Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

10/18/2018
08:05 AM
Alan
 Zeichick
Alan Zeichick
Alan Zeichick
50%
50%

Your People Can't Secure Your Network? Try Tier 0 Automation

Keeping up with modern security requirements requires a multi-prong approach. One way to ensure that threats are being met is to ignore the false alerts. This is where Tier 0 automation comes in.

Security alerts don't come in a slow, steady drip-drip-drip.

Instead, as any triage specialist will tell you, it's a fire hose of warnings. Dashboards show a non-stop barrage of yellow lights indicating warnings, punctuated with a few more urgent red lights.

An increasing quantity of alerts -- can we call it an increasing velocity? -- has several implications:

  • A greater number of alerts should be investigated by Tier 1 InfoSec staff -- the ones usually charged with doing triage.
  • Because there's a lack of qualified staff (and because there's high turnover, and replacements are expensive to hire and train), that means more alerts per employee.
  • Since each employee is handling more alerts, there's greater opportunity to waste time investigating a false positive, or to miss an incident.
  • Also due to overload, staff might be tempted to take shortcuts and skip some investigations.
  • And because attacks can be slow moving and cross multiple silos, the fire hose might stop staff from making some correlations -- and again, missing an incident.

This isn't hypothetical. To quote from the newly released Cisco 2018 Asia Pacific Security Capabilities Benchmark Study, 17% of defenders in India reported 250,000 to 500,000 alerts per day. Of those, the study shows that only 61% of alerts are investigated -- and that 39% are being ignored.

Is that a big deal? Cisco can help you decide:

It turns out that only 44% of investigated alerts are legitimate, which is second highest in the region, well behind the leader Australia (65%) but is better than both the global benchmark (34%) and on par with the regional standard (44%). This means a full 56% of investigated alerts are false alarms, and a vast amount of valuable work is being done on files that don't need it.

Okay, so what can be done? In a word, automation.

We need a paradigm shift, and that's to have the first round of incident investigation performed by smart software. A lot of investment is going into the use of artificial intelligence for these tasks, specifically machine learning, which can adapt on-the-fly and excels at spotting anomalies. However, the automation doesn't have to use AI and machines learning; even a relatively simple set of heuristics could pick the low hanging fruit.

The industry refers to the triage specialists within a SOC team as Tier 1 staff; when they find something, or can't make a determination, they kick the (potential) incident upstairs to Tier 2 incident responders. Let's call the triage software "Tier 0" -- it skims off the easy-to-decide alerts, and refers the others to those Tier 1 triage specialists. In this way, we can get more complete incident coverage, and the triage specialists handle fewer alerts.

This means less burnout, fewer mistakes and, hopefully, better security.

In addition, automation software can do a better job with those tricky correlations, particularly when it comes to looking at network traffic. The benefit can be greater understanding across the board. As Scott Ferguson writes in the recent Security Now special report on automation:

Instead of tracking every packet that crosses the network, automation allows the machines to keep track of data center traffic and, over time, adjust policy and procedures based on previous data -- the first real signs of machine learning at work within the enterprise. At the same time, automation helps security pros better understand attacks. With the ability to collect more data through the automation of what had been manual processes of data collection, analytics and big data analysis has gotten better at understanding and responding to the current threat landscape.

Verizon advises in its 2018 Data Breach Investigations Report: "Automate anything you can as this reduces the human error associated with many breaches we see."

That's the only way out of this mess. We are in the fire hose era of security alerts, and that's not going to change. There's no way that human investigators can handle that kind of velocity without Tier 0 automation.

Related posts:

Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12777
PUBLISHED: 2020-08-10
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
CVE-2020-12778
PUBLISHED: 2020-08-10
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
CVE-2020-12779
PUBLISHED: 2020-08-10
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
CVE-2020-12780
PUBLISHED: 2020-08-10
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
CVE-2020-12781
PUBLISHED: 2020-08-10
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.