Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

10/18/2018
08:05 AM
Alan
 Zeichick
Alan Zeichick
Alan Zeichick
50%
50%

Your People Can't Secure Your Network? Try Tier 0 Automation

Keeping up with modern security requirements requires a multi-prong approach. One way to ensure that threats are being met is to ignore the false alerts. This is where Tier 0 automation comes in.

Security alerts don't come in a slow, steady drip-drip-drip.

Instead, as any triage specialist will tell you, it's a fire hose of warnings. Dashboards show a non-stop barrage of yellow lights indicating warnings, punctuated with a few more urgent red lights.

An increasing quantity of alerts -- can we call it an increasing velocity? -- has several implications:

  • A greater number of alerts should be investigated by Tier 1 InfoSec staff -- the ones usually charged with doing triage.
  • Because there's a lack of qualified staff (and because there's high turnover, and replacements are expensive to hire and train), that means more alerts per employee.
  • Since each employee is handling more alerts, there's greater opportunity to waste time investigating a false positive, or to miss an incident.
  • Also due to overload, staff might be tempted to take shortcuts and skip some investigations.
  • And because attacks can be slow moving and cross multiple silos, the fire hose might stop staff from making some correlations -- and again, missing an incident.

This isn't hypothetical. To quote from the newly released Cisco 2018 Asia Pacific Security Capabilities Benchmark Study, 17% of defenders in India reported 250,000 to 500,000 alerts per day. Of those, the study shows that only 61% of alerts are investigated -- and that 39% are being ignored.

(Source: iStock)
(Source: iStock)

Is that a big deal? Cisco can help you decide:

It turns out that only 44% of investigated alerts are legitimate, which is second highest in the region, well behind the leader Australia (65%) but is better than both the global benchmark (34%) and on par with the regional standard (44%). This means a full 56% of investigated alerts are false alarms, and a vast amount of valuable work is being done on files that don't need it.

Okay, so what can be done? In a word, automation.

We need a paradigm shift, and that's to have the first round of incident investigation performed by smart software. A lot of investment is going into the use of artificial intelligence for these tasks, specifically machine learning, which can adapt on-the-fly and excels at spotting anomalies. However, the automation doesn't have to use AI and machines learning; even a relatively simple set of heuristics could pick the low hanging fruit.

The industry refers to the triage specialists within a SOC team as Tier 1 staff; when they find something, or can't make a determination, they kick the (potential) incident upstairs to Tier 2 incident responders. Let's call the triage software "Tier 0" -- it skims off the easy-to-decide alerts, and refers the others to those Tier 1 triage specialists. In this way, we can get more complete incident coverage, and the triage specialists handle fewer alerts.

This means less burnout, fewer mistakes and, hopefully, better security.

In addition, automation software can do a better job with those tricky correlations, particularly when it comes to looking at network traffic. The benefit can be greater understanding across the board. As Scott Ferguson writes in the recent Security Now special report on automation:

Instead of tracking every packet that crosses the network, automation allows the machines to keep track of data center traffic and, over time, adjust policy and procedures based on previous data -- the first real signs of machine learning at work within the enterprise. At the same time, automation helps security pros better understand attacks. With the ability to collect more data through the automation of what had been manual processes of data collection, analytics and big data analysis has gotten better at understanding and responding to the current threat landscape.

Verizon advises in its 2018 Data Breach Investigations Report: "Automate anything you can as this reduces the human error associated with many breaches we see."

That's the only way out of this mess. We are in the fire hose era of security alerts, and that's not going to change. There's no way that human investigators can handle that kind of velocity without Tier 0 automation.

Related posts:

Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-34760
PUBLISHED: 2021-10-21
A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient input validation by the ...
CVE-2021-34789
PUBLISHED: 2021-10-21
A vulnerability in the web-based management interface of Cisco Tetration could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack on an affected system. This vulnerability exists because the web-based management interface does not sufficiently validate user...
CVE-2021-39126
PUBLISHED: 2021-10-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify various resources via a Cross-Site Request Forgery (CSRF) vulnerability, following an Information Disclosure vulnerability in the referrer headers which discloses a user's CSRF token. The affected versions ar...
CVE-2021-39127
PUBLISHED: 2021-10-21
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
CVE-2021-40121
PUBLISHED: 2021-10-21
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this ad...