Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

10/18/2018
08:05 AM
Alan
 Zeichick
Alan Zeichick
Alan Zeichick
50%
50%

Your People Can't Secure Your Network? Try Tier 0 Automation

Keeping up with modern security requirements requires a multi-prong approach. One way to ensure that threats are being met is to ignore the false alerts. This is where Tier 0 automation comes in.

Security alerts don't come in a slow, steady drip-drip-drip.

Instead, as any triage specialist will tell you, it's a fire hose of warnings. Dashboards show a non-stop barrage of yellow lights indicating warnings, punctuated with a few more urgent red lights.

An increasing quantity of alerts -- can we call it an increasing velocity? -- has several implications:

  • A greater number of alerts should be investigated by Tier 1 InfoSec staff -- the ones usually charged with doing triage.
  • Because there's a lack of qualified staff (and because there's high turnover, and replacements are expensive to hire and train), that means more alerts per employee.
  • Since each employee is handling more alerts, there's greater opportunity to waste time investigating a false positive, or to miss an incident.
  • Also due to overload, staff might be tempted to take shortcuts and skip some investigations.
  • And because attacks can be slow moving and cross multiple silos, the fire hose might stop staff from making some correlations -- and again, missing an incident.

This isn't hypothetical. To quote from the newly released Cisco 2018 Asia Pacific Security Capabilities Benchmark Study, 17% of defenders in India reported 250,000 to 500,000 alerts per day. Of those, the study shows that only 61% of alerts are investigated -- and that 39% are being ignored.

Is that a big deal? Cisco can help you decide:

It turns out that only 44% of investigated alerts are legitimate, which is second highest in the region, well behind the leader Australia (65%) but is better than both the global benchmark (34%) and on par with the regional standard (44%). This means a full 56% of investigated alerts are false alarms, and a vast amount of valuable work is being done on files that don't need it.

Okay, so what can be done? In a word, automation.

We need a paradigm shift, and that's to have the first round of incident investigation performed by smart software. A lot of investment is going into the use of artificial intelligence for these tasks, specifically machine learning, which can adapt on-the-fly and excels at spotting anomalies. However, the automation doesn't have to use AI and machines learning; even a relatively simple set of heuristics could pick the low hanging fruit.

The industry refers to the triage specialists within a SOC team as Tier 1 staff; when they find something, or can't make a determination, they kick the (potential) incident upstairs to Tier 2 incident responders. Let's call the triage software "Tier 0" -- it skims off the easy-to-decide alerts, and refers the others to those Tier 1 triage specialists. In this way, we can get more complete incident coverage, and the triage specialists handle fewer alerts.

This means less burnout, fewer mistakes and, hopefully, better security.

In addition, automation software can do a better job with those tricky correlations, particularly when it comes to looking at network traffic. The benefit can be greater understanding across the board. As Scott Ferguson writes in the recent Security Now special report on automation:

Instead of tracking every packet that crosses the network, automation allows the machines to keep track of data center traffic and, over time, adjust policy and procedures based on previous data -- the first real signs of machine learning at work within the enterprise. At the same time, automation helps security pros better understand attacks. With the ability to collect more data through the automation of what had been manual processes of data collection, analytics and big data analysis has gotten better at understanding and responding to the current threat landscape.

Verizon advises in its 2018 Data Breach Investigations Report: "Automate anything you can as this reduces the human error associated with many breaches we see."

That's the only way out of this mess. We are in the fire hose era of security alerts, and that's not going to change. There's no way that human investigators can handle that kind of velocity without Tier 0 automation.

Related posts:

Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/1/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Threat from the Internet--and What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15478
PUBLISHED: 2020-07-01
The Journal theme before 3.1.0 for OpenCart allows exposure of sensitive data via SQL errors.
CVE-2020-6261
PUBLISHED: 2020-07-01
SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to perform a log injection into the trace file, due to Incomplete XML Validation. The readability of the trace file is impaired.
CVE-2020-15471
PUBLISHED: 2020-07-01
In nDPI through 3.2, the packet parsing code is vulnerable to a heap-based buffer over-read in ndpi_parse_packet_line_info in lib/ndpi_main.c.
CVE-2020-15472
PUBLISHED: 2020-07-01
In nDPI through 3.2, the H.323 dissector is vulnerable to a heap-based buffer over-read in ndpi_search_h323 in lib/protocols/h323.c, as demonstrated by a payload packet length that is too short.
CVE-2020-15473
PUBLISHED: 2020-07-01
In nDPI through 3.2, the OpenVPN dissector is vulnerable to a heap-based buffer over-read in ndpi_search_openvpn in lib/protocols/openvpn.c.