Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

// // //
10/18/2018
08:05 AM
Alan
 Zeichick
Alan Zeichick
Alan Zeichick

Your People Can't Secure Your Network? Try Tier 0 Automation

Keeping up with modern security requirements requires a multi-prong approach. One way to ensure that threats are being met is to ignore the false alerts. This is where Tier 0 automation comes in.

Security alerts don't come in a slow, steady drip-drip-drip.

Instead, as any triage specialist will tell you, it's a fire hose of warnings. Dashboards show a non-stop barrage of yellow lights indicating warnings, punctuated with a few more urgent red lights.

An increasing quantity of alerts -- can we call it an increasing velocity? -- has several implications:

  • A greater number of alerts should be investigated by Tier 1 InfoSec staff -- the ones usually charged with doing triage.
  • Because there's a lack of qualified staff (and because there's high turnover, and replacements are expensive to hire and train), that means more alerts per employee.
  • Since each employee is handling more alerts, there's greater opportunity to waste time investigating a false positive, or to miss an incident.
  • Also due to overload, staff might be tempted to take shortcuts and skip some investigations.
  • And because attacks can be slow moving and cross multiple silos, the fire hose might stop staff from making some correlations -- and again, missing an incident.

This isn't hypothetical. To quote from the newly released Cisco 2018 Asia Pacific Security Capabilities Benchmark Study, 17% of defenders in India reported 250,000 to 500,000 alerts per day. Of those, the study shows that only 61% of alerts are investigated -- and that 39% are being ignored.

(Source: iStock)
(Source: iStock)

Is that a big deal? Cisco can help you decide:

It turns out that only 44% of investigated alerts are legitimate, which is second highest in the region, well behind the leader Australia (65%) but is better than both the global benchmark (34%) and on par with the regional standard (44%). This means a full 56% of investigated alerts are false alarms, and a vast amount of valuable work is being done on files that don't need it.

Okay, so what can be done? In a word, automation.

We need a paradigm shift, and that's to have the first round of incident investigation performed by smart software. A lot of investment is going into the use of artificial intelligence for these tasks, specifically machine learning, which can adapt on-the-fly and excels at spotting anomalies. However, the automation doesn't have to use AI and machines learning; even a relatively simple set of heuristics could pick the low hanging fruit.

The industry refers to the triage specialists within a SOC team as Tier 1 staff; when they find something, or can't make a determination, they kick the (potential) incident upstairs to Tier 2 incident responders. Let's call the triage software "Tier 0" -- it skims off the easy-to-decide alerts, and refers the others to those Tier 1 triage specialists. In this way, we can get more complete incident coverage, and the triage specialists handle fewer alerts.

This means less burnout, fewer mistakes and, hopefully, better security.

In addition, automation software can do a better job with those tricky correlations, particularly when it comes to looking at network traffic. The benefit can be greater understanding across the board. As Scott Ferguson writes in the recent Security Now special report on automation:

Instead of tracking every packet that crosses the network, automation allows the machines to keep track of data center traffic and, over time, adjust policy and procedures based on previous data -- the first real signs of machine learning at work within the enterprise. At the same time, automation helps security pros better understand attacks. With the ability to collect more data through the automation of what had been manual processes of data collection, analytics and big data analysis has gotten better at understanding and responding to the current threat landscape.

Verizon advises in its 2018 Data Breach Investigations Report: "Automate anything you can as this reduces the human error associated with many breaches we see."

That's the only way out of this mess. We are in the fire hose era of security alerts, and that's not going to change. There's no way that human investigators can handle that kind of velocity without Tier 0 automation.

Related posts:

Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-0624
PUBLISHED: 2022-06-28
Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.
CVE-2017-20105
PUBLISHED: 2022-06-28
A vulnerability was found in Simplessus 3.7.7. It has been rated as critical. This issue affects some unknown processing. The manipulation of the argument path with the input ..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd leads to path traversal. The att...
CVE-2017-20106
PUBLISHED: 2022-06-28
A vulnerability, which was classified as critical, has been found in Lithium Forum 2017 Q1. This issue affects some unknown processing of the component Compose Message Handler. The manipulation of the argument upload_url leads to server-side request forgery. The attack needs to be approached locally...
CVE-2017-20107
PUBLISHED: 2022-06-28
A vulnerability, which was classified as problematic, was found in ShadeYouVPN.com Client 2.0.1.11. Affected is an unknown function. The manipulation leads to improper privilege management. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used...
CVE-2017-20104
PUBLISHED: 2022-06-28
A vulnerability was found in Simplessus 3.7.7. It has been declared as critical. This vulnerability affects unknown code of the component Cookie Handler. The manipulation of the argument UWA_SID leads to sql injection (Time). The attack can be initiated remotely. The exploit has been disclosed to th...