Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/14/2017
10:30 AM
Kumar Saurabh
Kumar Saurabh
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

What CISOs Need to Know about the Psychology behind Security Analysis

Bandwidth, boredom and cognitive bias are three weak spots that prevent analysts from identifying threats. Here's how to compensate.

Even if you have dozens of point security products, security analysts are still your final line of defense. You tasked them with evaluating the thousands of events your security products generate to determine if something harmful is lurking in your environment. This is a daunting responsibility in the face of expanding data volumes.

To put it into perspective, a recent Ponemon Study shows that in a typical week, an organization may receive 17,000 malware alerts. If the company has three to five dedicated security analysts, each would have to review nearly 3,000 to 5,000 alerts per week.

Analysts, being human, have three weak spots, and they and their managers must be aware of them to avoid missed threats.

Bandwidth
The process of investigating each security alert tends to be boring, but the volume of such events continues to increase at an unprecedented rate. Hiring to keep up isn't a viable option because of skill-set and budget constraints. As a result, analysts are overwhelmed with the number of alerts they must process every day. This fatigue leads to individuals rushing through investigations, with a strong tendency to skip key steps, thus increasing the probability of missed breaches.

Boredom
The nature of security operations (SecOps) is that the system evaluates millions or billions of events each day, and only a tiny percentage are suspect. Of those, analysts review thousands and only a few merit further escalation. Boredom leads to complacency, which leads to low job satisfaction, contributing to lower performance and higher attrition. The key is to automate much of the routine workflow, so that you keep analysts focused on investigating real problems.

Cognitive Biases
The third weakness is micro in nature: the cognitive biases that all humans struggle with in making diagnoses and prescribing solutions. Cognitive bias is an area of study that often arises in the context of financial trading and medical diagnosing. It is relevant in the area of cybersecurity because it has implications in terms of not only how many evaluations can be made per time, but also of the quality of those evaluations. Security analysts face the following cognitive biases:

  1. Anchoring is the tendency to rely too heavily, or "anchor," on one trait or piece of information when making decisions (usually the first piece of information acquired on a subject). It's not uncommon for SecOps teams to inadvertently have a narrow focus on daily activities. Hence, they may miss intrusions because they anchored on the likely source of a given pattern in the data and didn’t consider every alternative.

  2. Availability heuristics refers to the tendency to overestimate the likelihood of events with greater "availability" in memory, which can be influenced by how recent the memories are or how unusual or emotionally charged they may be. One of the issues we return to often is that there is so much data to evaluate that a holistic view of the threat landscape is impossible for a single person to hold in his or her head. Another issue is that analysts will make inferences about the entirety of the data set based only on the events they've reviewed.

  3. Confirmation bias is the tendency to search for, interpret, focus on, and remember information in a way that confirms one's preconceptions. An example of this is in the most boring data set anyone could imagine: VPC Flow logs. I recently challenged one of our teams to find intrusion patterns in a data set of VPC logs and immediately got the response, "Of course there won’t be anything in there — there never is." When we looked, we found some servers that were wide open to public scanning, as well as some other problems. It’s critical to always check and check again. 

  4. Clustering illusion is the tendency to overestimate the importance of small runs, streaks, or clusters in large samples of random data (that is, seeing phantom patterns). It's hard to get people to think in terms of statistical significance, even with the aid of powerful tools. So it's not surprising when SecOps teams become convinced there is something there when there isn't. Other biases lead to false negatives, while the clustering illusion leads to false positives.

  5. Inattentional blindness is the failure to notice something in plain sight because of cognitive overload. For security analysts, the excessive stimulus is the volume of data to sift through. During the alert triage process, there is a tendency to rely on mental shortcuts that effectively cause analysts to miss obvious critical signals. 

Overcoming Boredom, Bandwidth, & Biases
Here are some items every SecOps leader should consider to mitigate the tendencies above:

  • Make jobs more interesting by assigning meaningful projects that go beyond the routine — for example, researching and implementing a new solution. Empower analysts with greater decision-making authority.
  • Assign each analyst an area of expertise, such as the Web, networking, etc., with collaboration across analysts during investigations. This mitigates the "availability heuristic" because no one analyst feels the need to be an expert across all systems.
  • Free up bandwidth by automating every process that can be automated. This doesn't mean replacing analysts but, rather, empowering them to do more of what they do best while automating areas in need of support.
  • Create regular open forums with internal and external teams, as well as peer reviews, to discuss actions and results, what worked, and what didn’t. This helps avoid several biases, including confirmation bias and inattentional blindness.
  • Have junior analysts shadow senior analysts for a few hours a week to grow expertise and contextual awareness, as well as to avoid the clustering illusion.

 

Kumar Saurabh is the CEO and co-founder of security intelligence automation platform LogicHub. Kumar has 15 years of experience in the enterprise security and log management space leading product development efforts at ArcSight and SumoLogic, which he left to co-found LogicHub. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mariasalvy
50%
50%
Mariasalvy,
User Rank: Apprentice
9/1/2017 | 4:58:45 AM
Good article
Make the link between psychology and analytics is a good thing, it can explain more easly some behaves of your cutomers ! 
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5347
PUBLISHED: 2020-04-04
Dell EMC Isilon OneFS versions 8.2.2 and earlier contain a denial of service vulnerability. SmartConnect had an error condition that may be triggered to loop, using CPU and potentially preventing other SmartConnect DNS responses.
CVE-2020-5348
PUBLISHED: 2020-04-04
Dell Latitude 7202 Rugged Tablet BIOS versions prior to A28 contain a UAF vulnerability in EFI_BOOT_SERVICES in system management mode. A local unauthenticated attacker may exploit this vulnerability by overwriting the EFI_BOOT_SERVICES structure to execute arbitrary code in system management mode.
CVE-2020-8142
PUBLISHED: 2020-04-03
A security restriction bypass vulnerability has been discovered in Revive Adserver version < 5.0.5 by HackerOne user hoangn144. Revive Adserver, like many other applications, requires the logged in user to type the current password in order to change the e-mail address or the password. It was how...
CVE-2020-8143
PUBLISHED: 2020-04-03
An Open Redirect vulnerability was discovered in Revive Adserver version < 5.0.5 and reported by HackerOne user hoangn144. A remote attacker could trick logged-in users to open a specifically crafted link and have them redirected to any destination.The CSRF protection of the “/...
CVE-2020-8147
PUBLISHED: 2020-04-03
Flaw in input validation in npm package utils-extend version 1.0.8 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using utils-extend.