
Security Management

12/4/2017 08:35 AM
John Bradshaw
News Analysis-Security Now

Too Many Alerts: A Holiday Infosec Horror Story

Too many alerts can be as catastrophic as too few. But how do you manage to get just enough warning messages?

Picture this horror story: An adversary has targeted your organization and commenced a campaign to breach your defenses, establish a foothold and begin to either gather up your proprietary information or encrypt it and hold you hostage until you pay the ransom demand.

If your present security solutions provide any warnings, they are sent along to the front pane of glass of your Security Operations Center (SOC). There, it is up to your team of analysts, triaging the alerts, to separate the wheat from the chaff: look at the alert details and determine whether the alert is telling them something impactful is occurring, or decide it can be ignored.

What could possibly go wrong? Plenty.

Race to the bottom (of the alert pile)
Most organizations use a Security Information and Event Management (SIEM) solution in their SOC to aggregate, correlate and prioritize the alerts presented to the frontline SOC analyst. Initial triage of alerts is generally handled by a Level I analyst -- often the newest and least experienced member of the team. With a network-based IDS often spitting out 40 events per second, along with a myriad of other security solutions and operating system and application logs feeding into the SIEM, it is a daunting task to keep up with the alerts on the screen.

To further increase the pressure, SOC analysts are usually expected to triage an alert in three minutes or less. Get it right, you live to triage another day; get it wrong, your stock price tumbles, people lose jobs and your company gets a ton of negative press.

High-fidelity alerts
If you knew an alert was a true positive every time it fired, how would that impact your workflows and decision process in handling that particular incident? High-fidelity alerts essentially mean you can trust and act on the information contained within the alert. They also tend to be very low in volume (unless you're having a really bad day).

There are not many solutions out there that can claim zero false positives (and I would be wary of any vendor that does make that claim!); however, let's consider how deception solutions rate when looking at fidelity and alert volume.

Deception and high fidelity
Deception-based solutions use decoys and misinformation to divert and delay an adversary, giving the SOC and IR teams sufficient time to perform remediation before the adversary can complete his mission. Deception objects are not known to normal end-users and are excluded (whitelisted) from the organization's authorized vulnerability and IT asset discovery scans -- so no one should ever touch a deception decoy. Let's consider the possible ways a decoy could be touched:

  • Network misconfiguration -- a scanner was left out of the whitelist, or some other misconfiguration causes a system to attempt communication with a decoy
  • Curious insider -- an end-user or system administrator pokes around outside of their normal duties, comes across a decoy and reaches out to see what the system is all about
  • Malicious insider -- an end-user or system administrator is looking to steal information or cause disruption and stumbles across a decoy while looking for the crown jewels
  • External adversary -- an adversary of varying skill level and resources has evaded your prevention layers and is now poking around inside your network

In all four cases, some action demanding immediate attention is required. The first two are not malicious in nature and will most likely be resolved by groups other than the security teams (network operations for the first, human resources for the second). The last two are malicious and require immediate escalation and the gathering of additional information to learn the full nature of the attack.
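The four cases above map naturally onto a small triage router that a SOC could run in front of its ticketing: take each decoy touch, decide which of the four categories it falls into, and route it to the right team. The following is an added example and not code from the article or from any deception vendor; the decoy addresses, scanner whitelist, asset inventory, log format and the "enumeration threshold" used to separate a curious insider from a malicious one are all constructed assumptions for the example.

```python
"""Triage router for decoy-touch events.

Added example, not the article's or a vendor's code. The inventory, log
format and thresholds below are constructed assumptions; a real deployment
would pull them from the deception platform, CMDB and identity systems.
"""
import ipaddress
from dataclasses import dataclass

# Constructed inventory (assumptions for the example).
DECOYS = {"10.20.5.50", "10.20.5.51", "10.20.5.52"}
AUTHORIZED_SCANNERS = {"10.0.9.10"}            # scanners that SHOULD be whitelisted
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ASSETS = {                                     # source address -> (owner, role)
    "10.0.9.10": ("svc-vulnscan", "scanner"),
    "10.0.9.11": ("svc-assetdisc", "scanner"),  # a scanner missed in the whitelist
    "10.1.4.23": ("alice", "workstation"),
    "10.1.7.8": ("bob", "admin-workstation"),
}
# Heuristic (assumption): touching this many distinct decoys or ports in one
# window looks like deliberate enumeration rather than idle curiosity.
ENUMERATION_THRESHOLD = 3

# Constructed sample log: one line per connection seen by the decoy network.
SAMPLE_LOG = [
    "src=10.0.9.10 dst=10.20.5.50 dport=443",
    "src=10.0.9.11 dst=10.20.5.51 dport=22",
    "src=10.1.4.23 dst=10.20.5.50 dport=445",
    "src=10.1.4.23 dst=10.1.4.1 dport=53",       # not a decoy: ignored
    "src=10.1.7.8 dst=10.20.5.50 dport=445",
    "src=10.1.7.8 dst=10.20.5.51 dport=445",
    "src=10.1.7.8 dst=10.20.5.52 dport=3389",
    "src=10.1.9.99 dst=10.20.5.50 dport=22",     # internal address, not in inventory
    "src=203.0.113.7 dst=10.20.5.52 dport=22",
]


@dataclass(frozen=True)
class DecoyTouch:
    src_ip: str
    decoys: frozenset   # distinct decoy addresses touched in the window
    ports: frozenset    # distinct destination ports touched in the window


@dataclass(frozen=True)
class Triage:
    category: str       # one of the article's four cases
    severity: str
    route_to: str


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(touch):
    """Assign a decoy touch to one of the four cases and a receiving team."""
    owner, role = ASSETS.get(touch.src_ip, (None, None))
    if touch.src_ip in AUTHORIZED_SCANNERS or role == "scanner":
        # Case 1: a (should-be) whitelisted scanner reached a decoy.
        return Triage("network misconfiguration", "medium", "network operations")
    if not is_internal(touch.src_ip) or owner is None:
        # Case 4: external address, or an unknown host inside the network.
        return Triage("external adversary", "critical", "incident response")
    if max(len(touch.decoys), len(touch.ports)) >= ENUMERATION_THRESHOLD:
        # Case 3: a known insider systematically enumerating decoys.
        return Triage("malicious insider", "high", "incident response")
    # Case 2: a known insider touched a single decoy.
    return Triage("curious insider", "low", "human resources")


def aggregate(log_lines):
    """Group decoy traffic per source address; non-decoy traffic is dropped."""
    seen = {}
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("dst") not in DECOYS:
            continue
        decoys, ports = seen.setdefault(fields["src"], (set(), set()))
        decoys.add(fields["dst"])
        ports.add(int(fields["dport"]))
    return [DecoyTouch(src, frozenset(d), frozenset(p)) for src, (d, p) in seen.items()]


def triage_log(log_lines):
    """Return {source address: Triage} for every decoy touch in the log."""
    return {touch.src_ip: classify(touch) for touch in aggregate(log_lines)}


if __name__ == "__main__":
    for src, verdict in triage_log(SAMPLE_LOG).items():
        print(f"{src:15} {verdict.category:25} {verdict.severity:9} -> {verdict.route_to}")
```

The order of the checks matters: scanner identity is tested first so a whitelist gap is never escalated as an intrusion, and an unknown or external source is escalated before any insider heuristic is applied, because the breadth threshold only makes sense for a host whose owner is known.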

Deception and low volume
Deception is a breach detection solution. By that, I mean that deception is not generally used to detect intrusion attempts or even breach attempts. Deception is a great prevention failure detection solution because it focuses detection capabilities on adversaries and malware that have already successfully bypassed your prevention capabilities.

In a typical breach scenario, an adversary spear-phishes an end-user and gets them to click on a malicious attachment or link; a payload is downloaded and/or detonated on the end-user's system, and command and control is established between the adversary and the compromised system.

Breach accomplished. The Doomsday Clock starts ticking.

Many security solutions had to fail for this to happen. This first beachhead is not the adversary's mission; they want your data, or to disrupt your operations. They must establish additional beachheads, reach out to application and database servers, map out your organization's assets and determine which are likely targets.

Most intrusion/breach attempts will be blocked by your prevention technologies; you aren't losing sleep over those. It's the ones that get through that you need to lose sleep over.

For those, you need endpoint user sessions, processes and network connections to be correlated and presented completely and quickly, so SOC analysts can make the right triage determination. This is where deception solutions step in and present the adversary with inviting targets -- targets that only an adversary should be touching. Working with your SIEM, these high-fidelity alerts can assist in correlation and the necessary forensics.
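What that correlation looks like in practice: a decoy alert carries only a source address, a decoy and a port, so the SIEM has to join it to the endpoint telemetry for that host (the user session, the process that opened the connection, and that process's ancestry) before the analyst sees it. The following is an added example, not the article's or any vendor's code; the alert record, the telemetry schema, the five-second matching window and the host/process data are all constructed for the example.

```python
"""Correlate one decoy-touch alert with endpoint telemetry.

Added example, not the article's or a vendor's code. The alert format,
telemetry schema and all records below are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed decoy alert as a deception platform might forward it to the SIEM.
DECOY_ALERT = {"ts": "2017-12-04T08:31:05", "src_ip": "10.1.4.23",
               "decoy": "10.20.5.50", "dport": 445}

# Constructed endpoint telemetry: user sessions, process starts, connections.
SESSIONS = [
    {"host": "WS-ALICE", "ip": "10.1.4.23", "user": "alice",
     "logon_type": "interactive", "ts": "2017-12-04T08:02:11"},
]
PROCESSES = [
    {"host": "WS-ALICE", "pid": 3011, "ppid": 1, "image": "explorer.exe"},
    {"host": "WS-ALICE", "pid": 4120, "ppid": 3011, "image": "outlook.exe"},
    {"host": "WS-ALICE", "pid": 5234, "ppid": 4120, "image": "winword.exe"},
    {"host": "WS-ALICE", "pid": 5300, "ppid": 5234, "image": "powershell.exe"},
]
CONNECTIONS = [
    {"host": "WS-ALICE", "pid": 4120, "dst": "10.1.2.5", "dport": 443, "ts": "2017-12-04T08:31:03"},
    {"host": "WS-ALICE", "pid": 5300, "dst": "10.20.5.50", "dport": 445, "ts": "2017-12-04T08:31:04"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def session_for_ip(ip, sessions):
    """Map the alert's source address to a managed endpoint and its user."""
    for s in sessions:
        if s["ip"] == ip:
            return s
    return None


def matching_connection(alert, host, connections, window_seconds=5):
    """Find the endpoint connection event behind the decoy touch: same host,
    same decoy and port, within the time window (assumption: 5 seconds)."""
    t0 = _ts(alert["ts"])
    window = timedelta(seconds=window_seconds)
    for c in connections:
        if (c["host"] == host and c["dst"] == alert["decoy"]
                and c["dport"] == alert["dport"]
                and abs(_ts(c["ts"]) - t0) <= window):
            return c
    return None


def process_chain(host, pid, processes, max_depth=10):
    """Walk parent pids upward from the connecting process (bounded depth)."""
    by_pid = {(p["host"], p["pid"]): p for p in processes}
    chain = []
    while len(chain) < max_depth:
        p = by_pid.get((host, pid))
        if p is None:
            break
        chain.append(p["image"])
        pid = p["ppid"]
    return chain


def correlate(alert, sessions=SESSIONS, processes=PROCESSES, connections=CONNECTIONS):
    """Enrich a decoy alert with session, process and connection context."""
    session = session_for_ip(alert["src_ip"], sessions)
    if session is None:
        # No agent telemetry for this address: escalate as an unmanaged source.
        return {"status": "unmanaged source", "src_ip": alert["src_ip"]}
    conn = matching_connection(alert, session["host"], connections)
    if conn is None:
        return {"status": "no endpoint connection in window",
                "host": session["host"], "user": session["user"]}
    return {
        "status": "correlated",
        "host": session["host"],
        "user": session["user"],
        "logon_type": session["logon_type"],
        "pid": conn["pid"],
        "process_chain": process_chain(session["host"], conn["pid"], processes),
        "decoy": alert["decoy"],
        "dport": alert["dport"],
    }


if __name__ == "__main__":
    print(correlate(DECOY_ALERT))
```

The three return shapes are deliberate: a fully correlated record gives the Level I analyst the user, host and process ancestry in one view, while the two failure modes (no agent on the source, or no connection event in the window) are themselves findings worth a ticket, since a decoy was touched either way.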

For this reason, deception alerts are few and far between... unless you're having your own Nightmare on Elm Street!

-- John Bradshaw, senior director, solutions engineering at Acalvio Technologies, has more than 25 years of experience in the IT industry focusing on network and system security.
