How the boy who cried wolf had his organisation breached

The cyber landscape has seen a shift from investment in initial protection to a deeper understanding that a holistic approach is needed. Threat detection has become an integral part of every organisation’s cybersecurity posture. However, due to continually evolving conditions, security operations centres (SOCs) — those within the organisation who continually monitor and improve the cybersecurity — are being flooded with alerts. The issue is that many threats are false alarms, which unnecessarily interfere with an organisation’s hunt for real threats.

The expanding cyber landscape

A range of factors has seen the cyber landscape grow, and SOCs are now being forced to protect and expect attacks from all angles. Cyber detection has been flooded with more alerts than ever. A range of factors have contributed to this, including:

• The expanding attack surface: Over the past few years, the attack surface has grown considerably. Amongst traditional IT or campus environments, OT, IoT and IoMT devices now have vulnerabilities that can be exploited. Shifting workplace workstyles mean employee devices are on dispersed networks, and the use of the cloud and SaaS has given more avenues of attack for cybercriminals. Finally, organisations have become increasingly connected to the global supply chain, giving new routes for threats to travel.
• Data is everywhere: The continual development of applications has resulted in data being able to be shared faster than ever, in greater volumes. The cloud, containers and serverless applications all generate a plethora of data that can provide signals of an attack and important context for an investigation. Much of it may be noise, but for security reasons this data needs to be continually considered and managed.
• Rising threats: The threat landscape has evolved significantly in recent years, and the evolution isn’t slowing down. Threat actors have become more sophisticated in their capabilities and weaponry, and cybercriminals are able to launch complex, automated, multi-stage attacks quickly and precisely, which can be scaled rapidly.
   

These contributors have led to a harder playing field for SOCs and organisations to compete in. The greater attack landscape means threats are only going to continue to appear at a greater prevalence, placing more importance on threat detection. However, as more threat detection takes place, it also brings more chance for errors to ensue.

The false positive dilemma

Based on a study of more than 300 SOCs, the average SecOps team deals with about 450 alerts per hour, or 11,000 alerts per day (“The 2020 State of Security Operations”, Forrester Consulting). When this is combined with economic and skill shortage pressures leading to staff and tool constraints, over a quarter of alerts aren’t able to be addressed by SOC teams.

Although many of these alerts are false positives, it leaves the opportunity for threats to exploit organisations undetected, as there is no way of telling which alerts to ignore. This creates an unhealthy balance for SOCs who are wasting time dealing with false positives rather than responding to legitimate attacks.

Furthermore, cybersecurity budgets are typically shared between reactive activities (incident response) and proactive activities (threat hunting, risk exposure and management), so when inefficient time and investment is put towards reacting to false positives, other aspects of cybersecurity become neglected, such as proactive measures and governance, risk and compliance.

Ensuring threat detection doesn’t leave your sheep vulnerable to the wolf

To address the false positive dilemma, SOCs can undertake a range of approaches to their threat detection and response:

• In-house: Organisations can operate their own SOC in-house with a tech stack centred on a traditional security information and event management (SIEM) solution. However, many SIEMs were primarily designed for log storage and search — only later were threat engines bolted on. There is potential for SIEMS to come up empty, so SOCs will have to source rules themselves, which requires teams to have this specialised expertise. Even then, SIEMS can be very noisy with their single-stage learning model that generates too many low-fidelity alerts.
• Outsourcing: Organisations can outsource threat monitoring and detection to a managed security services provider (MSSP) that manages the SOC’s SIEM and sends alerts when a response is required. This also helps overcome the skills shortage problem. But if the MSSP is relying on the company’s traditional SIEM without using a modern extended detection and response (XDR), it will just display the same low-fidelity alerts over to SOCs.
• A combination: Finally, organisations can use a traditional XDR alongside their SIEM. Having a unified console should improve efficiency, but traditional XDRs typically evolved from endpoint detection and response (EDR) solutions. A challenge that may arise is that vendors can often require the organisations to use their tech stack of endpoint, network and cloud security products instead of leveraging internal existing investments. There may also be limited support for third-party data sources to cover OT/ICS, IoMT and other cyber asset types, as well as custom rule creation.
   

Ultimately, as threats continue to grow, organisations need a solution that can address threat detection effectively. A solution that automates detection, investigation, threat hunting and response across all connected assets such IT, OT, IoT and IoMT becomes invaluable for SOCs. As false positives continue to rise, it’s the quality of threat detection that will set apart organisations.

Image credit: iStock.com/sesame