Too Many Incident Responders are Chasing Fires that do not Exist

There’s a fundamental problem with security tools in the market today: they detect and judge events in isolation. Each tool sends out alerts on the assumption that a human or a centralized system downstream will correlate the information, so that incident responders know which alerts to chase down first.

However, that assumption is incorrect. In most cases, even when there is a centralized system for collection (such as a SIEM), the tools still lack the data and analytics needed to prioritize based on the complete picture. They create an endless mountain of alerts that responders then sift through, hoping they chase down the important ones, only to find out after it’s too late that they wasted their time.

While they were investigating what they thought was a high severity alert, which was in fact low in severity, they left the true threat untouched and free to attack the organization’s valuable assets.

We have seen this happen in the string of retail breaches during the past several years. The alerts were there, sitting among thousands of other alerts, but due to a lack of context and an abundance of noise, they were missed. No matter the size of the security team, it could not connect the dots and pick out the important alerts quickly enough. Forensic investigators saw this in the evidence after the breaches occurred: when they retraced the criminals’ steps, they found the relevant alerts buried among the junk.

Therein lies the fundamental problem. Responders receive alerts generated by tools without any other context so they don’t see a full story. Individual high severity alerts may not be important, but it’s impossible to know without context.

Low severity alerts may be important when viewed in the context of other activity or of the value of the asset at risk. If individual events were woven together with other data, such as whether the event touched a valuable asset and whether the person who accessed that asset had a business purpose for doing so, responders would know immediately whether the event is urgent and needs to be investigated right away.

For that process to be most effective, line-of-business application owners, who are not part of the security team but govern highly valuable corporate assets, must participate. They are the gatekeepers to the context responders require to determine which events are truly high severity. There needs to be a feedback loop through which application owners can provide input to the process, telling responders whether there is a business purpose behind a user’s actions.

When responders take what individual security tools tell them at face value, they often end up chasing fires that don’t exist. Businesses as a whole need to re-architect how they collect, analyze, prioritize and communicate alerts so that the process includes both behavioral analysis and business context. They should take the threats reported by their security tools, put each one into context based on the value of the asset at risk and whether that asset carries a known vulnerability, and then run a behavioral analysis to determine whether the observed behavior was in fact abnormal for that user.

Only then, based on the outcome of that process, should the high severity alerts be handed to incident responders, giving them a short, high quality list of events that need immediate investigation.
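The triage pipeline described above, as an added example that is not part of the original article: raw tool alerts are re-scored using asset value, the presence of a known vulnerability on the asset, a per-user behavioral baseline built from historical access events, and the application owner’s answer on business purpose. All asset values, the vulnerability list, the history and the owner feedback are constructed sample data, and the scoring weights are illustrative assumptions, not a published formula.

```python
"""Context-aware alert triage (added example, not from the original article).

Re-ranks tool alerts by asset value, known vulnerability, user baseline and
application-owner feedback. All inputs below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Assumed weights for the severity label the tool attached to the alert.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    tool_severity: str   # "low" | "medium" | "high", as labelled by the tool
    user: str
    asset: str
    action: str


@dataclass
class TriagedAlert:
    alert: Alert
    score: int
    reasons: list = field(default_factory=list)


class Baseline:
    """Per-user activity profile built from historical (user, asset, action) events."""

    def __init__(self, events):
        self.per_user = {}
        for user, asset, action in events:
            self.per_user.setdefault(user, Counter())[(asset, action)] += 1

    def is_abnormal(self, user, asset, action, min_fraction=0.05):
        """True when this (asset, action) pair is rare or unseen for the user."""
        hist = self.per_user.get(user)
        if not hist:
            return True  # no history at all: cannot vouch for the behaviour
        return hist[(asset, action)] / sum(hist.values()) < min_fraction


def triage(alert, asset_value, vulnerable_assets, baseline, owner_feedback):
    """Score one alert with business and behavioral context attached."""
    reasons = []
    value = asset_value.get(alert.asset, 1)          # unknown assets count as low value
    score = SEVERITY_WEIGHT[alert.tool_severity] * value
    if value >= 4:
        reasons.append(f"high-value asset {alert.asset}")
    if alert.asset in vulnerable_assets:
        score += 2
        reasons.append("asset has a known unpatched vulnerability")
    if baseline.is_abnormal(alert.user, alert.asset, alert.action):
        score += 3
        reasons.append("action deviates from the user's baseline")
    purpose: Optional[bool] = owner_feedback.get((alert.user, alert.asset))
    if purpose is True:
        score = max(1, score // 2)                   # owner vouched for the access
        reasons.append("application owner confirmed business purpose")
    elif purpose is False:
        score += 3
        reasons.append("application owner denied business purpose")
    else:
        reasons.append("no application owner feedback yet")
    return TriagedAlert(alert, score, reasons)


def prioritize(alerts, asset_value, vulnerable_assets, baseline, owner_feedback):
    """Return alerts ordered from most to least urgent."""
    triaged = [triage(a, asset_value, vulnerable_assets, baseline, owner_feedback)
               for a in alerts]
    return sorted(triaged, key=lambda t: t.score, reverse=True)


# ---- constructed sample data (hypothetical environment) --------------------
ASSET_VALUE = {"crm-db": 5, "payroll-db": 5, "wiki": 1, "dev-sandbox": 1}
VULNERABLE_ASSETS = {"payroll-db"}            # e.g. flagged by a scanner (assumed)
OWNER_FEEDBACK = {("alice", "crm-db"): True,  # owner: alice runs these queries daily
                  ("bob", "payroll-db"): False}  # owner: bob has no reason to export
HISTORY = ([("alice", "crm-db", "query")] * 40
           + [("bob", "wiki", "read")] * 30
           + [("carol", "dev-sandbox", "exec")] * 50)
SAMPLE_ALERTS = [
    Alert("A1", "high", "carol", "dev-sandbox", "exec"),   # tool says high
    Alert("A2", "low", "bob", "payroll-db", "export"),     # tool says low
    Alert("A3", "high", "alice", "crm-db", "query"),       # tool says high
]


def rank_sample_alerts():
    """Run the pipeline over the constructed sample and return the ranked list."""
    return prioritize(SAMPLE_ALERTS, ASSET_VALUE, VULNERABLE_ASSETS,
                      Baseline(HISTORY), OWNER_FEEDBACK)


if __name__ == "__main__":
    for t in rank_sample_alerts():
        print(t.score, t.alert.alert_id, t.alert.tool_severity, "->", "; ".join(t.reasons))
```

With these inputs the tool’s "low" alert A2 (a user with no history on a vulnerable, high-value payroll database, and an owner who denies any business purpose) ranks first, while the tool’s "high" alert A1 (routine activity on a low-value sandbox) ranks last. The weights are deliberately simple; the point is that severity is computed after enrichment, not taken from the tool’s label.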

Companies need to break the status quo of depending on each security tool to tell them the whole story. Since the tools collect and label events in isolation and do not bring in any other context besides the threat at hand, they miss the bigger picture to determine their true severity.

Individual detection tools alone do not show a pattern of what individuals typically do or do not do, nor do they show the business context of why an event happened and if it was related to a highly valuable asset. As a result, responders spend countless hours chasing down what are really normal business activities while the true criminal events slip through the cracks.
