By Henry Bureau, Research Analyst at Countercept by MWR InfoSecurity
As the turn of a new year approaches, so too does the time for gym managers to rub their hands together with glee, watching streams of well-intentioned patrons pour in with wallets in hand, ready to embark on their fitness journey – I did this last year, they say to themselves, but 2017 is the year. We’ve all been there; the feeling of satisfaction for finally getting around to it, feeling fitter and stronger already, we may even have done some research on the routine we want. Those completely new to it may realise that there is much to learn, and so enlist the help of trainers to show them the long and difficult road to fitness.
We frequently see this same mindset cropping up when it comes to businesses taking the plunge on an investment into their security capabilities. Just as the enthusiasm and excitement of the January gym rush can quickly disappear, contracts for security provisions like SIEM (security information and event management) can follow a similar timeframe.
On day one, I step into the gym following a year of gluttony: I’ve finally put my first footsteps on the road to fitness nirvana, and the coming months may present new challenges, but now I’m equipped to tackle them. With a personal trainer, I can learn and shortcut the pitfalls that those poor, uninformed sloths suffer from. The buyer’s (and runner’s) high is still on at this point.
On the security side, the ink is drying on the contract, and applications are rolling out on the estate. IT managers feel happy that they’ve addressed the security issues facing the company, and any suspicious activity will be logged and investigated.
Over at the gym, I walk into a hall of gleaming machines, brightly coloured mats and foam rollers, treadmills and rowing machines. This is the SIEM: these slick tools can all be used to exercise, and they work – but not without the knowledge counterpart, and not without hard work.
The constant feed of data from a SIEM will flag up false positives, sparking an endless chase of suspicious looking data, like selecting the next exercise machine at random and giving it your all. It works, but how can it be measured? How do I know I’m getting anywhere? That feeling of ‘being on top of security’ is still there, because the SIEM is working, and pushing out reports. At this point it feels like a challenge, but not by any stretch insurmountable.
Fatigue sets in
By day two at the gym though, I’m already fatigued. Feeling tired and sore from yesterday, with the prospect of another long day, will I drag myself out of bed early to do some more work? Compare this with the constant outpour of information from a SIEM, with which dealing becomes an all-consuming, exhausting affair. By the time I’m halfway through the previous night’s alerts, I’m drained, so picking up on that one piece of targeted malware is all the more difficult.
This is an issue facing security analysts worldwide; retaining an experienced and effective workforce in this environment is difficult when the work is repetitive, and throws up so many false positives that it becomes draining and eventually unsustainable. Like the New Year’s resolution-ers, many of these will eventually quit to go elsewhere, feeling exhausted, unstimulated, and without a metric to measure success or progress.
Fast forward to the end of the year, and my contract, I have long stopped using it. Without knowing exactly the problem I was trying to fix, a gym session becomes an exercise in shooting from the hip, picking workouts at random, using different machines, and as a result being unable to measure any progress. ‘Fitness’, like ‘security’, is a vague and nebulous term and equally hard to grasp if not prepared. Without knowing if I am making progress, why continue?
Beating the burn
When it comes to security, it is possible to observe trends and patterns over an extended period, but this is something more effectively delegated to statistical analysis. This is where the log aggregation solution comes in: think of the ability to collate all of the workout routines of every member of one’s gym over the previous year, measure their effectiveness, results, and identify issues both past and future. Those problems which do not map against known previous issues can then be resolved by dedicated trainers, freed from the boring daily grind of helping New Year’s resolution-ers with the same program day in, day out.
This is precisely the advantage of Managed Detection and Response (MDR), which take comprehensive and contextual data outputs, filtering them so that only those which require analyst attention are flagged for further inspection. Analysts can thus use time which would otherwise be occupied researching the same incidents over and again to respond to those which are truly unique and highly suspicious.
This approach is much more focused on achieving results than compliance, and consequently is a specific, tailored security methodology. The fitness analogy would be taking a glossy magazine routine instead of using the experience of dedicated trainers with proven knowledge and expertise.
The objective of good security policy should always be the protection of pre-defined assets from quantifiable and understood threats, which by nature requires in depth knowledge. As a result, we have something of a catch-22 – to have good security practice, one needs experience, but in order to gain experience, one needs to understand good security practice.
This is the concept behind MDR – to use the knowledge of those experienced in the attacker mindset to find advanced and capable individuals or groups. A person with this knowledge is inherently better placed to recognise the actions suggesting advanced threats, because they themselves would take them. Think of the way an athlete would identify issues in their training regime, well before the problems would become apparent to a newbie.
In a year’s time, the most dedicated will still be attending the local gym frequently. Others, this writer included, likely will not. It is well known that having a gym buddy increases your chances of consistent attendance – so what if your gym buddy was a professional athlete? This is the benefit of a managed solution; security of enterprise networks is fundamentally the responsibility of the business, but why not take advantage of the expertise of professional threat hunters, who, like athletes, have cutting edge knowledge at their disposal?