
Jeff Brown | November 20, 2020

So Many Alerts, So Few Insights: Moving The Focus To Awareness And Response

You’re under assault. Despite your best efforts — and significant investments in point solutions — to protect your organization from cyberthreats, the hits just keep on coming.

The kicker is that many environments that are hacked were considered secure. Recent research from Sophos indicates 91% of enterprises that have been breached were running up-to-date security stacks. An impenetrable perimeter would be ideal, but it’s just not always feasible.

The bottom line is that you can expect to be breached. If you are, you’ll want to know it. More importantly, you’ll want to respond to the breach before it spins out of control.

That’s not an easy thing to do, especially when you have a small cybersecurity operation or have to address security as a one-person show. This leaves you behind the eight ball, knowing you’re vulnerable yet lacking the control you need to protect your organization. But with the right solutions and best practices, it is possible to both identify and act to isolate cyberattacks.

Use A Broader Dataset

Current thinking is that cybersecurity starts with understanding if you’ve been breached. Organizations commonly work to understand if they’ve been breached by looking for anomalous behavior using security information and event management (SIEM) solutions. But many organizations don’t send all relevant sources of information to the SIEM.

That limits their accuracy in identifying events that do or do not require attention. Supplement the security-related log data in your SIEM with information that contextualizes your alerts, such as authentication logs, flow-related metadata and a rich set of threat intelligence. Combining this information with the right analytics rules can help you identify advanced threats that may have bypassed existing security controls.
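As an added illustration of the paragraph above (example code written for this page, not from the article or from Open Systems), the script below enriches two SIEM alerts with the three supplementary sources it names, authentication logs, flow metadata and threat intelligence, and applies one analytics rule that turns the combined context into a priority. All records are constructed, and field names such as `src_host`, `dst_ip` and the thresholds are assumptions about a generic SIEM schema rather than any vendor's format.

```python
"""Enrich SIEM alerts with auth logs, flow metadata and threat intel, then
apply a simple analytics rule to prioritise them.

Added example, not code from the article or from Open Systems. Every record
below is constructed; field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Raw alerts as a SIEM might emit them (constructed): one IDS hit and one
# routine "new outbound connection" notice from the firewall.
ALERTS = [
    {"id": "A-1", "ts": "2020-11-20T09:15:00", "src_host": "wkstn-17",
     "src_ip": "10.0.5.17", "dst_ip": "203.0.113.44", "rule": "ids.suspicious_user_agent"},
    {"id": "A-2", "ts": "2020-11-20T09:20:00", "src_host": "wkstn-22",
     "src_ip": "10.0.5.22", "dst_ip": "198.51.100.9", "rule": "fw.new_outbound_connection"},
]

# Authentication events (constructed): failures then a success on wkstn-17.
AUTH_LOGS = [
    {"ts": "2020-11-20T09:01:00", "user": "jdoe", "host": "wkstn-17", "result": "fail"},
    {"ts": "2020-11-20T09:01:30", "user": "jdoe", "host": "wkstn-17", "result": "fail"},
    {"ts": "2020-11-20T09:02:00", "user": "jdoe", "host": "wkstn-17", "result": "fail"},
    {"ts": "2020-11-20T09:02:30", "user": "jdoe", "host": "wkstn-17", "result": "fail"},
    {"ts": "2020-11-20T09:03:00", "user": "jdoe", "host": "wkstn-17", "result": "success"},
    {"ts": "2020-11-20T08:30:00", "user": "asmith", "host": "wkstn-22", "result": "success"},
]

# Flow metadata (constructed): bytes sent per (src_ip, dst_ip) in the last hour.
FLOWS = [
    {"src_ip": "10.0.5.17", "dst_ip": "203.0.113.44", "bytes_out": 850_000_000},
    {"src_ip": "10.0.5.22", "dst_ip": "198.51.100.9", "bytes_out": 12_000},
]

# Threat intelligence feed (constructed): indicator -> tag and confidence.
THREAT_INTEL = {"203.0.113.44": {"tag": "c2", "confidence": 90}}

# Rule thresholds: assumptions, tune them for your own environment.
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
EXFIL_BYTES_THRESHOLD = 500_000_000  # roughly 500 MB to one destination


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def brute_force_then_success(host: str, before: datetime) -> bool:
    """True if a login on `host` succeeded after FAILED_LOGIN_THRESHOLD or more
    failures for the same account inside FAILED_LOGIN_WINDOW."""
    by_user = defaultdict(list)
    for ev in AUTH_LOGS:
        if ev["host"] == host and _parse(ev["ts"]) <= before:
            by_user[ev["user"]].append(ev)
    for events in by_user.values():
        events.sort(key=lambda e: e["ts"])  # ISO timestamps sort lexically
        for i, ev in enumerate(events):
            if ev["result"] != "success":
                continue
            t = _parse(ev["ts"])
            fails = [e for e in events[:i] if e["result"] == "fail"
                     and t - _parse(e["ts"]) <= FAILED_LOGIN_WINDOW]
            if len(fails) >= FAILED_LOGIN_THRESHOLD:
                return True
    return False


def enrich(alert: dict) -> dict:
    """Attach context from the three supplementary sources and score the alert."""
    ctx = {
        "threat_intel": THREAT_INTEL.get(alert["dst_ip"]),
        "bytes_out": sum(f["bytes_out"] for f in FLOWS
                         if f["src_ip"] == alert["src_ip"] and f["dst_ip"] == alert["dst_ip"]),
        "brute_force_then_success": brute_force_then_success(alert["src_host"], _parse(alert["ts"])),
    }
    reasons = []
    if ctx["threat_intel"]:
        reasons.append(f"destination is a known {ctx['threat_intel']['tag']} indicator")
    if ctx["bytes_out"] >= EXFIL_BYTES_THRESHOLD:
        reasons.append("large outbound transfer to destination")
    if ctx["brute_force_then_success"]:
        reasons.append("successful login after repeated failures on source host")
    # Two or more corroborating signals escalate; one is worth a look; none stays low.
    priority = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
    return {**alert, "context": ctx, "reasons": reasons, "priority": priority}


def triage(alerts=ALERTS) -> list:
    """Enrich every alert and order them so analysts see the worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((enrich(a) for a in alerts), key=lambda a: order[a["priority"]])


if __name__ == "__main__":
    for a in triage():
        print(a["id"], a["priority"], "; ".join(a["reasons"]) or "no corroborating context")
```

The point of the design is that neither alert changes on its own: the IDS hit becomes high priority only because the auth log, the flow volume and the intel feed each agree with it, while the firewall notice stays low because nothing corroborates it. Without the supplementary sources both would sit in the same queue.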

Also consider using an endpoint detection and response (EDR) solution in addition to endpoint antivirus protection. (Full disclosure: My company offers EDR and MDR solutions.) That way, your security operations center (SOC) can do further analysis of alerts generated by endpoints that connect to the network. This is valuable because 2019 research from Absolute (via Security) indicates that 70% of breaches start at the endpoints.

Pair The Power Of AI And People

This points to another challenge with SIEMs: They generate lots of alerts that don’t necessarily make sense and can’t be automatically sorted. The cybersecurity marketplace attempted to address this with security orchestration, automation and response (SOAR). But SOAR solutions don’t fully address the problem either, because the orchestration required to respond to some threats is complex enough that you often don’t get the right outcomes. Also, SOAR can be difficult to integrate with disparate commercial solutions that don’t offer a rich API set or that require escalated privileges to modify the configuration.

This realization gave rise to SOCs. These make some sense because alerts require a human eye. But there’s a challenge here as well. Using humans to track alerts is extremely costly and doesn’t always scale. Sixty percent of SOC analysts surveyed by Fidelis (via TechRepublic) in 2018 said they can investigate only seven to eight alerts per day, and just 10% said they could check into eight to 10 alerts.

A better approach is to use the power of artificial intelligence (AI) and machine learning (ML) to identify attack patterns by using historical data as a guide and then add the human eye. Rely on security analysts to uncover more nuanced signals of attack.

Leverage Connectivity To Contain Threats

Identifying breaches is not meaningful unless you act on that information. Choose a managed detection and response (MDR) solution that controls the network so it can tell you what’s wrong and begin remediation with pre-approved actions.

The solution should isolate infected devices from the network or block connectivity to email or other applications and network elements. Infections spread quickly, racking up costs, exposing private data, marring reputations and creating headaches. I believe the important measure is not time to detection; it’s time to reaction.
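To make the two paragraphs above concrete, here is an added example (written for this page, not code from the article or from Open Systems) of a containment step driven by pre-approved actions: each threat class maps to actions agreed in advance, the ones that are allowed run immediately, anything that needs a human (low confidence, a protected host, an unknown action) is queued instead, and the detection-to-containment delay is measured as the time-to-reaction metric. The playbook, the protected-host list, the incidents and the enforcement hooks are all constructed; in a real deployment the hooks would call the network controller and mail or application gateway.

```python
"""Pre-approved containment for MDR verdicts, with time-to-reaction tracking.

Added example, not code from the article or from Open Systems. The playbook,
protected hosts, incident data and enforcement hooks are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Actions pre-approved per threat class (assumption: agreed with the
# organisation up front so the SOC does not wait for a ticket while it spreads).
PLAYBOOK = {
    "ransomware": ["isolate_host"],
    "account_compromise": ["block_app:email", "isolate_host"],
    "data_theft": ["block_app:file_share", "isolate_host"],
}

# Hosts whose isolation would itself cause an outage are never auto-isolated;
# that action is queued for a human decision (constructed list).
NO_AUTO_ISOLATE = {"dc-01", "erp-db-01"}

# Verdicts below this confidence are queued rather than executed (assumption).
MIN_CONFIDENCE = 80


@dataclass
class Incident:
    host: str
    threat: str
    detected_at: datetime
    confidence: int  # 0-100, from the detection pipeline


@dataclass
class ActionRecord:
    action: str
    host: str
    status: str  # "executed" or "pending_approval"
    at: datetime


# Enforcement hooks: constructed stand-ins that only record state.
NETWORK_STATE: dict = {}   # host -> "isolated"
APP_BLOCKS: set = set()    # (host, app) pairs currently blocked


def isolate_host(host: str) -> None:
    NETWORK_STATE[host] = "isolated"


def block_app(host: str, app: str) -> None:
    APP_BLOCKS.add((host, app))


def contain(incident: Incident, now: datetime) -> list:
    """Run the pre-approved actions for the incident's threat class; queue any
    action that needs a human (low confidence, protected host, unknown name)."""
    actions = PLAYBOOK.get(incident.threat)
    if actions is None:
        raise ValueError(f"no playbook for threat class {incident.threat!r}")
    records = []
    for action in actions:
        allowed = incident.confidence >= MIN_CONFIDENCE
        if action == "isolate_host":
            allowed = allowed and incident.host not in NO_AUTO_ISOLATE
            if allowed:
                isolate_host(incident.host)
        elif action.startswith("block_app:"):
            if allowed:
                block_app(incident.host, action.split(":", 1)[1])
        else:
            allowed = False  # never execute an action name the code does not know
        records.append(ActionRecord(action, incident.host,
                                    "executed" if allowed else "pending_approval", now))
    return records


def time_to_reaction(incident: Incident, records: list) -> Optional[timedelta]:
    """Delay from detection to the first executed containment action, or None
    if everything is still waiting on a human."""
    done = [r.at for r in records if r.status == "executed"]
    return min(done) - incident.detected_at if done else None


def run_demo() -> dict:
    """Three constructed incidents exercising the execute and queue paths."""
    t0 = datetime(2020, 11, 20, 9, 15)
    now = t0 + timedelta(minutes=2)
    cases = [
        Incident("wkstn-17", "ransomware", t0, confidence=95),
        Incident("dc-01", "account_compromise", t0, confidence=90),
        Incident("wkstn-22", "data_theft", t0, confidence=40),
    ]
    out = {}
    for inc in cases:
        recs = contain(inc, now)
        ttr = time_to_reaction(inc, recs)
        out[inc.host] = {"actions": [(r.action, r.status) for r in recs],
                         "ttr_seconds": ttr.total_seconds() if ttr else None}
    return out


if __name__ == "__main__":
    for host, summary in run_demo().items():
        print(host, summary)
```

The three cases show the trade-off the article is pointing at: the workstation with a confident ransomware verdict is off the network two minutes after detection, the domain controller gets its mail access blocked immediately while the more disruptive isolation waits for an analyst, and the low-confidence verdict executes nothing at all. Time to reaction is only recorded when something actually ran, which keeps the metric honest.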

Know What To Look For To Identify The Solutions For You

Seek solutions that use their own detection sensors to monitor potential attack surfaces. Many providers simply collect logs and attempt to make sense of or identify threats from all the data. This approach can be noisy due to the volume of alerts and overall information and a lack of understanding of the underlying systems. As a result, undetected threats or false-positive security incident reports can take significant time to track down. Sensors can provide a “source of truth” for the SOC team. Combine these sensors with other log data to add context and make it easier for defenders to more accurately identify threats.

Choose solutions that offer containment and advice for responding to threats around your specific security concerns. Are you worried about ransomware, account compromises or theft of data? Look for solutions that have experience and containment capabilities in these areas.

Most organizations operate in hybrid environments. Select a solution that considers all potential attack surfaces in your specific hybrid environment.

Now is the time to adopt an active cybersecurity stance so you’re ready when attacks hit. When you move from alerts to insights to action, you can avoid more widespread damage, deliver better experiences, enjoy improved growth potential and become a more resilient organization.

Originally published on Forbes