Who wants to see personal customer purchasing data flying into the hands of strangers? What company can tolerate the pilfering of its intellectual property by competitors? What government can stand idly by while its military secrets are made public?
To protect their valuable and private information, organizations purchase numerous cyber security systems – like intrusion detection systems, firewalls, and anti-virus software – and deploy them across their networks and on all their computers.
In fact, a typical bank, manufacturer or government department might have dozens of such products operating at all times.
Cyber security systems work non-stop to thwart network infiltration and data-theft. Whenever they notice an activity that seems outside the scope of regular use, they issue an alert to notify cyber security personnel who investigate the reason for the alert and take remedial action if necessary.
For example, if someone tries to access a computer and repeatedly enters the wrong password, an alert will be issued. When an email attachment containing a virus is opened, another alarm will be raised.
Despite all of these security systems and their alerts, strong networks are breached, and the information is stolen. Why does this still happen?
Over-Detection and False Positives
Cyber security systems work by noticing unusual activities and behaviors of people and software. But they often get it wrong. Try as they may, in order to be ultra-careful, cyber security systems flag a lot of activities that they determine to be potentially malicious but, in reality, are not.
Yes, you keyed in your password three times until you got it right, but you aren’t a data pirate. That still causes an alert.
From your office computer, you inadvertently accessed a website that is off-limits to your company. Honest mistake, but another alert.
This happens so frequently that, every day, hundreds or even thousands of alerts turn out to be nothing of note.
Can you believe it? The average enterprise in the US receives more than 10,000 alerts every day. Most of them aren’t incidents that should demand attention. But how do you know until you look into them?
This daily load of false positives distracts cyber security professionals from dealing with legitimate security alerts.
As more and more time is wasted chasing after false positives, security staffs have to resort to triage – that is, they try to figure out which alerts are important and require a response, and which ones are false and should be ignored. They aren't always accurate. Sometimes, an analyst spends weeks tracking down an incident that turns out to be irrelevant.
Conversely, sometimes, the alert that is ignored is the real emergency!
Distracted to Ruin
A good example that shows how false positives can be ruinous to an organization is the Target Data Breach.
Target, the second-largest discount-store retailer in the United States, was forced to admit to more than 70 million shoppers that their personal and financial information had been compromised.
With a large cybersecurity team and a significant budget for tools and technologies that protect data, how could this happen to Target? (Or Ebay? Or JP Morgan Chase? Or Yahoo?)
Target's problem wasn't that some sort of hacker had succeeded in bypassing its robust cyber security systems. In fact, the company's detection systems deployed specifically to monitor such intrusion attempts had generated alerts confirming that malicious software was present. So why wasn't it dealt with?
As these important alerts were buried among thousands of daily false positives, they did not achieve high enough attention to warrant the prompt action that they demanded. They were missed. This simple oversight led to one of the largest and most costly data breaches in history, estimated at more than $300 million!
In short, while detecting cyber threats and alerting security personnel is crucial, it is not nearly enough. Organizations must institute an accurate, real-time alert validation methodology that unfailingly determines which of the thousands of daily alerts deserve attention and which are just "noise."
But the devil is in the details.
Secdo Automates the Incident Response Process End to End
Secdo's Preemptive Incident Response platform automatically validates every single alert, distinguishing between false positives and real threats that deserve serious investigation.
Secdo provides all the context – the "who, what, where, when and how" – to help security analysts determine the severity of a real alert. Then, Secdo empowers security teams to respond quickly and precisely to combat the threat.
The Secdo platform comprises three modules:
- Observer
- Analyzer
- Responder
Observer
According to Secdo, effective cyber security begins with preemptive data collection. Like a battery of digital cameras that see and record everything, Observer records and stores every activity that occurs on every endpoint (computer) and server (we call these "hosts") in the network.Everything on every host, even when they number in the tens of thousands! Observer enables security and IT teams to see how any host, user, or process behaved now or in the past – just like the ability to view any video from any camera now or in the past at the click of a mouse.
Observer enables quick investigations and threat-hunting. It provides facilities for easy ad-hoc inquiries, enabling analysts to investigate any alert and hunt for threats effectively. Security analysts can use the intuitive investigation interface to ask questions about any event and always get a conclusive answer.
For example:
- Who accessed the website www.youshouldnotgothere.ru on January 24th between 13:31 and 15:09?
- Which hosts have file iamarealthreat.exe on their hard drive?
- Which endpoints sent out companyfinancials.xlsx in emails last night?
 |
| Results returned from an Observer inquiry |
Analyzer
Non-stop, Analyzer correlates the mass of data stored by Observer. If Observer is like thousands of digital cameras recording everything, Analyzer is the intelligence that connects all the individual videos into coherent stories that can be reviewed anytime.For example, malicious software from my boss’s computer is trying to send data out to a foreign website, an event that triggers an alert. It sounds like a simple case, but the full story might read like this:
"Yesterday, I received an email from a particular address. I clicked on the attachment, looked at it, and thought about it no more. However, unbeknownst to me, the attachment wrote a bit of malware on my hard drive. Two hours later, it started to search my computer until it found a password file that enabled it to jump to my boss’s computer. There, at midnight, the malware woke up, searched my boss’s hard drive until it found a file called secretcompanyplans.docx. It connected to a website in Ukraine and attempted to send the file. This is what triggered the alert."The security analyst will see the limited information in the alert which says: "The boss’s endpoint attempted to connect to www.ohnodontgothere.ua."
How can the analyst know the entire story of the alert in order to understand that there is an attachment to an email on my computer that started the whole incident?
Merely preventing access to the bad website will not eradicate the danger. Perhaps this piece of malware is so smart that it will wake up again and try some other tricks like sending another file to a different website. That will just trigger another alert and require another security analyst to fix the same problem tomorrow.
The full story is necessary to fix the entire problem once and for all..
Secdo's Analyzer helps analysts get to the root of every problem and understand its full scope so they can remediate it at its root cause.
Analyzer's Causality Engine places all events received from the Observer data into causality chains (the story) in anticipation of alerts, preparing the forensics that will be necessary for any future security investigation.
As alerts are triggered from any source (any of the many cyber security systems that the organization has deployed), Analyzer automatically correlates the alerts with their appropriate causality chains, placing them into their full context. IT and security teams are able to see the chain of events (the entire story) of exactly what happened from this moment backward into the past.
With the full context, Analyzer can accurately distinguish false alerts so that analysts don’t have to endure unnecessary distractions. It accurately priorities and presents each genuine alert, displaying the entire context including the attack chain starting from root cause (how did this incident start?), all entities involved (where has it spread?) and damage assessment (what did the bad guys do to us so far?) – the entire story.
With all this information presented graphically before their very eyes, security analysts can properly analyze real alerts and respond correctly in seconds.
 |
| Analyzer presents a graphic representation of the entire causality chain including root cause |
In our example, Secdo would enable the analyst to see that the malicious attachment on my computer started the entire chain of events, that it jumped to my boss's computer and that both malicious processes must be cleaned as well as other files or commands they might have written and anything else that is pertinent to this incident.
Responder
So, what do you do once you have found an actual cyber breach that requires a firm and accurate response?
Before Secdo, IT personnel usually had to confiscate your computer, wipe it clean and reinstall Windows and all your applications and data files. Everything. This could take hours or even days. What an interruption to your productivity and what a cost to the company!
With Secdo, the process is a lot faster and smarter, and doesn't interfere with your work. Responder gives security and IT people the ability to remotely access and surgically resolve any threat on any host without impacting productivity.
Responder provides numerous powerful containment and remediation capabilities including patented ICEBlock™ that safely freezes a process in memory while the endpoint remains on the network. You can keep working securely while all this takes place.
 |
| Responder enables IT to deal with specific threats on any host without impacting user productivity |
Responder even takes security a step further. Its plentiful and powerful response capabilities can be fully automated adding protection to the organization into the future.
Conclusion
Digital data is an attractive target for cyber attackers who would steal it for nefarious purposes. Organizations employ security analysts and deploy numerous security products to help them defend against cyber attacks.
These products may generate thousands of alerts every day, and most of these are false positives. Due to the overwhelming daily volume, security teams cannot deal with all alerts and must triage them.
Analysts need an automatic, accurate way to separate out the false positives and prioritize the real ones so that they can focus on real threats. They need to see the entire scope of incidents in order to determine the proper course of remediation. They require remote, surgical response tools that enable them to accurately eradicate threats while maintaining business productivity.
Secdo's Preemptive Incident Response (PIR) transforms the traditional IR process from reactive to proactive by continuously collecting and storing all host activity data – BEFORE an incident occurs.
All activity data from all endpoints and servers (hosts) is automatically correlated in causality chains (context) in anticipation of future incidents. As alerts are ingested from detection systems, they are connected with their appropriate causality chains, preparing full forensic evidence even before Incident Response teams get involved.
With full context, false positives can be eliminated accurately, and real alerts can be prioritized correctly. Security analysts can quickly investigate each alert, already observing its root cause, full activity, entities involved and damage assessment.
With this level of visibility and context, accompanied by a suite of advanced surgical remediation tools, analysts can respond remotely, promptly and precisely to threats while maintaining business productivity.
