Three Impediments to Cybersecurity Operations

  1. Impeded threat detection. According to CrowdStrike’s 2020 Cyber Front Lines Report, “Average dwell time grew 10 days to 95 in 2019, up from 85 in 2018.” In 95 days, it is highly unlikely that an attacker produced no evidence of their attack tactics. Why isn’t that evidence recognized as a threat indicator leading to earlier detection and circumvention? Because without observable ground truth linking detected threat indicators together, it is impossible to quickly and accurately qualify early threat indicators.
  2. Impeded threat investigation. Making connections across attack tactics is a manual exercise. Instead of having immediate access to ground truth about all of the threat’s progression, the security analyst must sift through system and application logs from around the time of the initial suspected attack. They rely on experience and guesswork to determine which entries in the voluminous audit logs, mostly innocuous and unrelated, are relevant to the investigation. It is time-consuming work with a high potential for mistakes, and it is easy for an analyst to miss the details that connect log activity to previous alerts. Keep in mind that these individual threat activities may be separated by hours, days, or even weeks and hide among unrelated log activity.
  3. Inability to implement automation. With an extremely high volume of false positives and no way to quickly corroborate alerts against ground truth, analyst teams cannot immediately trust their alerts. If you can’t trust the alert, you can’t automate actions triggered by the alert. Instead, most organizations only automate gathering additional contextual information to help the analyst. Knowing the external IP’s reputation, the user’s identity, and the host’s services helps to prioritize the investigation, but it does not help to quickly understand the threat’s scope or root cause. Security analysts still perform these most difficult aspects of the threat investigation, scoping and root-cause analysis, manually.
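Item 2 describes the linkage an analyst has to reconstruct by hand. The following added example, which is not code from the original post or from Spyderbat, contrasts the time-window search an analyst typically performs with linking records by an entity they share, using process lineage as a stand-in for the “ground truth” the post refers to. The timeline, hostnames, users and process ids are constructed sample data.

```python
"""Linking alerts and log records across long time gaps by shared entities.

Added illustration, not part of the original post. Contrasts a time-window
search around an initial alert with following process lineage from that
alert. All events below are constructed, not real telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    pid: int            # constructed process id
    ppid: Optional[int]  # constructed parent process id
    kind: str           # "alert" or "log"
    detail: str


# Constructed timeline: an initial alert on ws-17, related follow-on activity
# 3 and 12 days later, and unrelated records on other hosts in between.
T0 = datetime(2020, 3, 1, 9, 0)
EVENTS: List[Event] = [
    Event(T0, "ws-17", "alice", 4100, 3990, "alert", "macro spawned powershell"),
    Event(T0 + timedelta(minutes=5), "ws-17", "alice", 4120, 4100, "log", "outbound https to unknown host"),
    Event(T0 + timedelta(hours=1), "ws-22", "bob", 2210, 2200, "log", "scheduled backup"),
    Event(T0 + timedelta(days=3), "ws-17", "alice", 5300, 4120, "log", "new scheduled task created"),
    Event(T0 + timedelta(days=5), "db-01", "svc_sql", 910, 900, "log", "nightly index rebuild"),
    Event(T0 + timedelta(days=12), "ws-17", "alice", 6001, 5300, "log", "archive written to network share"),
]


def time_window_search(events: List[Event], seed: Event,
                       window: timedelta = timedelta(hours=24)) -> List[Event]:
    """The manual approach: pull every record near the initial alert in time.

    Unrelated activity inside the window shows up as noise, while related
    activity days later falls outside it entirely.
    """
    return [e for e in events if e is not seed and abs(e.ts - seed.ts) <= window]


def lineage_chain(events: List[Event], seed: Event) -> List[Event]:
    """Follow process lineage from the seed alert.

    Any record whose parent process is already in the chain joins it,
    regardless of how much time has passed since the previous link.
    """
    chain = [seed]
    known = {(seed.host, seed.pid)}
    changed = True
    while changed:  # repeat until no new record attaches, so input order does not matter
        changed = False
        for e in sorted(events, key=lambda x: x.ts):
            if e in chain or e.ppid is None:
                continue
            if (e.host, e.ppid) in known:
                chain.append(e)
                known.add((e.host, e.pid))
                changed = True
    return sorted(chain, key=lambda e: e.ts)


def chain_span_days(chain: List[Event]) -> int:
    """Elapsed days between the first and last linked record."""
    return (chain[-1].ts - chain[0].ts).days


if __name__ == "__main__":
    seed = EVENTS[0]
    print("Within 24h of the alert:")
    for e in time_window_search(EVENTS, seed):
        print(f"  {e.ts:%Y-%m-%d %H:%M} {e.host:6} {e.user:8} {e.detail}")
    chain = lineage_chain(EVENTS, seed)
    print(f"Linked by lineage ({chain_span_days(chain)} days end to end):")
    for e in chain:
        print(f"  {e.ts:%Y-%m-%d %H:%M} {e.host:6} {e.user:8} {e.detail}")
```

Running it shows the point of the passage: the 24-hour window returns one related record and one unrelated one, while the task creation on day 3 and the archive on day 12 never appear; following lineage returns exactly the four related records and nothing else.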

Seth Goldhammer

20+ years in cybersecurity bringing products to market at TippingPoint, HP, and LogRhythm. Currently VP of Marketing @SpyderbatInc.