By Gavin Hill, Vice President, Datacenter and Network Security Products, Bitdefender
The effectiveness of security incident investigation and resolution is key to the effectiveness of all defense efforts. But improving incident investigation and resolution does not come without challenges. The reality is there are too many alerts to handle combined with poor correlation between alerts.
However, an emerging category of Network Traffic Analytics (NTA) tools can address these challenges and accelerate incident investigation and resolution. But let’s understand the challenges first.
Improving the quality of security alerts
Although an excess of alerts is among the most important challenges Security Analysts and Security Operating Centers (SOCs) face, only 54 percent of respondents in the 2018 Security Operations Center Survey by SANS Analyst Program collected SOC metrics. Organizations missing SOC KPIs have trouble adjusting their skill level, processes, and tools to ensure proper handling of all security incidents.
How many security incidents are too many to handle? This varies from organization to organization, but the outcome of alert fatigue seems to be the same: roughly 30 percent of alerts globally are simply ignored. Analysts suffer from alert fatigue due to a staggering volume, with organizations reporting anywhere from 10,000 to 1 million a day. The sheer volume of alerts is often fueled by issues of quality or relevance that come because of limited context, alert redundancy, an increase in false-positives and alert delivery issues.
What can be done? The quest to increase the efficiency and effectiveness of incident investigations must start by improving the quality and relevance of alerts and reducing their number. Most devices in the environment, from end-user devices to servers, switches, routers or firewalls, generate some sort of alerts. But which ones should take priority? Which ones, if ignored or not investigated promptly, pose the highest risk?
In a recent blog post on RSA 2019, ESG senior analyst Jon Oltsik said, “ESG research indicates that network security monitoring is most often the center of gravity for threat detection. In other words, SOC analysts detect suspicious activity on the network first and then pivot elsewhere for further investigation … CISOs can get a big bang for their buck by implementing one of the more modern networks security monitoring/analytics tools.”
Enter Network Traffic Analytics solutions. Alerts generated by these tools are more relevant than alerts generated by other security layers. This is because they can provide complete visibility across infrastructure, including detailed explanations for incident severity scores, and smart alert triage that enables analysts to focus on the true incidents. Another key element is the contextual information which offers guidance for effectively containing the threat and limiting the damage.
But does that mean other alerts to be ignored? Absolutely not. However, using NTA as the sentinel of your organization reduces analyst workload and improves the effectiveness of the incident investigation. It will not completely eliminate the problem of alert overload, but choosing a more reliable signal source can help overcome the challenge of noise.
Better alert correlation
Only 30 percent of organizations rely on fully automated or mostly automated alert correlation. The other 70 percent are manually triaged. Amid the current severe shortage of skilled cybersecurity industry workers, this situation is untenable.
The good news is there are multiple approaches to the alert triage problem, including efforts from Security Information and Events Management (SIEM) and Security Orchestration Automation and Response (SOAR) tools (). The difference between NTA and these technologies is that while a SIEM solution ingests loads of alerts and tries to make sense of them, NTA solutions work with the initial source: the network traffic. By directly analyzing network traffic and correlating dozens or hundreds of events from the environment, NTAs can generate a crisp, complete picture of each security incident.
Benefits of NTA Solutions
In addition to full visibility, improved security with NTA solutions can be achieved because the reasoning capabilities such as machine learning, and behavioral analytics generate threat intelligence that can be applied to network traffic meta-data in real time. These capabilities allow for the detection of advanced attacks, including malicious, fraudulent or risky user behavior that can lead to breaches or data leaks, helping to limit the risks of sensitive data exfiltration. Fueling automated and highly accurate alert triage, NTA solutions enable incident response teams to focus their attention on relevant security incidents. Identifying behavior that represents policy violations while also recording traffic meta-data for extended periods of time, enables NTA tools to be an integral element in maintaining compliance.
NTA solutions pick up the signal other tools may miss, particularly when it comes to advanced attacks, by providing complete visibility and insights into threat related network activity across an entire infrastructure. Moreover, by automating alert triage they have the power to increase the efficiency of incident response efforts and more easily ensure compliance.
The Definition of SOC-cess? SANS 2018 Security Operations Center Survey, by Christopher Crowley and John Pescatore – August 13, 2018
About the Author
Gavin Hill is the Vice President, Datacenter and Network Security Products, Bitdefender. Gavin has an excellent track record in product development and marketing in the cybersecurity space in delivering first-to-market solutions that drive revenue acceleration. He has more than 20 year’s industry experience in product management and marketing. At Bitdefender, Gavin is responsible for leading global product management and product marketing for the data center and networking security lines of business. Before joining Bitdefender, Gavin served on the executive leadership team at Bromium where he was responsible for product strategy and go-to-market including all marketing aspects as the acting CMO. Gavin holds a Bachelor of Science in Computer Science and an MBA in Marketing and Strategic Management from Western Governors University.
Gavin can be reached online at https://www.linkedin.com/in/gavinhill1/ and at our company website https://www.bitdefender.com/