What does this alert mean? Why is it important? What should I do? Our main takeaway from Infosec London 2016 – cyber security professionals are overloaded with information. And what they really want and need is answers.
In the panel discussions, leading CISOs explained the difficulty they experience in assessing their current security posture. Despite (or perhaps because of) the many reports and dashboards available, it’s a challenge to obtain a holistic picture of the current situation. Clearly this has serious implications for security – but it’s also an organizational problem. CISOs are finding it difficult to communicate the risks and their significance for the business. That translates into difficulty justifying budget and the need for additional security investments. CISOs are actively looking beyond SIEM for solutions that will provide situational awareness of the digital environment – a near real-time view of their security posture and of the risk to critical assets. And they are looking for ways to measure the performance of their security solutions, to determine whether those solutions deliver a true return on investment.
At the same time, security analysts continue to suffer from alert fatigue and an inability to keep up with the amount of investigation required. They are looking at ways to orchestrate and automate investigation and response processes to improve efficiency. Yet there is a general consensus that there are limits to rule-based automation. Just as SIEM rules ultimately fail because they cannot adapt to inevitable changes in the environment, automated playbooks are inherently limited to whatever use cases we can think up. So any truly effective solution must go beyond mechanical approaches to automation and combine the intelligence of man with the efficiency of a machine.
Distill Breach Intelligence from Data by Automating Investigations
In our presentation at the Cyber Innovation Showcase, Fighting Alert Fatigue with Automated Investigations, we talked about how organizations can shift the focus from chasing alerts to halting breaches through an intelligence-driven approach to breach detection. Verint has over 20 years of experience in Actionable Intelligence (in fact, we coined the term!) and a few years ago, we set out to apply that perspective to cyber security. We realized that the key to identifying breaches today is the investigation process. A human analyst puts together a group of alerts from different systems that appear to be related; seeks forensic evidence to support or refute those leads; and ultimately chooses a course of action. Needless to say all of the reporting is done by the analyst as well!
This process, which is at the heart of turning “alerts” into “incidents,” takes a great deal of time, expertise and intelligence. Automating it would have the greatest impact on the way security teams work today. So that’s the problem we set out to solve.
The 5 Key Steps to Automating Investigations
Our presentation at Infosec featured the 5 key principles of an automated investigation:
1. Think like a human investigator
As I mentioned earlier, an analyst goes through an iterative process to investigate an incident, starting with gathering evidence, extracting leads, building a theory, checking it with more evidence, etc. An effective automated investigation needs to simulate that kind of intelligence which gleans insights from multiple sources, rather than simply playing back a set of rules.
2. Combine the best of man and machine
No matter how well we automate, a machine will never have the intuition of a human. The trick is to automate as much as possible, and to know exactly when to bring the human in for consultation. And after that consultation, to feed the outcome back to improve the performance of the machine, in a continuous cycle.
3. Collect the right information
To detect complex threats, you need a broad and deep picture of the security situation. That means detecting across the attack chain and throughout the organization. Just as important, different sensors need to interact with each other to make sense of their findings – just like a human would do. Without that cross-referencing, every anomaly is just another alert.
4. Transform alerts into actionable intelligence
To automatically turn many leads and forensic evidence into actionable intelligence, you need the right data model and the right means of visualization. The information becomes actionable when analysts can instantly understand context, relationships, and next steps.
5. Blend detection with proactive forensics
Most of the time, forensics follows detection, if it happens at all. Forensics tools tend to be very difficult to use, so they often wait on the sidelines until an expert is available. Through automation, we can collect forensic data to confirm or refute every single alert (lead) that is collected, in a proactive and continuous manner. The forensic data should be presented visually as part of a complete incident storyline, which can be easily understood by an analyst at any tier.
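The investigation loop that the five principles describe, reduced to its mechanics as an added example written for this page (it is not Verint’s code and does not reflect how their product works): alerts from independent sensors are joined into incidents wherever they share an entity such as a host or user, each lead is then checked against collected forensic artifacts and marked confirmed, refuted or unverified, and the incident is prioritised by how many attack-chain stages have confirmed evidence behind them. The alerts, the evidence, the stage names and the string-match confirmation rule are all constructed assumptions chosen to keep the example self-contained.

```python
"""Correlate alerts from several sensors into incidents and confirm each lead
against collected forensic evidence.  Written for this page as an illustration
of the principles above; it is not Verint's implementation.  All alerts,
evidence and attack-chain stages are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    id: str
    sensor: str          # tool that raised the lead
    stage: str           # attack-chain stage the sensor covers (assumed names)
    time: int            # minutes since an arbitrary start (constructed)
    entities: frozenset  # shared keys such as "host:ws-17" or "user:alice"
    summary: str
    indicator: str       # artifact forensics must show for the lead to be confirmed


# Constructed alerts from five independent sensors.  a1-a4 describe one
# intrusion that starts on ws-17; a5 and a6 are unrelated noise.
ALERTS = [
    Alert("a1", "email-gw", "delivery", 0, frozenset({"user:alice"}),
          "macro attachment delivered", "invoice.docm"),
    Alert("a2", "edr", "execution", 12, frozenset({"host:ws-17", "user:alice"}),
          "winword.exe spawned powershell.exe", "powershell.exe"),
    Alert("a3", "proxy", "c2", 15, frozenset({"host:ws-17", "ip:203.0.113.5"}),
          "beaconing to rare domain", "203.0.113.5"),
    Alert("a4", "ad", "lateral", 40, frozenset({"user:alice", "host:srv-db-02"}),
          "first logon to database server", "alice from ws-17"),
    Alert("a5", "ids", "recon", 300, frozenset({"ip:198.51.100.9"}),
          "port sweep from external address", "syn scan"),
    Alert("a6", "edr", "execution", 310, frozenset({"host:ws-42"}),
          "unsigned binary in temp dir", "update.exe"),
]

# Constructed artifacts an automated collector would pull per entity (process
# trees, connections, logon records).  Only hosts yield evidence here; the
# external IP in a5 has nothing to collect from.
EVIDENCE = {
    "host:ws-17": ["explorer.exe > winword.exe > powershell.exe -enc ...",
                   "tcp 10.0.0.17 -> 203.0.113.5:443 (47 connections)"],
    "host:srv-db-02": ["logon: alice from ws-17 (type 3)"],
    "host:ws-42": ["explorer.exe > outlook.exe", "temp dir empty"],
}


def cluster(alerts):
    """Group alerts into incidents by shared entities (union-find over the
    entity graph).  Returns incidents ordered by their earliest alert."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    for a in alerts:
        first, *rest = sorted(a.entities)
        for e in rest:
            parent[find(e)] = find(first)
    groups = defaultdict(list)
    for a in alerts:
        groups[find(min(a.entities))].append(a)
    return sorted((sorted(g, key=lambda a: a.time) for g in groups.values()),
                  key=lambda g: g[0].time)


def verify(alert, evidence):
    """Confirm, refute or leave unverified a lead using the artifacts collected
    for its entities.  A substring match stands in for a real forensic rule."""
    artifacts = [art for e in alert.entities for art in evidence.get(e, [])]
    if not artifacts:
        return "unverified"
    return "confirmed" if any(alert.indicator in art for art in artifacts) else "refuted"


def build_incidents(alerts=ALERTS, evidence=EVIDENCE):
    """Turn alerts into incidents: each carries a storyline, the attack-chain
    stages with confirmed evidence, and a priority derived from them."""
    incidents = []
    for group in cluster(alerts):
        verdicts = {a.id: verify(a, evidence) for a in group}
        confirmed = {a.stage for a in group if verdicts[a.id] == "confirmed"}
        if len(confirmed) >= 2:
            priority = "high"          # evidence across several stages
        elif confirmed:
            priority = "medium"
        elif all(v == "refuted" for v in verdicts.values()):
            priority = "closed"        # every lead contradicted by forensics
        else:
            priority = "low"           # nothing confirmed, nothing to collect
        incidents.append({
            "alerts": [a.id for a in group],
            "sensors": sorted({a.sensor for a in group}),
            "confirmed_stages": sorted(confirmed),
            "priority": priority,
            "storyline": [f"t+{a.time:>3}m [{a.sensor}/{a.stage}] {a.summary} ({verdicts[a.id]})"
                          for a in group],
        })
    return incidents


if __name__ == "__main__":
    for inc in build_incidents():
        print(f"{inc['priority']:6} {inc['alerts']} stages={inc['confirmed_stages']}")
        for line in inc["storyline"]:
            print("   ", line)
```

Run as-is, the four ws-17 alerts collapse into one high-priority incident whose storyline reads from delivery through command-and-control to lateral movement, while the external port sweep stays a low-priority lead (no host to collect from) and the ws-42 binary alert is closed because the collected process tree contradicts it. The join-on-shared-entity step is what turns cross-referencing between sensors into an incident rather than a pile of alerts, and the verdict step is the proactive forensics of principle 5.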
Give it a try!
The advantages of automating incident investigation to create actionable intelligence are clear – threats are detected earlier, alert fatigue is reduced because analysts review incidents rather than raw alerts, and the process is far simpler. This approach also gives CISOs a unified, near real-time view of the current risks to critical assets, so they can prioritize resources and budgets.
You can view our Infosec presentation on the conference web site and of course I welcome your questions and comments.