While many organizations invest large amounts of money and time into threat detection programs, the number of successful malware attacks rises every year. Sanjay Raja, VP of product marketing and solutions at Gurucul, assesses what it is about current threat detection that is causing organizations to fail at proper detection.
In 2021, 61% of organizations experienced a cybersecurity attack that disrupted their business. In 2022, 35% of respondents blamed cybersecurity issues for disrupting business functions. While many organizations invest large amounts of money and time into threat detection programs, the number of successful attacks continues to rise every year. Despite some success, most organizations’ threat detection falls short of its potential for three reasons: vendors rely on outdated rule-based detection, their data collection is too limited to provide context, and they do not assess dynamic risk in order to prioritize threats.
There are multiple phases to incoming attack campaigns (initial compromise, downloading initial payload, reconnaissance and lateral movement, etc.), and each phase can produce its own indicators of compromise. But many threat detection systems don’t provide enough contextual data along with their alerts for organizations to tell if a complete attack campaign is underway or if they’re just looking at a series of unrelated events. This lack of data makes it very difficult for analysts to investigate threats quickly, separate true positives from false positives, and produce accurate alerts.
Why Do Organizations Fail at Threat Detection?
So, what is it about current threat detection that is causing organizations to fail at proper detection? Here are the three most common reasons I see for this.
1. Using rule-based detection rather than true machine learning
Most organizations use threat detection products that rely on static rule-based models. These are essentially flowcharts that check whether an incoming attack meets certain characteristics and produce an alert if so. One of the biggest flaws of rule-based detection is its inability to identify new attacks or variants of previous attacks. The vendor must update the product to detect every new attack variant; the product cannot adapt on its own. That update can take days, weeks or even months after a new attack is discovered, and during that time the organization is left defenseless.
The advancement in machine learning (ML) technology has provided a solution to the problems caused by rule-based systems. True ML technology allows security systems to adapt to variants of attacks and recognize new attacks at a much higher rate than earlier systems. This, in turn, provides more accurate results and reduces the amount of time SOC teams have to spend investigating false flags.
2. Not looking at enough data to provide context to alerts and deploy customized detection and response
Most organizations rely on one cybersecurity detection system, like a SIEM, to report attacks to the SOC team. But relying on one or two siloed detection systems or sets of analytics is not going to provide enough data and context to produce accurate security alerts. Without this context, analysts need to spend time researching the event manually across other security systems, which ultimately slows down their response.
The less accurate and well-associated the available contextual information is, the less precise the response can be, and the more disruptive it will be to other users and processes. Lack of context also makes it more difficult for the analyst to determine if a full attack campaign is underway.
A solution to this would be to layer or chain identity analytics, behavioral analytics and/or external threat intelligence feeds on top of basic security analytics. Behavioral analytics measures whether a certain behavior is normal or abnormal, which helps identify malicious activity. A security event that involves unusual behavior, high-value user accounts, or a match against a known attack campaign, with those signals chained together for accuracy and validation, is more likely to surface an actual attack than to be a false positive. This process is called cross-validation through model chaining and is one of the best ways to produce accurate, highly contextual alerts that confirm an actual attack.
3. Not assessing the risk of certain behaviors
Most vendors don’t link analytics together, so their models cannot calculate the total risk of an attack. Calculating risk lets SOC teams prioritize events and make sure they’re investigating and fixing the riskiest ones first. Having the resources to calculate risk and analyze behaviors can be incredibly useful to teams, as it suggests which events and alerts are likely to be part of larger attack campaigns and should be addressed immediately.
For example, consider a user that has had multiple failed login attempts to a company device or website. How risky is this? That depends on other factors: where are the attempted logins coming from? What resources are they trying to access, and do those resources make sense for their role? Is this normal behavior for this user? Is there any reason for this user to have a grudge against the company? These factors all matter. A marketing employee working from home trying to access some product brochures on SharePoint is much less risky than that same marketing employee’s login being used from a foreign country trying to access a Tier Zero system for the first time.
Without this data, SOC teams are left in the dark and have to make an uninformed decision or spend extra time manually researching the alert. A threat detection system that can calculate risk, based on chaining together the various analytical models and providing this information along with the alerts, can improve security significantly without creating more work for the SOC team. Very few SIEMs can do this despite vendor claims. Most of the time, siloed analytics are simply correlated and called “analytics,” which is the weakest form.
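To make the model-chaining and risk-scoring ideas from sections 2 and 3 concrete, here is a small, self-contained Python example. It is added here for illustration and is not Gurucul's code or any product's algorithm. Three toy "models" score a login event: a static failed-login rule (the symptom the SIEM sees), a behavioral baseline check (is this country or resource new for this user?), and an identity/asset-context check (is the target a Tier Zero system, and does it fit the user's role?). Their scores are chained into one risk number and alerts are ranked by it. The user name, resource names, baselines, point weights and severity thresholds are all constructed assumptions, as is the event data, which mirrors the marketing-employee scenario above.

```python
"""Toy cross-validation of security analytics by model chaining.

Added example, not the article's or any vendor's code. Every user,
resource, baseline, weight and threshold below is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    user: str
    src_country: str
    resource: str
    failed_attempts: int


# --- Constructed context that the chained models draw on -------------
# Identity context: account -> role (in practice fed from an IdP / HR system).
USER_ROLE = {"mkt.jane": "marketing"}
# Asset context: resource -> tier, where 0 is "Tier Zero" (most sensitive).
RESOURCE_TIER = {"sharepoint-brochures": 3, "domain-controller-01": 0}
# Tiers each role is expected to touch.
ROLE_TIERS = {"marketing": {2, 3}}
# Per-user behavioral baseline, normally learned from history.
BASELINE = {"mkt.jane": {"countries": {"US"}, "resources": {"sharepoint-brochures"}}}

FAILED_LOGIN_THRESHOLD = 5  # constructed rule threshold


def rule_model(ev: LoginEvent) -> list[tuple[int, str]]:
    """Static rule: many failed logins. Fires on the symptom alone."""
    if ev.failed_attempts >= FAILED_LOGIN_THRESHOLD:
        return [(20, f"{ev.failed_attempts} failed logins")]
    return []


def behavior_model(ev: LoginEvent) -> list[tuple[int, str]]:
    """Behavioral analytics: is this activity normal for *this* user?"""
    base = BASELINE.get(ev.user, {"countries": set(), "resources": set()})
    findings = []
    if ev.src_country not in base["countries"]:
        findings.append((30, f"first login from {ev.src_country}"))
    if ev.resource not in base["resources"]:
        findings.append((15, f"first access to {ev.resource}"))
    return findings


def identity_model(ev: LoginEvent) -> list[tuple[int, str]]:
    """Identity/asset context: does the target make sense for the role?"""
    tier = RESOURCE_TIER.get(ev.resource, 2)
    findings = []
    if tier == 0:
        findings.append((35, "target is a Tier Zero system"))
    if tier not in ROLE_TIERS.get(USER_ROLE.get(ev.user, ""), set()):
        findings.append((15, f"tier {tier} resource is unusual for role"))
    return findings


MODELS = (rule_model, behavior_model, identity_model)


def score_event(ev: LoginEvent) -> dict:
    """Chain the models: add up their points and count how many corroborate."""
    score, reasons, fired = 0, [], 0
    for model in MODELS:
        findings = model(ev)
        if findings:
            fired += 1
        for points, why in findings:
            score += points
            reasons.append(why)
    severity = "high" if score >= 60 else "medium" if score >= 30 else "low"
    return {"event": ev, "score": score, "severity": severity,
            "models_fired": fired, "reasons": reasons}


def prioritize(events: list[LoginEvent]) -> list[dict]:
    """Scored events, riskiest first, so analysts can triage top-down."""
    return sorted((score_event(e) for e in events),
                  key=lambda r: r["score"], reverse=True)


# Constructed events: same account, same failed-login symptom, different context.
SAMPLE_EVENTS = [
    LoginEvent("mkt.jane", "US", "sharepoint-brochures", 6),   # at home, usual work
    LoginEvent("mkt.jane", "RO", "domain-controller-01", 6),   # abroad, Tier Zero, first time
    LoginEvent("mkt.jane", "US", "sharepoint-brochures", 1),   # nothing unusual
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_EVENTS):
        e = r["event"]
        print(f"{r['severity']:6} {r['score']:3} {e.user} {e.src_country} "
              f"{e.resource} models_fired={r['models_fired']} {r['reasons']}")
```

The first and second events look identical to the static rule (six failed logins, 20 points each), which is exactly the situation that leaves an analyst guessing. Only after the behavioral and identity models are chained on does the foreign-country, Tier Zero event separate out as high severity with all three models corroborating, while the at-home brochure access stays a low-priority, single-model hit. In a real deployment the point weights would be tuned to the environment and the baseline learned from historical telemetry rather than hard-coded.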
Detect Threats before They Become Danger
Creating effective and efficient threat detection is one of the biggest ways to reduce the labor of SOC teams and improve overall organizational security. Doing all of this correctly means organizations are better protected, and their security teams have time to focus on other tasks. However, until legacy systems begin to modernize with machine learning, behavioral analytics and the ability to cross-validate the analytics to surface an actual attack, the true potential of threat detection will continue to be limited.