These days, nearly every security leader is seeking ways to improve her team’s threat detection capabilities. According to the RSA Threat Detection Effectiveness Survey, 75 percent of respondents are unsatisfied with their organization’s ability to detect and investigate threats.
Security teams can pursue any number of strategies aimed at helping them detect threats faster, from participating in information sharing and analysis centers (ISACs) to leveraging the latest machine learning technologies. But if you’re looking for some advice you can implement reasonably quickly, keep these two simple principles in mind:
1. Alert fatigue is a frequently-overlooked enemy.
2. There’s usually more to an incident than meets the eye.
Alert Fatigue: A Frequently-Overlooked Enemy
It’s really hard to detect the threats that matter most when your threat hunters and security analysts are suffering from alert fatigue and cognitive overload. Threat actors know your team is burdened, and they take advantage of this fact. So if you want to improve your team’s threat detection capabilities, you’ve got to address alert fatigue. But how?
Context is key to prioritizing alerts and preventing analyst burnout. When an alert fires, the analyst should be able to tell immediately which systems, data or people may be affected and how critical or sensitive they are to the business. Rank assets this way and group them into categories (domain controllers, intellectual property repositories, executive email accounts and so on), then attach that ranking to alerts automatically so that an alert on a domain controller never lands in the same queue position as the identical alert on a test machine. The ranking is only as good as the asset inventory behind it, so treat an alert on an asset that is missing from the inventory as a data gap to fix, not as a low-value event.
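As an added example (not code from the original article or any particular product), here is what such a context-driven enrichment step might look like in Python. The asset inventory, the category criticality scale, the severity weights and the sample alerts are all constructed for illustration; a real deployment would pull the inventory from a CMDB or identity system and tune the scores to the business.

```python
"""Enrich raw alerts with asset context and rank them by business criticality.

Added example for illustration only. The inventory, categories, scores and
sample alerts below are constructed and hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical criticality per asset category (1 = low, 5 = crown jewels).
CATEGORY_CRITICALITY = {
    "domain_controller": 5,
    "executive_mailbox": 5,
    "ip_repository": 4,
    "workstation": 2,
    "test_lab": 1,
}

# Constructed asset inventory: hostname or account -> category.
ASSET_INVENTORY = {
    "dc01.corp.example": "domain_controller",
    "git.corp.example": "ip_repository",
    "ceo@corp.example": "executive_mailbox",
    "ws-4471.corp.example": "workstation",
    "lab-07.corp.example": "test_lab",
}

# Weight of the severity the detector itself assigned (constructed scale).
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}

# Criticality assumed for assets nobody has classified yet. Deliberately not
# the lowest value: an unknown asset is a gap in the inventory, not a known
# low-value box.
UNKNOWN_ASSET_CRITICALITY = 3


@dataclass
class Alert:
    rule: str
    asset: str
    severity: str


@dataclass
class EnrichedAlert:
    alert: Alert
    category: str
    criticality: int
    score: int
    notes: list = field(default_factory=list)


def enrich(alert: Alert) -> EnrichedAlert:
    """Attach category and criticality from the inventory; flag unknown assets."""
    notes = []
    category = ASSET_INVENTORY.get(alert.asset)
    if category is None:
        category = "unknown"
        criticality = UNKNOWN_ASSET_CRITICALITY
        notes.append("asset missing from inventory")
    else:
        criticality = CATEGORY_CRITICALITY[category]
    score = criticality * SEVERITY_WEIGHT[alert.severity]
    return EnrichedAlert(alert, category, criticality, score, notes)


def prioritize(alerts: list[Alert]) -> list[EnrichedAlert]:
    """Highest score first. sorted() is stable, so ties keep arrival order."""
    return sorted((enrich(a) for a in alerts), key=lambda e: e.score, reverse=True)


def by_category(enriched: list[EnrichedAlert]) -> dict[str, list[EnrichedAlert]]:
    """Group enriched alerts so an analyst can work one asset class at a time."""
    groups = defaultdict(list)
    for e in enriched:
        groups[e.category].append(e)
    return dict(groups)


# Constructed sample alerts, in the order a SIEM might emit them.
SAMPLE_ALERTS = [
    Alert("Suspicious PowerShell", "ws-4471.corp.example", "high"),
    Alert("Credential dumping indicators", "dc01.corp.example", "medium"),
    Alert("Mass repository download", "git.corp.example", "low"),
    Alert("Impossible travel login", "ceo@corp.example", "medium"),
    Alert("Port scan", "lab-07.corp.example", "high"),
    Alert("Brute force", "printer-12.corp.example", "low"),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE_ALERTS):
        flag = f"  [{'; '.join(e.notes)}]" if e.notes else ""
        print(f"{e.score:>3}  {e.category:<18} {e.alert.asset:<28} {e.alert.rule}{flag}")
```

Note what the ordering does: the "high" port scan against a lab box drops to the bottom, while a "medium" credential-dumping alert on the domain controller goes to the top. That inversion is exactly the context a detector working on its own severity cannot supply.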
There’s Usually More to an Incident than Meets the Eye
Threat actors frequently use deception tactics to evade detection and compound the impact of their attacks. It’s like they’ve taken a page from Sun Tzu’s famous military treatise, The Art of War:
All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.
In practical terms, attackers may launch a distributed denial of service (DDoS) attack on a company in order to distract security staff while they move on to their larger goal of stealing data. This kind of scenario has played out repeatedly over the years, yet many security teams continue to fall for it.
The moral? When you detect an incident, assume it may be one piece of a larger campaign. Then, to the extent your staffing allows, assign some people to investigating and remediating the incident at hand while keeping others on continuous monitoring. That way you avoid committing the whole team to one activity, and you are in a better position to see the full scope of the attack rather than only the part the attacker wanted you to see.