A couple of weeks ago we discussed the process several security operations teams go through to separate the network signal from the noise. We reviewed the steps McAfee has taken in designing its Fusion Centers of Security to identify the network signals in our own operating environment. Getting the basics of security operations right, understanding our security architecture, and carefully weighing priorities and risk are all vital to homing in on the network signals.
But what if even the network signals can overwhelm? How do we get security operations out of the slow lane? How do we generally get to the intelligence — the insights — that lead to final decisions?
A study of 500 CISOs from large enterprises across the UK, USA, and Germany, published by Bromium in February, found that the average enterprise-sized security operations center (SOC) receives 4,146 alerts every day. More than 70 percent of those, about 2,900, are false positives. That still leaves more than 1,200 alerts a day to investigate. From our own internal view, we believe that 95% of network signals are false positives.
What is required is a way to narrow the focus onto the critical data set: the one that generates accurate network signals demanding a decision now. As it so often does, the cybersecurity industry can take its cue from the military, which has tackled this problem before.
This chart, published by the U.S. Joint Chiefs of Staff in 2013, describes the process by which data is collected from the operating environment and then processed and distributed in a consumable form as data and information. That data and information are analyzed in the context of other potentially related information and presented as intelligence. Intelligence, by design, is an insight that can be acted upon.
In cybersecurity, the collection and processing steps are typically automated by tools such as SIEM correlation engines, event receivers, and endpoint detection and response (EDR) systems. The analysis phase, however, has remained almost exclusively the domain of human analysts, because the data is often incomplete or lacks context.
The trick is getting these partial data and information sets to paint the full picture. We are often dealing with data that is dirty. Complexity is compounded when partial data sets are used to make complex security decisions. Doing the data wrangling needed to tell a story that predicts or estimates an outcome has been, until very recently, too complex for machines to manage.
Complexity is reduced when the complete picture and the complete data set are captured. This is the toughest task in machine learning: we often capture data that cannot be used, data that is valuable but goes unused, and data that is used only partially.
Painting the entire picture by identifying relevant clues and patterns from previous analysis is a complex process, a reinforcing loop of information and education. Learning to spot the most relevant signal needs a teacher and an apt pupil. We will look at that team in our next article.
McAfee technologies' features and benefits depend on system configuration and may require enabled hardware, software, or service activation. You can learn more at McAfee.com/Activate. No computer system can be absolutely secure.
Robert Williams is a self-professed security expert who has been making people aware of security threats. His passion is writing about cybersecurity, malware, social engineering, games, the internet, and new media. He writes for McAfee products at mcafee.com/activate or www.mcafee.com/activate.