Reducing the noise in your cybersecurity operation
What is the true cost of creating a robust cybersecurity defense for your organization? As cyberattacks accelerate around the world, organizations will keep spending more on security tools and services to shore up their defenses. According to Cybersecurity Ventures, global cybersecurity spending will exceed $1.75 trillion cumulatively from 2021 to 2025, at roughly 15 percent year-over-year growth.
With budgets and IT spend rising steadily, there is no denying the importance of investing in the people who run security operations. Enterprises often have an eclectic set of vendor solutions added over time, sometimes with overlapping functionality and often with time-consuming onboarding and training requirements. Each product brings its own console, fragmenting visibility and threat correlation. The result is dangerous blind spots that leave enterprises vulnerable to damaging exploits. With the persistent shortage of qualified cybersecurity professionals, we need to find ways to use the talent we already have more efficiently. The sheer workload is burning them out. At best, this means lost productivity. At worst, they leave for greener pastures, which translates into turnover costs.
The number one thing we must do is reduce the incessant noise. Cybersecurity practitioners are inundated with thousands of alerts and log entries, all day, every day. We continue to invest in additional tools to detect and investigate threats, but an ugly side effect is more data, more alerts, more noise. Our recent annual Voice of SecOps Report shows how prevalent this problem is. Globally, 27 percent of respondents said their false-positive rate had increased over the past year, and a quarter (26 percent) admitted to turning off "noisy" alerts because they are overwhelmed and do not have time to look at them.
They may enjoy the respite for a little while, but somewhere in that sea of data there is likely an alert or log entry that positively indicates a critical threat, vulnerability, or compromise, and it is now silenced along with the noise. It is a Catch-22. We have all heard the analogy of "finding a needle in a haystack." Here, it is a case of looking for one specific needle in a pile of needles tens of thousands deep.
How Deep Learning Can Make a Difference
Fortunately, there is potential to reduce some of the noise. As you plan to replace or augment existing tools, consider researching and testing technology that uses Deep Learning. These days, Artificial Intelligence and Machine Learning (AI/ML) are ubiquitous among cybersecurity vendors. Most solutions claim some element of AI/ML functionality, and the ability to analyze large quantities of data and automate processes is extremely valuable. But many of these algorithms are reactive, flagging activity only after it has started, and they can be extremely noisy.
Deep Learning enables a more proactive approach that stops threats before they can execute. It is already proving to be significantly more accurate and efficient than traditional Machine Learning, which means fewer false positives (noise) and higher fidelity (stronger signals) in the logs and alerts. Measure this on your own data rather than on a vendor's benchmark: pilot the technology on a representative sample of your files and telemetry and compare its false-positive count with your existing stack over the same period.
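The noise discussed above can be measured before any tool is replaced, and the measurement doubles as the baseline for judging a new tool's false-positive claims. The following is an added example, not code from the original article or from Deep Instinct: it takes a constructed batch of alerts with analyst dispositions, collapses repeat firings of the same rule on the same host inside a time window, computes a per-rule false-positive rate from closed tickets, and marks high-volume, mostly-false rules for tuning rather than for disabling. The rule names, hostnames, timestamps and dispositions are invented for the example, and the 10-minute window and the volume and false-positive thresholds are assumptions to set from your own ticket data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts for this example (not real telemetry):
# (ISO timestamp, detection rule, affected entity, analyst disposition)
# Dispositions come from closed tickets: "tp" = true positive, "fp" = false positive.
SAMPLE_ALERTS = [
    ("2024-03-01T08:00:00", "brute_force_login", "srv-web-01", "fp"),
    ("2024-03-01T08:01:00", "brute_force_login", "srv-web-01", "fp"),
    ("2024-03-01T08:02:00", "brute_force_login", "srv-web-01", "fp"),
    ("2024-03-01T08:03:00", "brute_force_login", "srv-web-01", "fp"),
    ("2024-03-01T08:04:00", "brute_force_login", "srv-web-01", "fp"),
    ("2024-03-01T08:05:00", "brute_force_login", "srv-web-01", "fp"),
    ("2024-03-01T09:30:00", "brute_force_login", "vpn-gw-01", "tp"),
    ("2024-03-01T10:00:00", "powershell_encoded_cmd", "ws-042", "fp"),
    ("2024-03-01T10:20:00", "powershell_encoded_cmd", "ws-017", "fp"),
    ("2024-03-01T11:05:00", "powershell_encoded_cmd", "ws-042", "fp"),
    ("2024-03-01T12:00:00", "dns_tunnel_suspect", "ws-101", "fp"),
    ("2024-03-01T12:30:00", "dns_tunnel_suspect", "ws-101", "tp"),
    ("2024-03-01T13:00:00", "new_admin_account", "dc-01", "tp"),
    ("2024-03-01T14:00:00", "dns_tunnel_suspect", "ws-077", "fp"),
]


def parse_alerts(rows):
    """Turn the tuples above into dicts with real datetimes, oldest first."""
    alerts = [
        {"ts": datetime.fromisoformat(ts), "rule": rule, "entity": entity, "disp": disp}
        for ts, rule, entity, disp in rows
    ]
    return sorted(alerts, key=lambda a: a["ts"])


def dedupe_alerts(alerts, window=timedelta(minutes=10)):
    """Collapse repeat firings of the same rule on the same entity inside `window`.

    Volume drops, but no rule is switched off: the first firing of every
    rule/entity pair in each window still reaches the analyst.
    The 10-minute window is an assumption for the example.
    """
    last_kept = {}
    kept = []
    for a in alerts:
        key = (a["rule"], a["entity"])
        if key not in last_kept or a["ts"] - last_kept[key] >= window:
            kept.append(a)
            last_kept[key] = a["ts"]
    return kept


def rule_stats(alerts):
    """Per-rule volume, disposition counts and false-positive rate."""
    counts = defaultdict(lambda: {"volume": 0, "fp": 0, "tp": 0})
    for a in alerts:
        c = counts[a["rule"]]
        c["volume"] += 1
        c[a["disp"]] += 1
    for c in counts.values():
        c["fp_rate"] = c["fp"] / c["volume"]
    return dict(counts)


def triage_plan(stats, min_volume=5, max_fp_rate=0.8):
    """Decide per rule: 'tune' (high volume and mostly false positives) or 'keep'.

    Below `min_volume` there is too little evidence to act on a rule at all.
    No rule is ever marked for disabling: a rule that is mostly noise can still
    carry the one true positive (in the sample, brute_force_login does).
    Both thresholds are assumptions for the example.
    """
    plan = {}
    for rule, c in stats.items():
        noisy = c["volume"] >= min_volume and c["fp_rate"] >= max_fp_rate
        plan[rule] = "tune" if noisy else "keep"
    return plan


if __name__ == "__main__":
    raw = parse_alerts(SAMPLE_ALERTS)
    deduped = dedupe_alerts(raw)
    print(f"{len(raw)} raw alerts -> {len(deduped)} after dedupe")
    for rule, c in sorted(rule_stats(raw).items(), key=lambda kv: -kv[1]["fp_rate"]):
        print(f"{rule:24} volume={c['volume']:2} fp_rate={c['fp_rate']:.2f}")
    print(triage_plan(rule_stats(raw)))
```

Run it and the brute-force rule is the one marked for tuning: six of its seven firings were one scanner hammering the same web server, but the seventh was the real hit on the VPN gateway, which is exactly the alert that switching the rule off would have hidden. Deduplication alone cuts the 14 alerts to 9 without losing that one, and the powershell rule, although 100 percent false so far, has fired too few times to justify action.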
So, What is Deep Learning?
Whether we realize it or not, Deep Learning is everywhere in our daily lives. Many prominent tech companies use it for Natural Language Processing (e.g., Siri) and Computer Vision/Image Recognition (e.g., Facebook photo tagging). Automobile manufacturers use Deep Learning to train their autonomous vehicle systems. Until recently Deep Learning had seen little use in cybersecurity because general-purpose open-source frameworks could not deliver the results that were needed. A model trained to recognize images will not recognize malware; you need a framework and training data purpose-built for cybersecurity. Applied that way, Deep Learning algorithms can differentiate between benign and malicious activity with remarkable accuracy and speed, and so prevent threats from entering your environment. By contrast, Machine Learning as typically deployed on the endpoint relies on behavioral detection, which only fires once a threat has already executed.
Optimizing Your Security Operations
Employees continue to be the weakest link, even with the best security controls in place. In addition to stronger prevention (such as deep learning), there must be a heavy focus on cybersecurity awareness training. We are seeing nascent threat groups that rely solely on phishing and social engineering for their initial entry. Whether they are tricked by spurious but well-crafted emails or simply answer a seemingly innocent phone call from a malicious actor, unwary employees are consistently giving up the keys to the kingdom, and this remains an alarmingly consistent theme. The annual one-hour online awareness course is no longer enough; persistent education, testing, and reinforcement are necessary.
A more effective initiative can be seen in Massachusetts, where the 2022 Municipal Cybersecurity Awareness Grant Program was created to help local governments improve awareness of the internet dangers that lead to security breaches. The state grant will fund year-long cybersecurity training for over 60,000 employees from 210 municipalities and public-school districts, helping them recognize and avoid cyber threats that steal data and personal information and interrupt essential municipal and educational programs.
Paranoia and Preparedness
Adopting the most advanced noise-reducing technology and building sustainable cybersecurity hygiene by continuously training and educating your workforce will shore up your defenses against cyberattacks. Ultimately, an integrated approach that covers both the tools and the human factor is the best way to lessen the noise and protect your organization.
Deep Learning-powered analytics takes the burden of catching threats off individual employees. Incoming attacks are proactively identified and stopped before they ever have a chance to execute within the network, removing the often-victimized employee from the equation. Meanwhile, security teams are freed from sifting through potential threats within the network and can focus on more meaningful and critical activities that add real value to the business.
And of course, the organization benefits from hardened defenses that shut down most attacks before they can even begin. For too long the industry has been accustomed to an "assume breach" mentality. Now it is time to switch that mindset and take a forward-thinking, prevention-first approach that not only eliminates attacks within milliseconds but also protects SecOps professionals' ears from the barrage of irrelevant, deafening alerts.
Scott Chennells is Distinguished Engineer at Deep Instinct.