Well, as the political conflict in Ukraine continues, the number of news headlines about possible huge cyberattacks against the United States keeps growing. But to the best of my knowledge, nothing out of the ordinary has happened yet, and if it has, it has been at the usual level we saw last year. That does not mean that something big won't happen, and we have to keep our guard up.
We should never fall into the thinking that because it has never happened to me, it never will.
Unfortunately, that is still the line of thinking most businesses take today, and it puts them at far greater risk than those that are trying to be proactive.
Despite all of the latest tools and gadgets out there, we are still dependent upon the human element, which in practice means the IT Security teams in Corporate America. Right now they are taxed and overburdened, and believe it or not, it is not from fighting off the threat variants.
Rather, it is from the sheer volume of alerts and warnings they have to filter through, the bulk of which are simply false positives.
Because of this, the real alerts, the ones that actually need attention, often get overlooked. Just trying to keep up with all of this is now infamously known as "Alert Fatigue", and it is only going to get worse.
But there are ways of controlling and leveling off the sheer number of alerts and warnings that come through. Here are some tips you could use for your business:
1)
Tune down the noisiest sources:
While in theory every alert and warning merits attention, in practice this is simply not the case. So you and your IT Security team should carefully audit the systems that produce alerts (firewalls, network intrusion detection devices, routers, endpoint agents, etc.) to determine which of them, and which specific rules on them, are producing the highest number of false positives. Measure this against alerts your analysts have already reviewed and dispositioned as true or false positives, not against gut feeling. Once you have determined where the spikes are, do not simply turn those devices off, even for a brief period: a firewall or intrusion detection system that is switched off is a gap in your defenses, and the real event you are worried about is exactly the one that will arrive while it is down. Instead, tune the noisy rules: set up filters and suppression rules for the source and rule combinations that are almost always benign, raise the thresholds that trigger them, and exempt known sources such as your own vulnerability scanner. Keep the suppressed events logged so they are still available for later investigation. The goal is to stop paging a human for every one of them, not to stop collecting the evidence.
2)
Establish a prioritization scheme:
If the first step has been successful, you should be receiving far fewer false positives, and a larger share of what comes in should be the real ones. Now the question gets asked bluntly: what to do next? The knee-jerk reaction would be to act on each one immediately. Unfortunately, that does not scale, because many other alerts and warnings will need your full attention at the same time. So you need to set up some sort of triage system that lets you prioritize which alerts need immediate attention. For example, alerts that relate to your mission-critical operations should get the first and most immediate attention. If you think about it, this is also a function of the Risk Assessment that you should have done beforehand. Although its primary objective is to determine which controls need to go where, it is also your opportunity to determine where your most valuable and most vulnerable digital assets lie. That asset inventory, with a criticality rating for each asset, is what your prioritization system for the real alerts should be built on: an alert's priority is its severity weighed against the criticality of the asset it touches.
3)
Take a layered approach:
Today, many businesses are moving away from what is known as "Perimeter Security". This is the idea of one huge circle of defense encircling the business, protecting you from external threats. But what about the internal ones? Anything already inside that circle, whether a compromised workstation or a malicious insider, is trusted by default, and that is the huge problem with this kind of thinking. As a result, many entities are now adopting what is known as the "Zero Trust Framework", where no user or device is trusted simply because of where it sits on the network. Your IT and network infrastructure is broken down into smaller segments, and every request for a shared resource has to be authenticated and authorized before access is granted, regardless of whether it comes from inside or outside. You can use this same layered line of thinking to help triage the real alerts. Along with the prioritization scheme, you should also include some sort of labeling structure, so that your IT Security team can keep track of which layer an alert comes from and route it to the right people. A possible one could look something like this:
*Impacts coming from the Physical Layer: This would include main access points, doors, and other sensitive areas in your business where direct contact is required.
*Impacts coming from Technical Controls: This would include primarily all of your network security devices.
*Impacts coming from Administrative Controls: This would include any employee misuse, whether it is intentional or not.
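The three steps above, put into working code as an added example (this is not code from the original post). It takes a history of alerts that analysts have already dispositioned, works out which source and rule combinations are almost always false positives, suppresses those without touching the device, then ranks the remaining alerts by severity times asset criticality and labels each with the Physical/Technical/Administrative layer it came from. Every device name, rule name, asset, criticality rating and alert in it is constructed for the example; the prefix-based layer mapping and the 90% false-positive threshold are assumptions you would replace with your own.

```python
"""Alert triage helper (added example, not from the original post).

Steps 1-3 of the post in code: find which source/rule pairs produce the most
false positives, suppress those without switching the device off, then rank
what is left by severity times asset criticality and label it with the
control layer it came from.  All names and alerts below are constructed.
"""
from collections import Counter

# Step 1 input: alerts your analysts already reviewed and dispositioned.
# "fp" = false positive, "tp" = true positive.  Constructed history.
HISTORY = (
    [{"source": "fw-edge-1", "rule": "port-scan", "disposition": "fp"}] * 6
    + [{"source": "ids-core", "rule": "lateral-movement", "disposition": "fp"}] * 2
    + [{"source": "ids-core", "rule": "lateral-movement", "disposition": "tp"}] * 3
    + [{"source": "badge-hq", "rule": "after-hours-entry", "disposition": "fp"}] * 3
)

# Step 2 input: asset criticality from the risk assessment (1 = low, 5 = high).
CRITICALITY = {"erp-db": 5, "server-room": 4, "hr-fileshare": 4, "web-dmz": 3, "guest-wifi": 1}

# Step 3 input: which control layer each alert source belongs to, by name prefix (assumed scheme).
CONTROL_LAYER = {
    "badge-": "Physical",        # door controllers, badge readers
    "fw-": "Technical",          # firewalls
    "ids-": "Technical",         # network intrusion detection
    "dlp-": "Administrative",    # data-loss prevention flagging employee misuse
}

# Fresh alerts waiting for triage (constructed).  severity is 1..5 as reported by the device.
NEW_ALERTS = [
    {"id": "A1", "source": "fw-edge-1", "rule": "port-scan", "asset": "web-dmz", "severity": 2},
    {"id": "A2", "source": "ids-core", "rule": "lateral-movement", "asset": "erp-db", "severity": 4},
    {"id": "A3", "source": "badge-hq", "rule": "after-hours-entry", "asset": "server-room", "severity": 3},
    {"id": "A4", "source": "dlp-mail", "rule": "bulk-external-send", "asset": "hr-fileshare", "severity": 3},
    {"id": "A5", "source": "fw-edge-1", "rule": "port-scan", "asset": "guest-wifi", "severity": 2},
]


def fp_rate_by_source_rule(history, min_volume=5):
    """Return {(source, rule): false-positive rate}, only for pairs with enough
    history to judge; a rule that fired three times is not yet a pattern."""
    totals = Counter((a["source"], a["rule"]) for a in history)
    fps = Counter((a["source"], a["rule"]) for a in history if a["disposition"] == "fp")
    return {pair: fps[pair] / n for pair, n in totals.items() if n >= min_volume}


def build_suppressions(history, fp_threshold=0.9, min_volume=5):
    """Source/rule pairs that are almost always false positives.  These keep
    being logged; they just stop paging an analyst.  The device itself stays on."""
    rates = fp_rate_by_source_rule(history, min_volume)
    return {pair for pair, rate in rates.items() if rate >= fp_threshold}


def control_layer(source):
    """Map a source device to the Physical/Technical/Administrative label."""
    for prefix, layer in CONTROL_LAYER.items():
        if source.startswith(prefix):
            return layer
    return "Unclassified"   # unknown devices should be reviewed, not dropped


def priority_score(alert, criticality):
    """Severity reported by the device, weighted by how much the asset matters.
    Unknown assets default to 1 so they still surface rather than vanish."""
    return alert["severity"] * criticality.get(alert["asset"], 1)


def triage(alerts, suppressions, criticality=CRITICALITY):
    """Split alerts into a ranked analyst queue and a logged-only pile."""
    queue, logged_only = [], []
    for alert in alerts:
        if (alert["source"], alert["rule"]) in suppressions:
            logged_only.append(alert)
            continue
        queue.append({**alert, "layer": control_layer(alert["source"]),
                      "score": priority_score(alert, criticality)})
    queue.sort(key=lambda a: a["score"], reverse=True)   # stable: ties keep arrival order
    return queue, logged_only


if __name__ == "__main__":
    suppressed_pairs = build_suppressions(HISTORY)
    work, logged = triage(NEW_ALERTS, suppressed_pairs)
    print("suppressed (still logged):", sorted(suppressed_pairs))
    for a in work:
        print(f'{a["id"]}: score {a["score"]:>2} [{a["layer"]}] {a["rule"]} on {a["asset"]}')
    print("logged only:", [a["id"] for a in logged])
```

With the constructed data, only the edge firewall's port-scan rule gets suppressed (six reviewed hits, all false positives); the IDS lateral-movement rule has a 40% false-positive rate and stays in the queue, and the badge reader has too little history to judge yet. The lateral-movement alert on the ERP database ranks first because a high-criticality asset multiplies a medium severity; the two port-scan alerts are logged but never reach an analyst. Feeding each analyst's disposition of the day's queue back into HISTORY is what keeps the suppression list honest over time.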
4) Make use of modern tools:
By this, I mean the latest and greatest, such as AI and ML. These tools are designed to help you specifically with task automation, especially when it comes to filtering out false positives. Initially, they will take some time to set up, because you have to train them on your past alerts, including the attack signatures and the analyst dispositions (true or false positive) that go with them, so that they know what to be on the lookout for.
Also, you will need to keep them constantly fed with data, so that they keep learning what a false positive really is; a model trained once and never corrected will drift as your network and the attackers change. But equally important is that your IT Security team needs to be able to see everything from a single, holistic point of view. This is where a SIEM can come into play. Although setting up an ML or AI system may sound complicated and expensive, the truth of the matter is that it does not have to be. For example, Microsoft Azure has a great set of tools for building this, and also offers a cloud SIEM (Microsoft Sentinel) that you can deploy essentially right out of the box. The caveat is that "out of the box" still means tuning: the detection rules it ships with will produce their own false positives until you adapt them to your environment.
My Thoughts On This:
In the end, don't simply rely upon technology to solve your Alert Fatigue problems. It's going to take the human element as well. Keep in mind that there will always be a good number of alerts and warnings that your IT Security team will have to filter through; the goal here is to reduce the workload so that mostly the authentic ones come through, thus easing up the burden to a certain degree.