Minimizing False Positives in Cloud Security Monitoring
By: Dan Sullivan, DS Applied Engineering, Enterprise architect, research scientist, and author
Monitoring security events is an essential but challenging task. Enterprises run large numbers of applications on a variety of platforms. Some applications are monolithic and run on isolated machines such as mainframes. Others are highly distributed systems that rely on a complex web of services invoking each other in patterns that are difficult to anticipate. These applications generate substantial amounts of log data that are often difficult to integrate. For example, a relatively benign event, like an administrator login on an application server, may not warrant attention on its own; however, if that event is quickly followed by calls to data access APIs on an application outside that admin's responsibility, then the sequence should trigger an alarm. Balancing the need for comprehensive alerting against the obvious desire to minimize false positives (a.k.a. false alarms) is difficult.
Fortunately, emerging deception technologies can help identify attack patterns and so help distinguish true attacks from false positives. Deception techniques create realistic-looking targets for attackers. Instead of housing confidential data or valuable software, these targets run deception software that captures data about attacks. A simple form of deception technology is the honeypot: a server with vulnerabilities an attacker can exploit, along with appealing but fake data or access to other devices. One problem with traditional honeypots is that they are fairly passive. Attackers can discern simple honeypots and avoid them.
More advanced deception technologies are highly interactive and behave more like enterprise applications and servers than earlier-generation deception techniques did. Tools such as Attivo Networks' BOTsink solution lure and engage attackers while capturing detailed forensic data about attack patterns. This is invaluable information that can help infosec professionals better understand attack patterns.
Also, keep in mind that most existing prevention solutions (IPS, sandboxing, etc.) are deployed to inspect north-south traffic and do not scale well to detect lateral movement in east-west traffic. Once an attacker gets past these solutions, lateral movement happens across east-west traffic. Deception technology scales well and can be deployed across the data center to minimize those threats.
Knowledge of attack patterns is essential for defining the broader context of attacks so they can be distinguished from non-attack events. A single event, such as a failed administrator login, may simply be a mistake on the administrator’s part, or it could be a step in a larger sequence of attack events. Using data collected from advanced deception techniques, we can refine security event alerts to look for specific characteristics of known attack patterns. These kinds of refinements can help reduce the chance of generating false positives while minimizing the risk that our rules may be too specific and, therefore, miss actual security events of interest.
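The following is an added example, not code from the article or from any vendor product, showing how the admin-login-then-out-of-scope-access sequence described earlier, and the honeypot-derived refinement described in this paragraph, can be expressed as one correlation rule. The log line format, the field names, the ownership map (ADMIN_SCOPE), the 10-minute window and the set of endpoints "observed in the deception environment" (HONEYPOT_ENDPOINTS) are all assumptions constructed for the example; the sample log is likewise constructed.

```python
"""Sequence-aware correlation rule: alert only when a successful admin login is
followed, within a window, by a data-access API call on an application outside
that admin's responsibility.  A lone admin login, a lone failed login, or an
in-scope data call does not alert.  (Added example; format and data assumed.)"""
import re
from datetime import datetime, timedelta

# Assumed ownership map: which applications each admin is responsible for.
ADMIN_SCOPE = {
    "alice": {"billing", "crm"},
    "bob": {"inventory"},
}

# Assumed: endpoints that attackers were seen calling in the deception
# environment.  A match raises severity rather than being the only trigger.
HONEYPOT_ENDPOINTS = {"/customers/export", "/admin/dump"}

WINDOW = timedelta(minutes=10)  # assumed correlation window

# Assumed syslog-like line: "<ISO8601Z timestamp> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines we cannot parse
    so a malformed line is skipped rather than crashing the rule."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for tok in m["kv"].split():
        key, _, val = tok.partition("=")
        ev[key] = val
    return ev


def correlate(lines, scope=ADMIN_SCOPE, window=WINDOW,
              indicators=HONEYPOT_ENDPOINTS):
    """Return a list of (user, app, endpoint, severity, ts) alerts."""
    last_admin_login = {}  # user -> timestamp of most recent successful admin login
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user = ev.get("user")
        if ev.get("event") == "admin_login":
            if ev.get("result") == "success":
                last_admin_login[user] = ev["ts"]
            continue  # a failed login on its own is not an alert
        if ev.get("event") == "api_call" and ev.get("api") == "data_access":
            login_ts = last_admin_login.get(user)
            if login_ts is None or ev["ts"] - login_ts > window:
                continue  # no recent admin login: not this attack pattern
            app = ev.get("app")
            if app in scope.get(user, set()):
                continue  # inside the admin's own responsibility: benign
            endpoint = ev.get("endpoint")
            severity = "high" if endpoint in indicators else "medium"
            alerts.append((user, app, endpoint, severity, ev["ts"]))
    return alerts


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z host=app01 user=alice event=admin_login result=success",
    "2024-05-01T10:00:30Z host=app01 user=alice event=api_call api=data_access app=billing endpoint=/invoices",
    "2024-05-01T10:05:00Z host=app02 user=bob event=admin_login result=failed",
    "2024-05-01T10:05:10Z host=app02 user=bob event=admin_login result=success",
    "garbage",
    "2024-05-01T10:06:00Z host=app03 user=bob event=api_call api=data_access app=crm endpoint=/customers/export",
    "2024-05-01T11:30:00Z host=app04 user=alice event=api_call api=data_access app=inventory endpoint=/stock",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Run against the sample, only bob's call to the crm application fires (high severity, because /customers/export is in the assumed honeypot-derived set): alice's in-scope billing call, bob's single failed login and alice's out-of-scope inventory call ninety minutes after her login all stay silent. The caveat is the last of those: the window is what keeps the rule from being too broad, and the choice of window is also where it can become too narrow and miss a slow attacker.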