Remember hearing the stories of “The Little Boy Who Cried Wolf”? His calls for help created alarm among the townspeople until, ultimately, they got so used to false alarms they started ignoring his cries for attention. Now imagine multiple boys crying “wolf” at the same time. Are some real? Some false? How much time would it take to investigate each of these cries and would the real wolf attack while you were trying to react to every alarm? The magnitude of these cries quickly become an unfathomable nightmare and inevitably just becomes white noise.
Noisy alerts are a common problem faced by today’s corporate security incident teams. The detection solutions that were originally measured by how often an alert was generated have now become reduced to chatter rather than the high fidelity detection system that people expected.Attacks have became more targeted and broad pattern matching and monitoring are now required to sweep for these custom and signature-less attacks. Given this approach to detection, the SANS Institute found that 66% of incidents are now false alarms. Considering the total number of attacks on corporations and the staggering number of incidents, it is not surprising that the volume of alerts has become unmanageable and subsequently ignored.
Too many alerts may explain why Target’s security team took 19 days to stop the attack, despite receiving alerts long before any credit card information was extracted. For the Neiman Marcus security breach, security experts carefully sifted through over 60,000 alerts!
Let’s look at the numbers. If we assume that security experts could spend one hour to investigate and dispose of each alert, that means a team of 20 people, working 24 hours a day, seven days a week would spend 125 consecutive days to resolve all 60,000 alerts. That’s assuming they did nothing else but investigate and dispose of these alerts, and no other alerts came in while they’re working on these. Most organizations are not staffed to address this volume of activity and even when staffing is approved, the shortage of security professionals often leads to open requisitions and delayed staffing. Here are a few more facts that illustrate the growing need for real-time, accurate alerts:
- 43 security incidents, with approximately two new hosts, are infected each day (KPMG)
- It takes approximately32 days to resolve an incident (Ponemon Institute)
- 229 days is the average time to detection (2,287 days the longest period) (Mandiant)
If you go through all these numbers, it quickly becomes clear that unless a cyber security team has infinite time and resources,there is not a realistic way to respond to every alert generated. What is needed is a way to accelerate the identification of attacks and provide accurate information the cyber security team can use to quickly understand the real threat and shut it down. For prompt, accurate detection of attack incidents, solutions need to do more than just look at attack patterns, signatures or suspicious behavior, which often end up being false alarms. A modern approach, however, will only produce alerts based on actual engagement with an attacker.
It may be interesting to watch the volume of attacks outside perimeter of the network, however these are not typically the attacks that cause concern. The attacks that need to be addressed are the ones that have bypassed perimeter security and are mounting their attack within the network. These attacks will come in the form of reconnaissance and stolen credential attacks and are frequently designed specifically for the organization they are attacking.
But without crying “wolf” at everything that appears to have “hair on it”, how do you detect these intrusions within your network? The answer can be found with dynamic deception techniques.
Dynamic deception is designed to only generate an alert on real-time engagement with attackers; there are no false positives. A comprehensive deception platform will turn the entire network and data center into a set of ubiquitous traps and will fool the intruder into engagement through the use of deception lures and techniques. Advanced deception is based on real operating systems and services that can be customized so they are indistinguishable from company servers or devices. Once the attacker engages with the deception platform, an immediate alert is created that the security team cannot ignore. No crying wolf, these alerts are real.
A full-featured deception platform will also provide the ability to
- Engage the attacker andcapture threat intelligence to identify the source of infection for remediation
- Classify threats as low, medium and high for appropriate levels of remediation
- Provide reporting to update prevention systems, enabling the shut down of current and the prevention of future attacks
- Have 3rd party integrations for sharing threat intelligence with SIEM and infrastructure solutions
- Detect threats within the private, public, and hybrid cloud environments
For the security team without the time or resources to chase false positive alerts, deception provides the ideal alternative for detecting intrusions in real-time. Most important, it doesn’t cry wolf!
Chief Marketing Officer