[BreachExchange] Achieving Zero False Positives with Security Automation

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 7 19:45:25 EDT 2017


http://mspmentor.net/security/achieving-zero-false-positives-security-automation

Over the past few years, there’s been a constant and growing drumbeat of
news stories about data breaches, phishing and ransomware.

Organizations are recognizing they lack the time and expertise to implement
state-of-the-art security monitoring and threat investigations themselves.

Not surprisingly, many of these organizations are turning to their MSPs for
help.

Security monitoring can be a growing business for MSPs, but it brings with
it some significant challenges and risks.

If not managed properly, security monitoring can spiral out of control,
swamping MSPs with busy work and escalating labor costs.

Poorly managed security monitoring also introduces the risk of customers
blaming MSPs when data breaches and other serious security incidents occur.

Too Many False Positives

A key reason security monitoring is so costly is due to the large amount of
“noise” generated by false positives from security systems.

To understand why, let’s walk through what typically happens when an MSP
begins security monitoring for a customer.

First, an MSP deploys a Security Information and Event Management (SIEM)
system, which collects and analyzes log events and alerts from systems and
applications on customer sites.

Suddenly the MSP starts receiving hundreds, if not thousands, of alerts
every day.

A large majority of these are false positives, but each alert still must be
manually investigated to filter the good from the bad.

A big part of what's missing from nearly all SIEM systems is local,
in-depth knowledge about the customer's context: information that would
help greatly in distinguishing false positive alerts from genuine alerts
that merit attention.

As a result, your analysts tend to stop paying full attention to every
alert, and can potentially miss the small percentage of alerts that were
early indicators of an incident.

Getting To Zero False Positives - Mission Impossible?

We propose MSPs set an audacious goal for security monitoring: aim to
reduce the number of false positives to zero.

To cut down the number of alerts, the MSP can program the SIEM with rules
for ignoring certain types of alerts.

However, SIEM rules tend to be simplistic since they can’t account for the
context in which an alert occurred.

The slightest irregularities in employee behavior can send security
analysts scurrying to their screens, looking for signs of a threat.

Even threat intelligence data feeds, which are meant to assist SIEMs in
identifying threats that have been detected on other sites, are unable to
stay sufficiently up to date or help with fast-breaking trends.

By definition they can't help at all with zero-day, or previously unseen,
threats.

Without good contextual information, an MSP has no choice but to wade
through an ever-expanding list of alerts by hiring an ever-expanding team
of security analysts.

This is assuming these analysts can even be found, vetted and recruited.

How should MSPs solve this problem of collecting and applying contextual
information to reduce false positives?

With intelligent automation.

Not All Automation Is Created Equal

There are two types of automation for security monitoring and threat
detection: robotic and cognitive.

Robotic automation is useful for the repetitive steps that require minimal
decision-making.

For example, robotic automation can be used to perform routine case
creation and permission-checking after an incident is detected.

Cognitive automation is much more advanced and uses machine learning to
automate tasks that require decision-making.

Hence, it’s perfect for threat detection activities such as performing
triage on security alerts and threat hunting.

A “smart” security automation system uses cognitive automation to gain
contextual awareness of a customer site and then makes decisions (such as
threat-scoring) based on deep correlation across multiple data sources.

The system accepts feedback from security analysts, who can rate or correct
its decisions, ultimately helping the system become more accurate over time.

Unlike “black box” security solutions, this solution is programmable and
analyzable.

Its decisions can be examined and understood.

Security analysts are never left wondering why the system made the decision
it did when it dismissed or elevated an alert.
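The two points above, that a blanket SIEM suppression rule throws away context and that an explainable scorer should show analysts why it dismissed or elevated an alert and learn from their corrections, are easier to see in code. The following is an added example written for this page; it is not code from the article or from any vendor's product. It stands in for the "cognitive" machine-learning system with a hand-weighted heuristic: the alert records, the customer context (scanner address, service account, crown-jewel host) and the starting weights are all constructed for illustration, and `apply_feedback` is a deliberately simple weight nudge, not a real learning algorithm.

```python
"""Context-aware alert triage with an analyst feedback loop (added example)."""
import copy
import ipaddress

# Constructed sample alerts in the shape a SIEM might emit (not real data).
ALERTS = [
    {"id": 1, "rule": "port_scan",   "src": "10.0.5.20",   "dst": "10.0.1.15", "user": None,         "hour": 3},
    {"id": 2, "rule": "port_scan",   "src": "10.0.9.77",   "dst": "10.0.1.15", "user": None,         "hour": 3},
    {"id": 3, "rule": "admin_login", "src": "10.0.7.3",    "dst": "10.0.1.2",  "user": "svc_backup", "hour": 2},
    {"id": 4, "rule": "admin_login", "src": "203.0.113.9", "dst": "10.0.1.2",  "user": "jdoe",       "hour": 2},
]

# Constructed customer context: the local knowledge a plain SIEM rule lacks.
CONTEXT = {
    "scanners": {"10.0.5.20"},           # authorised vulnerability scanner
    "service_accounts": {"svc_backup"},  # non-human accounts that run at night
    "internal_net": "10.0.0.0/8",
    "crown_jewels": {"10.0.1.2"},        # e.g. the domain controller
}

BASE_SCORE = {"port_scan": 50, "admin_login": 50}
ESCALATE_AT = 50

# Hypothetical starting weights: positive raises suspicion, negative lowers it.
DEFAULT_WEIGHTS = {
    "known_scanner": -40,
    "external_source": 30,
    "service_account": -30,
    "off_hours_human": 20,
    "crown_jewel_target": 20,
}


def naive_suppress(alerts, ignored_rules):
    """The simplistic SIEM rule: silence a whole alert type regardless of
    context. Returns the ids of alerts that survive. Note that it drops
    alert 2, a scan from an unknown internal host, along with the scanner."""
    return [a["id"] for a in alerts if a["rule"] not in ignored_rules]


def score_alert(alert, ctx, weights):
    """Return (score, reasons). `reasons` lists every context factor that
    fired, so an analyst can see exactly why the alert was dismissed or
    elevated instead of trusting a black box."""
    score = BASE_SCORE.get(alert["rule"], 30)
    reasons = []
    src = ipaddress.ip_address(alert["src"])
    if alert["src"] in ctx["scanners"]:
        reasons.append("known_scanner")
    if src not in ipaddress.ip_network(ctx["internal_net"]):
        reasons.append("external_source")
    if alert["user"] in ctx["service_accounts"]:
        reasons.append("service_account")
    elif alert["user"] and not 8 <= alert["hour"] < 19:
        reasons.append("off_hours_human")
    if alert["dst"] in ctx["crown_jewels"]:
        reasons.append("crown_jewel_target")
    score += sum(weights[r] for r in reasons)
    return max(0, min(100, score)), reasons


def triage(alerts, ctx, weights):
    """Return the ids of alerts whose context-adjusted score warrants escalation."""
    return [a["id"] for a in alerts if score_alert(a, ctx, weights)[0] >= ESCALATE_AT]


def apply_feedback(alert, ctx, weights, is_true_positive, step=10):
    """Analyst correction: nudge every factor that fired on this alert.
    A confirmed true positive pushes those factors up, a confirmed false
    positive pushes them down. Returns a new weights dict; the input is
    left untouched so the change can be reviewed before it is adopted."""
    new = copy.copy(weights)
    _, reasons = score_alert(alert, ctx, weights)
    for r in reasons:
        new[r] += step if is_true_positive else -step
    return new


if __name__ == "__main__":
    print("naive rule keeps:", naive_suppress(ALERTS, {"port_scan"}))
    for a in ALERTS:
        print(a["id"], score_alert(a, CONTEXT, DEFAULT_WEIGHTS))
    print("context-aware escalates:", triage(ALERTS, CONTEXT, DEFAULT_WEIGHTS))
    # Analyst decides a service account should never log in interactively
    # to the domain controller and marks alert 3 as a true positive.
    tuned = apply_feedback(ALERTS[2], CONTEXT, DEFAULT_WEIGHTS, True)
    print("after feedback escalates:", triage(ALERTS, CONTEXT, tuned))
```

With the starting weights the naive rule keeps only alerts 3 and 4, silently losing the unexplained internal scan (alert 2), while the context-aware scorer escalates 2 and 4 and dismisses the authorised scanner with the reason `known_scanner` attached. Alert 3 (a service account logging in to the domain controller at 02:00) initially scores 40 and is dismissed; one round of analyst feedback raises the weights of the factors that fired on it, and it scores 60 on the next pass. The same mechanism cuts the other way: a confirmed false positive lowers the weights that fired, which is how the 90 percent reduction described below is supposed to accumulate. The threshold is a trade-off, not a zero-false-positive switch; lowering `ESCALATE_AT` buys fewer misses at the cost of more noise, and every weight change should be logged so the triage decisions stay auditable.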

Such a system can accurately triage alerts at scale, causing the number of
false positives to plummet.

This automated approach reduces most of the manual investigation work that
keeps security analysts overwhelmed and MSP owners awake at night.

Mission Accomplished, Almost

Can such a system reduce false positives to zero?

Not yet.

However, we work with customers who have successfully reduced the number of
false positives by 90 percent, which is no mean feat.

Reaching zero false positives—an unimaginable goal even a few years ago—now
seems within reach with the next generation of cognitive security solutions.

For MSPs, reducing false positives by 90 percent is a tremendous
competitive advantage, saving time and improving margins, but most
importantly enabling much better security for their customers.

Our advice to MSPs is to welcome customers seeking help with security
monitoring. By deploying both SIEM and cognitive automation systems, MSPs
can aim for zero false positives and reap the benefits of a growing
business and satisfied customers.