The rapid shift to remote work in 2020 brought on by the pandemic led to an increase in potential attack vectors, which resulted in an increase in cyberattacks and nefarious activity. A number of high-profile ransomware attacks have proliferated, many targeting the healthcare industry at a time when it’s most vulnerable.
Once the pandemic ends, that doesn’t mean cyberattacks will cease. The global quarantine merely pointed out that cybersecurity stands at the edge of a precipice. It requires not just more tools, but a new vision of what’s possible. We need to take on a “Triple Zero” security strategy: zero false positives, zero privileged accounts accessed by attackers and zero wasted investigations.
Zero false positives
There’s a massive amount of information that comes into a security operations center (SOC) at any one time. The number of alerts per analyst has risen, and so has the time required to investigate alerts. A 2019 report by Critical Start found that 70 percent of responding analysts investigate 10+ security alerts per day – up from 45 percent the prior year. Nearly half of them reported a false positive rate of 50 percent or higher.
False positives are a significant burden on SOC analysts. Imagine running on a hamster wheel all day, working hard but getting nowhere. It’s demoralizing to keep chasing false alerts, one of the reasons the rate of burnout for analysts has become unacceptably high.
Given the already severe shortage of security experts, burnout caused by alert overload hitting the SOC has become a major challenge for the industry. Nearly half of the respondents reported an unsustainable SOC analyst turnover rate of up to 25 percent.
While we need to eliminate false positives, it has to start with reducing them first. That requires a new approach to threat detection that creates only high-fidelity alerts. There’s technology that makes this possible today. Tools with this technology only generate alerts when bad actors do something within the network that they have no right to do. These alerts are not the result of a possibility, a likelihood, an estimate or a normal, typical action being misinterpreted.
SOC analysts also need tools to quickly locate and mitigate real attacks, preferably in real-time before serious damage takes place—delivering detailed, actionable information so they can spend their time on analysis rather than searching for information.
Zero privileged accounts accessed by attackers
Attackers love to get their hands on credentials. It saves them the trouble of having to build exploits to get in through a virtual back door. By riding or manipulating the native connectivity that exists within the business, attackers can execute attacks from start to finish without ever exploiting vulnerabilities. For the attacker, it’s a much better scenario. Like other living-off-the-land techniques, it reduces the risk of detection, but it also eliminates the losses the attacker would suffer if their tools were discovered and fingerprinted.
Analysis of breaches and attacker activity points to attackers’ growing preference to use credentials. Forrester Research has estimated that as many as 80 percent of data breaches involve privileged account access. This has become a real problem and we must stop it.
Organizations have gaping holes in terms of access to privileged accounts. This includes issues such as cached credentials in the memory of endpoints, and shadow admin accounts. These are network accounts that have sensitive privileges but are often overlooked as they’re not members of a privileged Active Directory group. We need to make these harder for attackers to access these types of accounts and information. Security teams can do this by using technologies to gain automatic visibility and remediate the problems as soon as they crop up.
Zero wasted investigations
Security analysts are at a premium, and many organizations face a shortage. Consequently, there’s a great need to optimize resources. Organizations don’t have the staff to waste time on investigations that end up revealing false positives. They need their limited staffs to focus on actual threats.
Unfortunately, analysts end up wasting valuable time searching for the missing context needed to determine which threats are real and their priority levels. When they are stuck in the morass of manual activities, without automated coordination and response, analysts burn out and consider a career change. Meanwhile, Critical Start research indicates that up to 39 percent of real threats slip by unnoticed.
Context becomes key – the right set of forensics available on-demand will go a long way toward reducing the number of wasted investigations. Equipped with the necessary context, analysts can quickly identify real threats to the environment, including the entry point of an attack and the infecting vector – along with unknown misconfigurations and vulnerabilities.
A new security mindset
Given all of the changes we saw last year – the shift to remote work and the ensuing uptick in cyberattacks – we should no longer question the need for a new approach to cybersecurity. Bad actors are working overtime to create new attack types, and defenders must work just as hard to stop every one of them. But if IT security teams operate from the “Triple Zero” mindset, they stand a much greater chance of assembling the necessary technology and tools to robustly secure their network.
Ofer Israeli, chief executive officer, Illusive Networks
