To combat alert fatigue among its security analysts, transportation service Uber enriches flagged incidents with specially curated data sets to help distinguish genuine threats from non-malicious activity, as well as to prioritize the most serious events.
“We've spent a lot of time on our side curating the way that we look at [alert] signals in order to relieve ourselves of that fatigue,” said Luis Guzman, director of security response at Uber, in a Wednesday session at the 2017 RSA Conference in San Francisco. “A large majority of the alerts that we receive – over 95 percent – are immediately enriched with other data to distinguish the difference between an engineer just being a cowboy or an engineer trying to [exfiltrate] data.”
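The enrichment approach Guzman describes, as an added example that is not Uber's code: each flagged alert is joined against constructed context data sets (identity, approved change tickets, internal network ranges and per-user volume baselines, all hypothetical) and scored so that routine engineering activity ranks low and exfiltration-like activity ranks high.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed context data sets (hypothetical): stand-ins for HR, change-ticket and network-inventory feeds.
IDENTITY = {"alice": {"prod_access": True}, "bob": {"prod_access": False}}
APPROVED_CHANGES = {("alice", "db-export")}     # (user, activity) with an open ticket
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_DOMAIN = ".corp.example"
BASELINE_MB = {"alice": 2000, "bob": 50}        # typical daily outbound volume per user

@dataclass
class Alert:
    user: str
    activity: str
    destination: str
    megabytes: int
    score: int = 0
    reasons: list = field(default_factory=list)

def is_internal(destination):
    """True for an internal hostname or an address inside an internal range."""
    if destination.endswith(INTERNAL_DOMAIN):
        return True
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def enrich(alert):
    """Attach context-derived reasons and a priority score to one alert."""
    def add(points, reason):
        alert.score += points
        alert.reasons.append(reason)
    ident = IDENTITY.get(alert.user)
    if ident is None:
        add(40, "unknown identity")
    elif not ident["prod_access"] and alert.activity.startswith("db-"):
        add(30, "no production entitlement for database activity")
    if (alert.user, alert.activity) in APPROVED_CHANGES:
        add(-25, "matches an approved change ticket")
    if not is_internal(alert.destination):
        add(30, "external destination")
    if alert.megabytes > 5 * BASELINE_MB.get(alert.user, 0):
        add(25, "volume far above the user's baseline")
    return alert

def triage(alerts):
    """Enrich every alert and return them highest priority first."""
    return sorted((enrich(a) for a in alerts), key=lambda a: a.score, reverse=True)
```

An unknown user has no baseline, so any outbound volume counts against them; the reasons list is what an analyst reads to decide between the cowboy and the exfiltration case.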
The session, which focused on corporate espionage and how to prevent it, featured a number of unusual anecdotes and case studies, including a recent one from Milan Patel, managing director of cyber investigations and incident response at K2 Intelligence.
According to Patel, just weeks ago, K2 discovered an unknown actor on the dark web selling physical data access to a large bank's facility in a European country. However, when K2 contacted the bank, its management didn't even realize it had assets based in this country.
“Sure enough, they did some investigations and found out there was an intern program in this country, and there was a facility that was owned by the bank and this person was selling…access off-hours into that facility, where presumably there are corporate laptops and computers connected to the global network,” said Patel. Investigators were then able to narrow down the intern responsible.