By Sanjay Raja, VP Product Marketing and Solutions, Gurucul

One of my top cybersecurity initiatives for 2022 is improving threat detection and response. Initial compromises are inevitable, and most often originate from phishing attacks, social engineering, or insider threats.

The initial compromise lays the groundwork for enabling malware to be installed, and it’s very difficult to predict against.

You can have pretty good defensive measures where you are filtering out a lot and are helping security teams to be more effective. But it doesn’t change the fact that only one compromised system can cause a lot of damage.

As someone once said, one apple can spoil the whole bunch. So, you must be ready to detect and prevent against even a single compromise.

Reducing the Burden on Security Teams and Accelerating Investigations

The other issue is around reducing the burden on security teams. What can we do when we have a security skills shortage, and it’s becoming more and more difficult to be able to scale a team up?

We need to be able to accelerate investigations with the skills we have on deck. What that really means is we have to provide enough context to help everyone in security at any level to be able to identify anomalies that are part of an overarching attack campaign much sooner in the discovery phase – ideally, in real-time.

This requires security analysts to be told what an actual threat is, or they need to be able to figure it out for themselves by investigating further to determine whether it’s a true threat.

But they need to be able to do this in a fast and responsive way. Unfortunately, a lot of solutions out there make it very difficult to be able to tie those pieces together.

The real end goal, though, is the response. Now that you know that something anomalous is inside your network and you know that it’s part of the attack campaign, what do you do right now? What do you do next? And how do you respond quickly before of the attacker can do damage?

Whether that’s stealing data, causing disruption, turning off systems, or downloading ransomware – all of these are destructive actions that an attacker can take. And you need to be able to respond before any malicious action occurs. Obviously, it can get quite damaging and quite costly if you don’t respond rapidly and definitively.

Challenges with XDR and SIEM

There are challenges with current XDR and SIEM solutions that you may have invested in that provide incomplete infrastructure-wide visibility. You’ve got remote workers. You’ve got cloud solutions. And you need to pull in data from all sorts of different environments.

Without getting a full, complete picture of all the data that’s out there, you’re unable actually to see what’s going on.

This is where a lot of these environments are insufficient because they’re not pulling the data from every location across multi-cloud. So that leaves a lot of visibility gaps.

Those are visibility gaps that attackers know to exploit. So, this is where you really need infrastructure-wide visibility and have solutions in place that can actually pull in all that data effectively.

Lack of Real-time Adaptability to New Threats

The lack of real-time adaptability to new threats is really key because what we’re seeing is that attackers aren’t just sitting on their laurels leveraging an attack or leveraging vulnerabilities they’ve seen.

They’re changing up existing attacks, making new variants, changing techniques, and doing whatever they can do to evade existing systems.

The problem with security platforms that aren’t adaptable is that they don’t really learn from prior behaviors and prior events. You’re reliant on the vendor to create patches and create new signatures, new pattern matches, to be able to identify that those attacks are going on.

First, the vendor has to know about the attack. Second, they have to develop the actual new pattern, and they have to be able to get it to you in a timely manner before the attack takes hold inside your systems. And they have to get it right.

It’s quite a challenge when you are depending on the solution you have and the vendor you have to get it right. A lot can and does go wrong. A better approach is to work with a vendor like Gurucul who provides true machine learning models that can adapt to changing conditions and virus variants in real-time. Self-learning algorithms are what machine learning is all about in the real world of defense in-depth cybersecurity.

Too Many IoCs and False Positives to Chase

It’s surprising to me, after all this time, that we are still seeing security teams chasing false positive alerts. Security teams are overburdened. The amount of data that they require to be able to do their job doesn’t mean that the indicators of compromise (IoC) and the events popping up need to go up as well.

This is where consuming more data ends up being super noisy with traditional XDR and SIEM systems. You end up receiving too many indicators of compromise. That’s not the solution. All it does is throw more noise at security analysts and dilute the real attacks.

You need to be able to reduce the noise level to what’s really important and keep analysts from chasing down those annoying false positives, which is a major problem.

Some statistics show 70% of what security analysts investigate are false positives. So, reducing that number is just as important as reducing the overall noise that’s coming in.

This is one of the areas that can lessen the burden on a security team, and where you can certainly do more with less. You don’t have to hire ten more people if you can simply process and address more of the key alerts that need to be investigated.

Addressing the Security Skills Gap

I mentioned the security skills gap, where we’re having a lot of junior folks coming into security and learning on the job. The lack of contextual information and the ability to prioritize what’s important is really hurting them too. Because honestly, they don’t know what next steps to take.

They may escalate an investigation to a senior analyst and quickly overburden that analyst, one of the tier one analysts. That’s far from optimum because there are very few tier one security analysts out there so we need to reserve their expertise for the most difficult cases.

More context, more help, and more automation is what’s needed to help junior security analysts get to answers more quickly, and improve their ability to do their job. And it also reduces the burden on the more senior analysts who are focused on much deeper investigations. This is all part of what’s needed to improve security operations.

Where to Invest?

So, let’s talk about where to invest. When we talk about some of the investment areas, one of us talked about getting consolidated views across on-prem, multi-cloud, and remote systems.

The key here is to do it without escalating costs. That’s really the chat, is that most security solutions, especially monitoring SIEM solutions, data collection solutions, whatever they are, end up charging based on the incoming data. That’s not cost effective.

Finding solutions that are charging based on helping security teams pull in as much data as possible, and being able to investigate those sources are more effective.

We are hearing from a lot of people, especially as they move to cloud and remote offices, that the amount of data they’re collecting has gone up quite a bit.

And suddenly, they’re getting charged a lot more for being able to do that data collection for functionality that they should be getting already. They’ve already paid for that. So again, this is something where people are looking to invest in solutions that can help reduce that burden and especially the cost.

More data with fewer alerts and false positives is the key. How do I ingest more data and yet reduce my workload at the same time? Solutions that can help filter all out of that noise and lower the false positive rate are critical for security teams to be successful.

Improving Context and Prioritization for Junior Analysts

Being able to provide more refined data is key to enabling our security analysts. Delivering with high confidence anomalous data to be investigated is critically important to prevent junior analysts from unnecessarily chasing false positive alerts.

It really enables them to be more effective at their job and learn more quickly how to do a better job so they aren’t escalating everything, and aren’t chasing things they shouldn’t be chasing. We want them hyper-focused on high-priority alerts only. Then help them conclude what they need to do to be able to fix or remediate the issue.

That’s going to help you accelerate not only your investigations but also your responses, which means you’re going to have fewer actually successful attacks.

Using More Advanced Analytics

It’s important to understand the nuances behind vendor claims around analytics and machine learning. Many vendor “analytics” capabilities are really just correlation rules. To stave off today’s threats, you absolutely need truly advanced analytics.

Machine learning and artificial intelligence have been thrown around a lot in the last several years. Unfortunately, it’s been misused quite a bit. But if you can find vendors that really are using proper machine learning techniques. That’s where the power is in terms of helping to automate not only your investigations but also your threat detection and even your response capabilities.

True machine learning adapts to new variants in real-time. You’ll have higher confidence in what’s out there and what you’ve identified as an actual attack campaign. You’ll also know what the steps are to be able to remediate that attack campaign before it does damage.

Adding behavior analytics into your security practice is important. We’ve come a long way from old network behavior analytics to where user and entity behavior analytics are really key because we’re seeing things like privileged access violations.

Baselining what’s normal, and what’s not normal.

Being able to with high confidence correlate that data to know, “This is something new that we haven’t seen before, but we know it’s an attack.”

Again, this is where we’re seeing organizations invest in security analytics and next-generation SIEMs.

About the Author

Sanjay Raja brings over 20 years of experience in building, marketing and selling cyber security and networking solutions to enterprises, medium-to-small business, and managed service providers.

Previously, Sanjay was VP of Marketing at Prevailion, a cyber intelligence startup. Sanjay has also several successful leadership roles in Marketing, Product Strategy, Alliances and Engineering at Digital Defense (acquired by Help Systems), Lumeta (acquired by Firemon), RSA (Netwitness), Cisco Systems, HP Enterprise Security, Crossbeam Systems, Arbor Networks, Top Layer Networks, Caw Networks (acquired by Spirent Communications), Nexsi Systems, 3Com, and Cabletron Systems.

Sanjay holds a B.S.EE and an MBA from Worcester Polytechnic Institute. Sanjay is also a CISSP as well as Pragmatic Marketing certified.

Republished with permission. Originally here.

Gurucul Returns to Compete in 2022 ‘ASTORS’ Homeland Security Awards Program

American Security Today’s Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program, and now in its Seventh Year, recognizes industry leaders of Physical and Border Security, Cybersecurity, Emergency Preparedness – Management and Response, Law Enforcement, First Responders, as well as federal, state and municipal government agencies in the acknowledgment of their outstanding efforts to Keep our Nation Secure.

Final Nominations are being accepted for the 2022 ‘ASTORS’ Homeland Security Awards at https://americansecuritytoday.com/ast-awards/.

Comprehensive List of Categories Include:

Access Control/ Identification	Personal/Protective Equipment	Law Enforcement Counter Terrorism
Perimeter Barrier/ Deterrent System	Interagency Interdiction Operation	Cloud Computing/Storage Solution
Facial/IRIS Recognition	Body Worn Video Product	Cyber Security
Video Surveillance/VMS	Mobile Technology	Anti-Malware
Audio Analytics	Disaster Preparedness	ID Management
Thermal/Infrared Camera	Mass Notification System	Fire & Safety
Metal/Weapon Detection	Rescue Operations	Critical Infrastructure
License Plate Recognition	Detection Products	COVID Innovations
Workforce Management	Government Security Programs	And Many Others to Choose From!

Don’t see a Direct Hit for your Product, Agency or Organization?

Submit your category recommendation for consideration to Michael Madsen, AST Publisher, at: mmadsen@americansecuritytoday.com.

Homeland Security remains at the forefront of our national conversation as we experience an immigration crisis along our southern border, and crime rates that are dramatically higher than before the Pandemic across the United States.

These challenges have become a national priority with an influx of investments in innovative new technologies and systems.

The pinnacle of the Annual ‘ASTORS’ Awards Program is the Annual ‘ASTORS’ Awards Presentation Luncheon, an exclusive, affordable, gourmet, full-course plated meal event, in the heart of New York City, held at the International Security Conference & Exposition (ISC East) since it’s inception in 2017.

And who better to address the aforementioned challenges, and initiatives to meet today’s threat landscape than Deputy Executive Assistant Commissioner (DEAC) Diane J. Sabatino of the Office of Field Operations, U.S. Customs and Border Protection (CBP), the opening keynote speaker at the much-anticipated 2022 ‘ASTORS’ Awards Presentation Luncheon, on Wednesday, November 16th, 2022.

As the DEAC of the Office of Field Operations, U.S. Customs and Border Protection (CBP), Mrs. Sabatino leads more than 31,000 employees and oversees an annual operating budget of $6.5 billion.

Register for the 2022 ‘ASTORS’ Luncheon Today

(Hear a recent interview with Deputy Executive Assistant Commissioner (DEAC) Diane J. Sabatino held at Identity Week Europe on leveraging biometric comparison technology in U.S. air, maritime, and land border environments for the security of passengers, enhancing the customer experience and limiting the transmission of biological pathogens while respecting personal privacies and educating the public as the CBP further expands the implementation of biometrics to keep up with threats to the aviation and other border sectors. These new technological tools are there to automate administrative functions so that the most valuable component of the process, the officers, are able to focus on critical issues as they arise. Courtesy of evie kim sing and YouTube. Posted on Jul 13, 2022.)

Enter, American Security Today, the #1 publication and media platform in the Government Security and Homeland Security fields with a circulation of over 75,000 readers and many tens of thousands more visiting our AST Website at www.americansecuritytoday.com each month.

The continually evolving ‘ASTORS’ Awards Program will emphasize the trail of Accomplished Women in Leadership in 2022, as well as the Significance and Positive Impact of Advancing Diversity and Inclusion in our Next Generation of Government and Industry Leaders. #MentorshipMatters

So be on the lookout for Special Guests, Presenters, Book Opportunities, and Attendees at the 2022 ‘ASTORS’ Awards Presentation Luncheon in November of 2022 in NYC!