Noise – The Enemy of Security
Addressing the Signal-to-Noise Ratio to Find Network Attackers
One of the greatest detriments to security, and a major contributor to the inability to find attackers on a given network, is not the strength of a firewall or the sophistication of its policies. Perhaps the greatest detractor is noise. Signs of an active attacker may very well be caught by a legacy SIEM or IDS/IPS, but they are likely buried under thousands of false-positive security alerts. The “signal” or “signals” of an attacker are overcome by the noise.
Noise not only drowns out a true-positive alert, but it seriously degrades the capabilities of a security team. It erodes the efficiency of security professionals, and it causes apathy and, in some cases, mistakes. If nearly all of your time is spent on wild goose chases, your expectation is that most or all of your effort is wasted. That expectation causes carelessness in even the most thorough security professional.
If you are lucky enough to find a meaningful security event or malware at work inside the network, chances are that you won’t see the other events that could enable you to accurately pinpoint an active attack. The odds are too overwhelming.
Fortunately, there is a better way. You can flip the odds on the noise using behavioral attack detection, so that network and endpoint activity is judged against profiles of known good behavior. Rather than alerting on every bit of noise, only malicious anomalies get flagged, each backed by substantial contextual data. This way you can find the attacker among the trees with speed and certainty, and easily follow the attacker as they try to stealthily navigate through the forest (your network).
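The idea of judging activity against a profile of known good behavior, rather than alerting on each event, can be shown in a few dozen lines. The following is an added illustration written for this page; it is not LightCyber's code, and the Magna product's actual profiling is far richer than this. It learns a per-host profile (ports used, destinations contacted, peak daily fan-out) from a constructed baseline log, then scores a later day of traffic and emits one finding per host and day, each carrying the baseline context a responder would need. Host names, ports and the `2x` fan-out threshold are all assumptions of the example.

```python
"""Toy behavioral baseline: learn each host's normal network profile, then
flag only deviations from it, aggregated per host and day with context."""
from collections import defaultdict

# Constructed sample connection log (not from the original post).
# Fields: day src_host dst_host dst_port bytes_out
BASELINE_LOG = """\
d1 ws-17 fileserver 445 120000
d1 ws-17 mail 993 8000
d1 ws-17 proxy 8080 50000
d2 ws-17 fileserver 445 110000
d2 ws-17 proxy 8080 42000
d2 ws-17 mail 993 9000
d3 ws-17 fileserver 445 130000
d3 ws-17 proxy 8080 47000
d1 ws-22 proxy 8080 30000
d2 ws-22 proxy 8080 31000
d3 ws-22 proxy 8080 29000
"""

# Constructed "new day" of traffic to score against the learned profiles.
NEW_LOG = """\
d4 ws-17 fileserver 445 125000
d4 ws-17 proxy 8080 46000
d4 ws-17 ws-01 445 2000
d4 ws-17 ws-02 445 2000
d4 ws-17 ws-03 445 2000
d4 ws-17 ws-04 445 2000
d4 ws-17 ws-05 445 2000
d4 ws-17 ws-06 445 2000
d4 ws-22 proxy 8080 28000
d4 ws-22 ext-host 22 500
"""


def parse(log):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in log.strip().splitlines():
        day, src, dst, port, nbytes = line.split()
        events.append({"day": day, "src": src, "dst": dst,
                       "port": int(port), "bytes": int(nbytes)})
    return events


def build_profiles(events):
    """Learn 'known good' per source host: ports, destinations, peak fan-out."""
    ports = defaultdict(set)
    dests = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(set))  # src -> day -> {dst}
    for e in events:
        ports[e["src"]].add(e["port"])
        dests[e["src"]].add(e["dst"])
        per_day[e["src"]][e["day"]].add(e["dst"])
    return {
        src: {
            "ports": ports[src],
            "destinations": dests[src],
            "max_daily_fanout": max(len(d) for d in per_day[src].values()),
            "days_observed": len(per_day[src]),
        }
        for src in ports
    }


def detect(events, profiles, fanout_factor=2.0):
    """Score events per (host, day); emit one contextual finding per deviation."""
    findings = []
    grouped = defaultdict(list)
    for e in events:
        grouped[(e["src"], e["day"])].append(e)
    for (src, day), evs in sorted(grouped.items()):
        prof = profiles.get(src)
        if prof is None:  # a host with no baseline at all is itself notable
            findings.append({"host": src, "day": day, "type": "unknown_host",
                             "context": {"events": len(evs)}})
            continue
        new_ports = sorted({e["port"] for e in evs} - prof["ports"])
        if new_ports:
            findings.append({"host": src, "day": day, "type": "new_port",
                             "context": {"new_ports": new_ports,
                                         "baseline_ports": sorted(prof["ports"]),
                                         "days_observed": prof["days_observed"]}})
        dsts = {e["dst"] for e in evs}
        if len(dsts) > fanout_factor * prof["max_daily_fanout"]:
            findings.append({"host": src, "day": day, "type": "fanout",
                             "context": {"distinct_destinations": len(dsts),
                                         "baseline_max_daily_fanout": prof["max_daily_fanout"],
                                         "new_destinations": sorted(dsts - prof["destinations"])}})
    return findings


def run_demo():
    """Learn from BASELINE_LOG, score NEW_LOG, return the findings."""
    profiles = build_profiles(parse(BASELINE_LOG))
    return detect(parse(NEW_LOG), profiles)


if __name__ == "__main__":
    for f in run_demo():
        print(f["host"], f["day"], f["type"], f["context"])
```

Ten raw events on the new day collapse to two findings: one for the workstation that suddenly reaches six never-before-seen hosts (with the baseline peak and the list of new destinations attached), and one for the workstation using a port outside its profile. The per-host aggregation is the point: a per-event rule would have produced seven separate alerts for the same two situations, which is exactly the noise the text describes.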
Take a look at our new infographic to see some examples of how this works. See how we tracked each step of targeted attackers on a health care network in exactly this way. SANS recently evaluated this new approach by assessing the LightCyber Magna product. Drop us a line if you would like to know more.