True Positives. It’s a topic of great interest to me. Security operations teams can spend a lot of time separating out the events that are truly non-malicious. There is an easier way. But before we go further, let’s align and calibrate on the terminology of true/false positives/negatives. Some of these terms have varying levels of agreement. It reminds me of VLAN: you can have 5 people in the room and there will be 6 different definitions for it. To make sure we are on the same page, let's start with basic definitions accompanied by real-life examples.
Password leaks from public breaches help us learn how people think, allow us to identify patterns and build dictionaries of passwords. As password cracking methods evolve, uppercase, lowercase, special character and digit (ULSD) recommendations and password complexity rules mean less.
Big Data is a revolution that in my opinion is equivalent to other epiphany moments such as when humanity (i.e. Galileo) identified that the sun isn’t moving. It's our planet that moves around it. Science and discovery have changed the way people perceive the world.
Think about this statement: “Half of the people you know are below average.” In simple terms, it means that statistically most of the people you know are considered to have average intelligence, or just below or above the line. Does this mean they are dangerous? Does it mean you should reconsider your friendship? Let’s not jump to conclusions just yet.
Noise. Noise. Noise. Our world is noisy. It's all over the place. Visual noise, physical noise. And then there is the noise that bothers analysts in the security industry. I am referring to the security signal-to-noise ratio that keeps growing because of evolving techniques, various data sources and the unknown threats that we all want to catch (or are afraid to miss?). In fact, the elephant has left the room and is now visible to all.
When thinking about some traditional User and Entity Behavior Analytics (UEBA) solutions today, I can’t help but think about a Rube Goldberg machine, an over-engineered machine that performs a seemingly simple task.
One of my favorites is “The Page Turner”. And I’ll admit it, I like playing with these useless contraptions, and even building them. By the high view count on that video it seems I’m not alone in enjoying them. But this does make me wonder what this says about us. Why do we build overly complicated systems to effectively (in a way) complete tasks so inefficiently?
Enterprises almost always have users, accounts or processes that run critical business operations to enable smooth operations and ensure productivity. Often, there is a lot of emphasis placed on security, availability and integrity. Regardless of the checks and balances, systems are not infallible. Sometimes this is because the operations are perceived as secure and trusted, and sometimes it’s based on planned, calculated risk management.
Every child who grew up playing Dungeons and Dragons learned about the mythic creature Kerberos (also known as Cerberus in Ancient Greek mythology), the three-headed dog who guards the gates of Hades. Its role is to prevent the dead souls from returning to the world of the living.
I believe detection and prevention are the most chewed-over words in the security market. In the last 20 years, I have seen the term virus evolve to worm and trojan horse. Then it left the living-creature world and moved to the “Bond” world by becoming spyware, malware, ransomware and even getting recognized by names, such as Zeus, Cryptolocker and more.
And yet the basic terms of detection and prevention have remained steady, no matter the triggers, no matter the technology or the company. Sometimes you’ll hear detection and prevention used together and sometimes separately, depending on the solution’s capabilities. What changes lies underneath these terms, as the threats to organizations continue to proliferate.
It's often that I meet customers who are quite surprised when they deploy a new security solution and see the results of what is actually happening in their network. They are astonished by what they see with the deep visibility some security products bring. To be honest, it's not only that they do not understand what is actually going on in their network; it is worse, they are sometimes clueless. Let me reveal an unspoken secret.