Humans like to solve problems that are readily known or are easy, and ignore ones that take some digging or are difficult. We are lazy animals, but that is a good thing. System Administrators create scripts to eliminate repetitive tasks. This is good. We should work smarter not harder. The issue is when we disregard tasks, or threats because they take time and research. We in Information Security often fix the “known knowns” and hope that we aren’t impacted by the “unknown unknowns (UUs)”. We need to start bringing our unknown threats into the light of day, or a nice dashboard, so that we can act on them and protect our environments from them.
When we think of securing our information and our networks, we often start with our knowns. We know we need to defend our digital borders so we install firewalls. We know we need to protect our endpoints so we install anti-malware software. We may even know that we need to protect our data and we deploy a Data Loss Prevention solution, but I rarely see folks do this intentionally, and if they even have a solution it isn’t tuned and is a check box on some compliance form more than anything else. Admittedly that last one kills me because there are a number of solutions you can get that would have stopped any number of the breaches we have read about, and some we haven’t even heard about yet, but we don’t put the energy or budget into solving this one.
As we move to the more mature security environments you will find vulnerability scanning, looking for those known vulnerabilities, though an incredible 26% of companies said they didn’t have time to patch. Then you may introduce a Network Access Control solution, possibly from your network equipment vendor or one of the few remaining stand alone solutions, but again, I don’t see organizations actually utilizing the investments they have made in NAC. The list of solutions keeps growing as your organization matures, but often times the investment in tools does not mean that they are being deployed or tuned, and that your staff is being trained on them.
With more tools, comes more alerts, and with more alerts comes alert fatigue. I have walked into many a SOC (Security Operations Center) and found alerts all over the screens and analysts just sitting at their desks ignoring them. Like the boy who cries wolf, the alerts had trained the analysts to ignore them. The scary thing is any of those alerts could have been critical and truly important, but because of all the noise it would have been ignored with all of the others.
This is where have a good solution to monitor all of your tools, endpoints, logs and network data is necessary. If done right it will lower your alerts, so that your analysts can spend time on the most critical events, and it will also give you visibility into your environment so you can find those UUs. I have mentioned the NCTOC Top 5 SOC Principles before, and want to point out that number 2 on that list is visibility. We must build visibility into our environments, not just for the UU’s, but to alleviate alert fatigue and give your team their best chance at stopping a breach or other organization impacting event.