Ask any security operations analyst about their biggest frustrations, and alert fatigue will be among them. They constantly struggle to identify the serious threat indicators while ignoring the false positives. Scientists and engineers have a name for this balance between useful and irrelevant data. It's called the signal-to-noise ratio.
The signal is the important data, while the noise is everything else: the background noise that gets in the way. When the signal-to-noise ratio is too low, the noise drowns out what's important. Experts from radio operators to genome scientists grapple with these issues in some form.
Improving the signal-to-noise ratio is also a problem for modern IR teams who face information overload. They are swamped with rising levels of network event data. They have trouble sifting through it all to find the real threats. Sometimes they fail, with potentially disastrous consequences.
Too Much Data, Too Few Resources
The problem facing SOCs is twofold. The first issue is data volume. There's a lot of it. Modern networks are information firehoses, churning out rivers of data. Every year, better network telemetry increases that volume. The result is a surplus of alerts, which we can call 'candidate signals'. These are interesting data points that might warrant further investigation.
This is compounded by the second problem: resource scarcity. SOCs continually struggle to find enough talent to cope with the influx of data from increasingly complex infrastructures. Without those analysis skills, many find themselves overburdened and unable to get the intelligence they need from the data that's coming in.
The natural reaction to not having enough of a signal is to add more data. For many SOCs, this means buying more tools and telemetry, typically in the form of endpoint detection and response (EDR) or endpoint protection platform (EPP) products.
This is the wrong approach. Many SOCs' incident response platforms are already disjointed, comprising tools from different vendors, accumulated over time, that don't play well together. This makes it difficult to get an end-to-end view of the incident response process, and in most cases also stops operators handing off interesting telemetry investigations to each other.
Adding to these platforms might create more relevant signals, but it won't help SOCs to spot them. It will do the opposite, creating more noise that drowns those signals out. Any attempt to fix the SOC by generating more data amplifies the underlying problem.
If the signal-to-noise ratio remains low, then the growth in network telemetry becomes a greater source of risk. Poor candidate signal filtering leaves operators unsure where to begin and blinds them to real, time-critical attacks. The results can be catastrophic.
The Answer to Alert Fatigue
SOCs can't dig themselves out of this hole by generating more data. Instead, they must address the underlying problem. They must find better ways to spot the right signals in the data they already have. To do that, they must raise the signal-to-noise ratio.
In practice, this means reducing the number of candidate signals. SOCs must present analysts with fewer alerts so that they can focus their attention on what really matters.
The key to increasing the signal-to-noise ratio is a tightly integrated end-to-end tool chain. This is a set of tools that work together seamlessly with little overlap, all able to exchange data with each other smoothly throughout the entire cycle of detection, containment, mitigation, cleanup, and post-incident analysis.
Retain Your Data Locally. Correlate With Other Data Sources. Automate SOAR Workflows.
This approach helps in several ways. First, it reduces the noise from different tools that would otherwise overlap with each other. This eliminates the duplicate signals that can distract busy operators.
It also combines events and alerts into incidents, which are larger, more visible data elements that are easier to track. This gives analysts a top-down view of candidate signals without having to trawl through low-level events and correlate them manually.
Finally, it enables SOCs to better automate the detection, analysis, and reporting of incidents. This automation is a key part of the event correlation process.
A well-formed tool chain detects candidate signals early, developing them through several stages of analysis. This allows the SOC to either confirm and escalate candidate signals or dismiss them quickly if they are found to be benign. This helps to automatically mitigate many incidents without having to alert human operators, leaving them to focus on those alerts that need their attention.
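To make the stages above concrete, here is a small Python pipeline written as an added example for this article. It is not SentinelOne code and not any product's real correlation engine; it runs four stages over a handful of constructed alerts: collapse the same finding reported by two tools into one candidate signal, dismiss indicators the SOC has already approved, correlate what remains per host into time-bounded incidents, then score each incident to decide whether a human needs to see it. The tool names, field names, windows, allowlist and threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry). Two hypothetical tools, "edr" and
# "epp", report on the same hosts; the field names are assumptions for this example.
RAW_ALERTS = [
    {"tool": "edr", "host": "ws-101", "ts": "2024-05-01T10:00:05", "sev": 3,
     "category": "execution", "indicator": "hash:deadbeef"},
    {"tool": "epp", "host": "ws-101", "ts": "2024-05-01T10:00:20", "sev": 3,
     "category": "execution", "indicator": "hash:deadbeef"},      # same finding, second tool
    {"tool": "edr", "host": "ws-101", "ts": "2024-05-01T10:03:00", "sev": 2,
     "category": "c2", "indicator": "dns:updates.example.test"},
    {"tool": "epp", "host": "ws-202", "ts": "2024-05-01T10:10:00", "sev": 1,
     "category": "execution", "indicator": "hash:1111cafe"},      # approved admin tool
    {"tool": "edr", "host": "ws-303", "ts": "2024-05-01T10:30:00", "sev": 2,
     "category": "lateral", "indicator": "proc:psexec.exe"},
    {"tool": "edr", "host": "ws-101", "ts": "2024-05-01T11:30:00", "sev": 1,
     "category": "discovery", "indicator": "proc:whoami.exe"},     # well outside the window
]

ALLOWLIST = {"hash:1111cafe"}            # indicators the SOC has already reviewed (assumed)
DEDUPE_WINDOW = timedelta(minutes=5)     # overlap between tools reporting the same finding
INCIDENT_WINDOW = timedelta(minutes=15)  # gap after which activity on a host is a new incident
ESCALATE_SCORE = 5                       # assumed threshold for waking a human


def _ts(alert):
    return datetime.fromisoformat(alert["ts"])


def dedupe(alerts):
    """Stage 1: collapse the same (host, indicator) reported by several tools within
    DEDUPE_WINDOW into one candidate signal that records every source."""
    signals = []
    for a in sorted(alerts, key=_ts):
        for s in signals:
            if (s["host"], s["indicator"]) == (a["host"], a["indicator"]) \
                    and _ts(a) - s["last"] <= DEDUPE_WINDOW:
                s["sources"].add(a["tool"])
                s["sev"] = max(s["sev"], a["sev"])
                s["last"] = _ts(a)
                break
        else:
            signals.append({**a, "first": _ts(a), "last": _ts(a), "sources": {a["tool"]}})
    return signals


def suppress_benign(signals):
    """Stage 2: dismiss signals the SOC has already judged benign; return (kept, dismissed)."""
    kept = [s for s in signals if s["indicator"] not in ALLOWLIST]
    dismissed = [s for s in signals if s["indicator"] in ALLOWLIST]
    return kept, dismissed


def correlate(signals):
    """Stage 3: group remaining signals per host into incidents; a gap longer than
    INCIDENT_WINDOW between consecutive signals starts a new incident."""
    by_host = defaultdict(list)
    for s in sorted(signals, key=lambda s: s["first"]):
        by_host[s["host"]].append(s)
    incidents = []
    for host, sigs in by_host.items():
        current = None
        for s in sigs:
            if current is None or s["first"] - current["end"] > INCIDENT_WINDOW:
                current = {"host": host, "start": s["first"], "end": s["last"], "signals": []}
                incidents.append(current)
            current["signals"].append(s)
            current["end"] = max(current["end"], s["last"])
    return incidents


def disposition(incident):
    """Stage 4: score an incident and decide whether a human needs to see it. Distinct
    behaviour categories on one host (execution followed by C2) weigh more than repeated
    alerts of the same kind. "auto_handle" stands for an automated playbook, not a
    specific product action."""
    sigs = incident["signals"]
    categories = {s["category"] for s in sigs}
    incident["score"] = sum(s["sev"] for s in sigs) + (len(categories) - 1)
    incident["disposition"] = "escalate" if incident["score"] >= ESCALATE_SCORE else "auto_handle"
    return incident["disposition"]


def triage(alerts):
    """Run all four stages and return a summary; only escalated incidents reach an analyst."""
    signals = dedupe(alerts)
    kept, dismissed = suppress_benign(signals)
    incidents = correlate(kept)
    for inc in incidents:
        disposition(inc)
    return {"raw": len(alerts), "signals": len(signals),
            "dismissed": len(dismissed), "incidents": incidents}


if __name__ == "__main__":
    result = triage(RAW_ALERTS)
    print(f"{result['raw']} raw alerts -> {result['signals']} signals, "
          f"{result['dismissed']} dismissed, {len(result['incidents'])} incidents")
    for inc in result["incidents"]:
        print(inc["host"], inc["start"].time(), inc["disposition"], inc["score"],
              sorted({t for s in inc["signals"] for t in s["sources"]}))
```

On this input, six raw alerts become five candidate signals, one is dismissed, and the rest fold into three incidents, of which only one (execution followed by outbound C2 on the same host, seen by both tools) is escalated. The point is the shape of the pipeline, not the particular weights: each stage removes noise before the next, so the analyst's queue is already correlated and contextualized by the time it reaches them.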
Easing the SOC’s Burden With Contextualized Data
SOCs that invest in tool chain integration will enjoy a smaller, refined set of alerts that come with the appropriate, contextualized data, ready for human operators to deal with efficiently.
This higher signal-to-noise ratio will show up on analyst screens, reducing their cognitive load. It will mean fewer investigations and reduced investigation times. This will lead to better outcomes for SOCs in the form of shorter containment times and an overall reduction in response times. Ideally, this will prevent attackers from getting close to your infrastructure, but in the event of a successful compromise, it can also reduce attacker dwell time, mitigating the effect of the attack.
When it comes to handling fast-moving cybersecurity incidents, the sharper focus that comes from a less cluttered data environment can be the difference between containing an incident before it does any damage, and making the next week's headlines for all the wrong reasons.
The Time For Change Is Now
This optimisation process should begin as early as possible in the incident response process. The longer that the SOC allows less relevant candidate signals to linger, the more they will proliferate and the more difficult it will be to discern what's important. Triaging candidate signals as soon as possible frees up analysts to apply their skills to the signals that matter. In an industry where talent is hard to come by, it's imperative to keep those analysts as productive as possible.
With that in mind, now is the time to support these goals by revising your process chain to look for improvement opportunities. Take a breath and step back to examine your overall tool set and your team structure. At some point, you might find that generating more telemetry yields results, but only if you have the capabilities to weed out the noise quickly. In the meantime, less is more.
If you'd like to learn more about how the SentinelOne Singularity platform can help your organization achieve these goals, contact us for more information or request a free demo.