May 07, 2014

How Noisy is Your Incident
Detection System?

In today’s Whiteboard Wednesday, Lital Asher-Dotan, Senior Product Marketing Manager for UserInsight, will discuss Incident Detection Systems (IDS), and how the overwhelming amount of alerts tend to hide real risk in your environment.

It is a common complaint from most SIEM and IDS/IPS users that their incident detection systems are too noisy. A great example of this is with the latest, Neiman Marcus breach. Neiman Marcus reported that they received 60,000 alerts from their incident detection system over the 8 months that they were being breached. The problem is that the 60,000 alerts only accounted for 1% of their total alerts during those eight months.

Clearly the problem is not a lack of data, it’s a lack of insight. The proper insight is what can distinguish false positives from real attacks. Actionable insight is knowing the attacker mindset and setting rules that will trigger these malicious activities.

Watch this week’s Whiteboard Wednesday to learn more about this topic and download a trial of UserInsight to help simplify the discovery of user behavior, detect attacks targeted at users, and simplify incident detection.

Read Video Transcript

Hello and thank you for joining this session of Whiteboard Wednesday. My name is Lital Asher-Doten and I’m product marketing manager here at Rapid7. Today our topic is ‘How Noisy Is Your Detection System?’

We find out by working with a lot of security teams that they’re bombarded with tens and thousands of alerts from their different detection systems every day; your IDS system, your firewall, your SIM is firing to you thousands and tens of thousands of alerts. It’s very hard to find which one is false and which one is really indicative of compromising your network.

Take for example the Neiman Marcus case, the breach that happened not a long time ago and we just found out more information about this attack. Apparently Neiman Marcus was breached for about eight months while only four months was actually where the credit cards were stolen. But for eight months, they have got alerts in the system about the malware being installed and deleted at the end of every day for eight months.

They got 60,000 alerts during this period of time about this behavior that is going on, but guess what? This 60,000 alerts across this eight months is only 1% of the total alerts that they got during that time. This is incredibly noisy and they didn’t have the ability to detect this 1% that is really meaningful and differentiate it from the rest 99% that obviously were just noise.

Well, we believe that security teams have a lot of data today, but the main problem that Neiman Marcus was facing as well as all other teams is that it’s hard to get insight. Attacks are very sophisticated, the way attack is getting to the system and pivot with the system is sophisticated, they harvest credentials and they use users in order to masquerade themselves and go longer undetected. And you must have a good detection system that will not bombard you on one hand; with a lot of data, but the other hand, will really recognize those attempts to attack you.

At Rapid7, we believe the two ways to make sure your detection system really works well for you; one thing is that you must build the right rules. If you have a SIM, unfortunately the rules that you have, the quality is as good as the person writing them. We believe that you must have expertise in how attackers attack the network, how they get into the network, how they pivot into the network, what kind of ways they escalate the privileges, how they get into critical asset.

So with this understanding of the attacker playbook, you can build a real good detection system while disregarding all the rest that is noisy. At the same time, it’s really important for you to know your business environment and to know what really matters for you and what is really noisy for you. To give you an example, one of our customers, we recommend to detect if a disabled account start authenticating to the network as this is a common way that an attacker would stay undetected for a longer time; by re-enabling disabled accounts.

However, in that specific case, this customer had 1000 employees coming back from Holy Day on September the 1st and being re-enabled that day. Obviously, there was a need to turn it off before it bombard security with too much noise. So you will need to know what is your environment, in order to make sense and make sure your environment is not too noisy, because too noisy is not just annoying, too noisy is a security problem that means your security teams are not staying focused. They are wasting time and wasting effort and just missing this needle in a haystack that is the real attack. Thank you for joining me, hope to see you next week.

Free UserInsight Trial

Understand user behavior, detect attacks against users, fast incident detection

Get Started