More Data Does Not Equate to Better Security

The reason you often hear people say "quality over quantity" is because, generally, it’s true. An organization could own every security tool known to mankind, each kicking out truckloads of data, but this does not necessarily mean that the organization is well protected against security threats and attacks.

Cybersecurity Analysts - Give Credit Where Credit is Due

Some cybersecurity analysts amaze me. In fact, in broader terms, experts amaze me. When you see an expert in action they frequently make very difficult things seem so simple. Their experience has honed their skills to the point they can understand very confusing scenarios. In particular, cybersecurity experts can intuitively recognize suspicious actions and network conditions that mere mortals can’t. 

They are so impressive because they have learned in great detail the ins and outs of their enterprise’s network, the enterprise business, and the people of the enterprise. Somehow, they are able to recognize suspicious and malicious things seemingly instinctually. 

Bad Guys Don't Do Normal Things - Part 2

Any cybersecurity analyst will tell you that there is a huge need to reduce the number of false positive alerts they receive every day. In the first part of this blog series we described an Incident Response (IR) team that, instead of focusing on true threats, was all too often running down “suspect ping” alerts caused by harmless software updates.

We discussed using ontologies to model alert data in graph form. By putting the original alert data into graph form and using a description logic reasoner, Dark Light™ is able to apply expert knowledge to make inferences. In the case of the “suspect ping” problem, we use knowledge about related processes to reason whether the alerts should be ignored or classified as truly “suspect”.

Bad Guys Don’t Do Normal Things - Part 1

A cybersecurity analyst recently said to me, "Bad guys don't do normal things." He was explaining his thought process behind a particular automated alert. Specifically, he was describing a Splunk alert that notified his team whenever a ‘suspect ping’ process was detected on one of the more than 20,000 devices within their enterprise. This particular alert detected whenever any Windows host executed the ‘ping.exe’ process with a ‘-n’ argument. 

For example: ping 1.1.1.1 -n 1 -w 1000

The peculiar invocation above is not likely to be used by an IT person doing normal network troubleshooting. This non-default command, to send a single ping, might be indicative of malware or an intruder probing the network. This abnormal execution is what makes the ping interesting to a cyber network defender. At the mentioned organization, simply running the above command would be enough to launch a brief investigation by the Incident Response (IR) team.

High-Impact Strategies to Automating SecOps

Cyber Security Automation: Where to Start

The short and quick answer is: you start with the most impactful tasks. These are the tasks that will bring the highest value and return on your investment in the shortest period of time.

When automating Security Operations Center (SOC) tasks in an effort to deal with high volumes of appliance events and alerts, you'll likely find that analysts have already tightened the criteria on what triggers an alert to be sent to them. This action provides the analyst with only the highest priority alerts.

Your Top Cybersecurity Analyst Just Quit.  Now what?

I've had the pleasure of working alongside some really smart and talented cybersecurity analysts. In this environment, where there is a severe shortage of such people, they are frequently getting calls from headhunters who would like to recruit them into a much better paid position. I've seen more than one finally succumb to the "greener grass" on the other side of the fence.

Companies are experiencing this "brain drain" right now, and there is a lot more to come. They're losing knowledge and experience that takes years for a really good analyst to acquire. Sadly, it is the kind of knowledge and experience that can only be learned within the enterprise they protect. Knowledge in three key areas is required to be one of the best: 1) network security, 2) threat intelligence, and 3) perhaps the most important, contextual knowledge of the enterprise itself.

Representing and Applying the Wisdom of Cyber Analysts

In the previous blog post I let it be known that the cybersecurity analyst is the fundamental answer to many of the current problems of today. These analysts have been fighting the good fight. They’ve won some battles and lost some battles. They carry their experiences forward to apply to the next round. My point is that their experience and knowledge is incredibly valuable.

Here is a problem for us to consider: the number of cyber-criminals is increasing, and the number of cyber analysts isn’t keeping up, so there is a huge shortfall in our protection from criminals and terrorists. How are we to balance this equation? Educational institutions are scrambling to meet the challenge. Government is sponsoring programs such as Cybercorps to help by providing stipends and tuition to potential cybersecurity analysts. But it is a technical and challenging subject matter, and it takes time to learn.

The answer is that we have to apply more cybersecurity wisdom than the bad guys can apply cyber-malice. Given that the growth in the number of security good guys is outpaced by the number of bad guys we have to automate the actions of the good guys. How do you automate wisdom?
