Why Cyber Threat Detection and Response Is So Hard
Breakthrough innovation arises primarily in response to two conditions. One, when new technology emerges that creates new demand by fulfilling needs customers didn’t know they had. Think smartphones. A generation ago, people didn’t know they needed to be tethered to a phone the size of their palm that was also a camera, a bank, an encyclopedia and a shopping mall. Two, when new challenges arise that require innovation to address them. Think electric cars and other forms of renewable energy to combat climate change.
In cybersecurity, until the advent of artificial intelligence (AI) and machine learning (ML), innovation has been incremental. But just as AI is disrupting other industries, it has changed all that. Bad actors are using AI and ML to mount ever more sophisticated attacks that exploit a growing attack surface. So too must organizations adopt automated, data-driven cyber defenses that detect and mitigate threats before they can cause damage. Here’s a look at today’s cyber challenges and how to overcome them.
More cyber alerts mean more false positives
Cyber threat detection and response is now more critical than ever. The financial consequences of a breach are growing, and the longer you take to discover or detect a breach, the more costly it will be. The average cost of a breach in the U.S. in 2022 was $9 million – 4% higher than in 2021. For good reason, cybersecurity is now a C-suite and board-level concern.
Security operations centers (SOCs) are on the front lines. And they’re being flooded with more alerts to sift through than ever:
- Expanding attack surface. The attack surface has grown significantly over the past few years. We’re not just talking about traditional IT or campus environments anymore. There are OT, IoT and IoMT devices – all with vulnerabilities that can be exploited. There are all the people logging in and working from anywhere. There’s the cloud. There are countless SaaS applications that we now rely upon. And there’s the increasingly connected global supply chain.
- Data, data everywhere. The modernization of applications has resulted in a massive increase in the volume and speed of data being generated. Cloud, containers, serverless applications… all this ephemeral computing power generates mountains of data that can provide signals of an attack and important context for an investigation. Much of it may be noise, but for security reasons it all needs to be considered and managed.
- Increasing threats. The threat landscape has evolved significantly in recent years, and it continues to change. Threat actors have become more sophisticated in their capabilities and weaponry. They’re able to launch complex, automated, multi-stage attacks quickly and precisely. And they can scale rapidly.
- Tool complexity. SOC teams must confront this landscape with a set of complex tools that lack integration or automation. Essential SOC tools include a security information and event management (SIEM) system; security orchestration, automation and response (SOAR) system; and user and entity behavior analytics (UEBA); as well as security analytics and a threat intelligence platform. To stitch together an investigation, analysts must toggle from one application to another, losing context and wasting precious time along the way.
Why alert fatigue is today’s SOC reality
Based on a study of more than 300 SOCs, the average SecOps team must deal with about 450 alerts per hour, or 11,000 alerts per day (“The 2020 State of Security Operations,” Forrester Consulting). Couple that with staff and tool constraints, and the upshot is that over a quarter of alerts are simply never addressed.
As many as half of these alerts may be false positives, so maybe it’s not so bad that they aren’t addressed. But how do you know which ones can be ignored? You don’t. That’s a real problem, because enterprises are spending fighting false positives rather than legitimate attacks.
Now consider that often the security budget is shared between reactive activities (incident response) and proactive activities (threat hunting, risk exposure and management). If you’re spending all that time reacting to unvalidated alerts, how does that impact the time and budget available for proactive measures and things like governance, risk, compliance?
Why existing threat detection and response approaches fall short
There are four basic approaches to threat detection and response.
First, you can operate your own SOC in-house with a tech stack centered on a traditional SIEM. But many SIEMs were primarily designed for log storage and search; only later were threat engines bolted on. Sometimes they come empty, so you must source rules yourself. That requires building a team with specialized expertise in rule building and tuning as well as log onboarding. Even then, SIEMS can be very noisy with their single-stage learning model that generates too many low-fidelity alerts.
Second, you might take that inhouse SOC and try to build a custom data lake. Yes, that gives you a greater sense of control and ownership as you can customize it to your specific requirements. But a data lake by itself doesn’t do anything. That requires even more specialized expertise. It’s going to be labor intensive and time consuming, not to mention expensive. To extract value, you still need a threat detection engine and rules to actually detect threats.
Third, you could outsource threat monitoring and detection to a managed security services provider (MSSP) that manages your SIEM and sends you alerts when a response is required. That helps you overcome the skills shortage problem, but you may be locked into a fixed, expensive contract. If the MSSP is relying on your traditional SIEM without using a modern extended detection and response (XDR), they’re just going to push the same low-fidelity alerts over to you. Or they may operate as a black box, providing you with very limited visibility into their threat detection or investigation process.
Lastly, you might try using a traditional XDR alongside your SIEM. Having a unified console should improve efficiency, but traditional XDRs typically evolved from endpoint detection and response (EDR) solutions. These vendors often require you to use their tech stack of endpoint, network and cloud security products instead of leveraging your existing investments. They may also offer limited support for third-party data sources to cover OT/ICS, IoMT and other cyber asset types, as well as custom rule creation. Moreover, if you’re charged for log storage you’ll experience highly variable and unpredictable billing – but can certainly expect higher charges when you add more data sources to detect more threats.
Ultimately, none of these options fully addresses the modern threat detection and response challenge.
New challenges require breakthrough innovation
Forescout has addressed the limitations of traditional XDRs with the launch of Forescout XDR, which converts telemetry and logs into high-fidelity, SOC-actionable probable threats. The SaaS solution automates the detection, investigation, hunt for and response to advanced threats across all connected assets – IT, OT, IoT and IoMT – from campus to cloud to data center to edge. It combines essential SOC technologies and functions into a unified, cloud-native platform, viewable and actionable from a single console.
Forescout XDR normalizes and enriches ingested data from more than 180 vendor data sources, including the solutions you already use. Next, our two-stage threat detection engine uses more than 1,500 verified rules and a blend of five techniques – cyber intel, signatures and TTPs, UEBA, statistics and outliers, and context-aware AI/ML – to weed out false positives and generate high-fidelity, high-confidence threats that warrant human investigation. Put another way, it generates one detection an hour from every 50 million logs. That’s data-driven cyber defense – breakthrough innovation – in action.
Improve your SOC efficiency with better detection and response of true threats.