War Stories, Part 3: Foul Play or False Alarm?
One of the hardest parts about threat detection and response is being able to tell mountains from molehills. To be fair, we can hardly blame the pessimists. Year-over-year, the success rates of cyberattacks have continually increased, reaching a peak at the end of 2016.
Nevertheless, knowing when to call in the cavalry and when to stand down is half the battle of incident response. And it’s one that many organizations struggle with, especially when there is so much noise on modern networks that can easily be mistaken for a legitimate threat.
That’s why today’s war story from the trenches is dedicated to false alarms.
Things are not always what they seem
In a recent webinar, Sam McLane, head of security engineering at Arctic Wolf Networks (AWN), spoke at length about a particular security incident with a big bark and a small bite.
“The customer noticed that some of their servers had connected to sites based in Russia.”
As part of the service provided by the AWN security engineers, McLane and his team compiled weekly health-check reports that highlighted recent web activity for the specific customer. On one of those reports, the customer noticed that some of their servers had connected to sites based in Russia. This alarmed the compliance officer, who stressed that there should never be any traffic from those servers to Russia, and requested that the AWN security engineers perform forensics on the incident.
Upon closer examination, the AWN team concluded that despite how it looked, the activity was entirely innocuous, and hence did not raise it as an incident to the customer. Nevertheless, the client wasn’t completely convinced.
“The customer, out of a preponderance of caution really wanted to engage a true, deep, on-site forensics investigation team.” McLane said. He added that such an investigation would have a price tag in the high five figures or low six figures, and that based on what he could see, would most likely turn up no new information.
Lo’ and behold:
“Their internal teams went and looked and didn’t find anything, we didn’t find anything and, as a result, the incident response team didn’t come up with anything either,” McLane said. “While the customer was always secure, it was nice to know that we had their backs and that the next time we say ‘we don’t see anything’ to trust us.”
All in a day’s work
It’s always good to be cautious, but in some cases, strong incident response is about knowing what noise actually warrants resource-intensive forensics. Or as McLane put it:
“Incident response and continuous monitoring isn’t just about notifying people of what they need to do. It’s often about letting them know that things aren’t what they appear to be.”
Granted, that’s much easier said than done for an organization with limited resources and expertise. Hundreds or even thousands of alerts may crop up on any given day. Knowing which ones deserve attention and which are false alarms is critical to strong security. Chase the wrong trail of bread crumbs, and you may wind up overlooking the truly threatening incidents.
That is the problem that McLane and his team of security engineers at AWN address for their clients. In addition to basic managed detection and response (MDR) services, AWN supplies customers with:
- Dedicated primary contact – clients always talk to the same person.
- An understanding of the business context and risk.
- Continuous monitoring and threat hunting.
- Remote forensics analysis of incidents.
- Advice, insights and strategic consulting.
“Having a dedicated senior concierge security engineer at your beck and call is unheard of given the tier, the vertical that we deal with, and the pricing model that we deal with,” McLane said. “But we really feel it’s the most effective, most efficient way to provide proper security for our customers.”
The key words here are “effective” and “efficient.” If these war stories have taught us anything, it’s the value of being able to effectively deal with legitimate threats, and to be efficient about forensics by knowing which trees are worth shaking.
“Sometimes it’s about finding nothing rather than finding something,” McLane said.
To hear more from McLane, watch the full webinar, “War stories from the trenches – case studies from a security ops perspective,” here. And for more information about the challenges of a SIEM, read our brief