What should you be watching?

There are cybersecurity tools for everything. But does more equate to better? When your team is overworked, it may be better to focus on what’s important.


Less is More

Implementing more cybersecurity tools isn’t always better.

A wealthy couple was building a new home. It was lavish and spared no expense. They even installed a state-of-the-art safe, complete with biometrics, and hidden behind a false wall.

Their alarm system was also state-of-the-art. Motion sensors everywhere. Dozens of cameras. Door sensors and glass break microphones. Laser trip wires. Everything you could imagine.

But they didn’t have anyone watching these systems. False alerts were common, and no one ever tested the validity of the coverage. They didn’t hire anyone to keep watch over their property and didn’t invest the time needed to really identify threats. Soon, they grew bored and checked the camera on their safe only periodically.

I’m sure you can see where this is heading. One day, a group of thieves broke in and took everything—except for what was in the safe. No one was notified. No one contacted the police. Nothing happened until the couple came home and found their house was in ruins. All that expensive security gear still didn’t provide the protection they needed because it was excessive, unmanaged, and failed to focus on the most likely points of entry, such as doors and windows.

This scenario is common in business protection as well. Businesses invest in tools for every possible scenario but fail to monitor the most likely threats and weaknesses within their organization, leaving them vulnerable.


False Positives

Businesses implement a SIEM to collect data and logs from every possible source. They might even have someone tasked with reviewing this ‘regularly’. But over time, that person loses interest or gets tired of chasing the same false positives and ends up ignoring them automatically. The individuals are assigned additional tasks, and suddenly all this expensive gear is left on its own, with the hope that anything significant will trigger an alert and send an email that might or might not actually be read.


Tool Fatigue is Real

There are tools for everything. Log creation, collection, and monitoring. Firewall alerts. Honeypots. DNS monitors. EDR. MDR. Even AI is getting tossed into this protective salad.

But does it actually improve security?

Having more tools just means more stuff to wade through, and for overworked security teams, that means more chances for true-positive alerts to slip through.


Focus on What’s Important

Instead of adding more tools, ask what the most likely point of failure would be and how to identify that failure as early as possible. Reduce overall workload and tool fatigue by focusing on what is truly important within your environment:

  • Network Ingress and Egress
  • Suspicious Lateral Movement
  • Unexplained Network Scanning and Discovery

Ensure teams are kept up to date with real-time risk reports and are monitoring scenarios for signs of compromise.


Monitor What Matters

Collecting data from everything is only going to waste time, resources, and effort.

First, identify the most likely ingress paths and monitor them to stop an attack immediately. But once initial access has occurred, network traffic will tell the tale of:

  • What has been accessed?
  • How is the attack migrating?
  • What is being pushed to devices?

By being strategic in your monitoring policy, you increase the fidelity of detections while reducing alert fatigue, making the overall process much more efficient.

Relying solely on a team or third party to respond to generated alerts ignores the threat and risk of compromise and puts too much faith in the alert-generating process.


Be PROACTIVE

The last, and most crucial, aspect of improving overall security is to be PROACTIVE.

Alerts can tell you what happened AFTER THE FACT, not what an attacker is actively doing.

Perform threat hunts within the environment by regularly looking for signs of malicious activity and identifying things that may have escaped detection. These signs can include:

  • Suspicious login activity
  • Odd data access
  • Network activity outside normal patterns of behavior

The most effective way to detect this activity is to review all network traffic through packet capture and analysis. This will identify ALL traffic—even network traffic originating from systems that don’t or can’t have EDR or logs, such as IoT and OT devices.
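The three focus areas above (ingress/egress, lateral movement, and scanning/discovery), the post-access questions under “Monitor What Matters”, and the hunt signals in this section can all be answered from the same network-derived flow records. The script below is an added example, not PacketWatch code or anything from the original post. It assumes flow records exported from packet capture as CSV (timestamp, source, destination, destination port, bytes out, bytes in); the internal address range, the list of sanctioned admin hosts, the thresholds, the sample flows and the per-host egress baseline are all constructed for illustration.

```python
"""Flow-based triage for the focus areas named above: scanning/discovery,
lateral movement, and egress volume outside a host's normal pattern.
Constructed example; all data, ranges and thresholds are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")      # assumed internal address space
ADMIN_PORTS = {22, 445, 3389, 5985}      # remote-admin services used for lateral movement
ADMIN_HOSTS = {"10.0.0.5"}               # assumed: the only sanctioned jump host
SCAN_PORT_THRESHOLD = 5                  # distinct ports on one destination
SCAN_HOST_THRESHOLD = 5                  # distinct destinations from one source
LATERAL_THRESHOLD = 2                    # admin-port peers reached by a non-admin host
EGRESS_SIGMA = 3.0                       # z-score above baseline that is worth a look

# Constructed flow records: ts,src,dst,dport,bytes_out,bytes_in
SAMPLE_FLOWS = """\
1,10.0.1.10,93.184.216.34,443,5000,20000
2,10.0.1.11,10.0.0.50,445,800,400
3,10.0.1.11,10.0.0.51,445,800,400
4,10.0.1.11,10.0.0.52,3389,1200,900
5,10.0.0.5,10.0.0.50,22,300,300
6,10.0.1.12,10.0.0.20,22,60,0
7,10.0.1.12,10.0.0.20,23,60,0
8,10.0.1.12,10.0.0.20,80,60,0
9,10.0.1.12,10.0.0.20,443,60,0
10,10.0.1.12,10.0.0.20,8080,60,0
11,10.0.1.10,198.51.100.7,443,950000000,1000
"""

# Constructed baseline: daily bytes sent to external addresses over the past five days
BASELINE_EGRESS = {"10.0.1.10": [4800, 5100, 5300, 4900, 5000]}


def parse_flows(text):
    """Parse CSV flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, out_b, in_b = line.split(",")
        flows.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
                      "bytes_out": int(out_b), "bytes_in": int(in_b)})
    return flows


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def find_scanning(flows):
    """Discovery: one source touching many ports on a host, or many hosts."""
    ports = defaultdict(set)   # (src, dst) -> distinct destination ports
    hosts = defaultdict(set)   # src -> distinct destinations
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
        hosts[f["src"]].add(f["dst"])
    findings = [{"type": "port_scan", "host": s, "detail": f"{len(p)} ports on {d}"}
                for (s, d), p in ports.items() if len(p) >= SCAN_PORT_THRESHOLD]
    findings += [{"type": "host_sweep", "host": s, "detail": f"{len(d)} hosts"}
                 for s, d in hosts.items() if len(d) >= SCAN_HOST_THRESHOLD]
    return findings


def find_lateral_movement(flows):
    """Internal-to-internal admin-port connections from non-sanctioned sources."""
    peers = defaultdict(set)
    for f in flows:
        if (is_internal(f["src"]) and is_internal(f["dst"])
                and f["dport"] in ADMIN_PORTS and f["src"] not in ADMIN_HOSTS):
            peers[f["src"]].add(f["dst"])
    return [{"type": "lateral_movement", "host": s, "detail": f"admin ports to {sorted(d)}"}
            for s, d in peers.items() if len(d) >= LATERAL_THRESHOLD]


def find_egress_anomalies(flows, baseline):
    """Egress: bytes sent to external addresses compared with each host's history."""
    today = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            today[f["src"]] += f["bytes_out"]
    findings = []
    for host, sent in today.items():
        history = baseline.get(host)
        if not history:
            continue   # no baseline yet: a candidate for a manual hunt, not an alert
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:
            z = float("inf") if sent > mu else 0.0
        else:
            z = (sent - mu) / sigma
        if z > EGRESS_SIGMA:
            findings.append({"type": "egress_anomaly", "host": host,
                             "detail": f"{sent} bytes out, z={z:.1f}"})
    return findings


def analyze(flow_text, baseline):
    """Run all three checks over one batch of flow records."""
    flows = parse_flows(flow_text)
    return (find_scanning(flows) + find_lateral_movement(flows)
            + find_egress_anomalies(flows, baseline))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS, BASELINE_EGRESS):
        print(finding)
```

On the constructed sample this reports three findings and nothing else: a port scan from 10.0.1.12, admin-port connections from 10.0.1.11 to three internal hosts, and an egress spike from 10.0.1.10 far above its baseline; the sanctioned jump host is silent. Because the input is flow data taken from the wire rather than endpoint logs, the same checks apply to IoT and OT devices that cannot run an agent, which is the point made above. The thresholds are deliberately few and tied to the behaviours the post names, so each finding is worth a human's time rather than another line in the queue.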


Conclusions

Collecting a never-ending array of logs and data points often wastes time and resources.

If these data points aren’t regularly monitored, audited, and reviewed, then the alerts and alarms from log management systems become tools for determining how an attack occurred rather than for preventing it from occurring at all.

Focus on the perimeter, network ingress, network egress, and suspicious network traffic within your environment. This will identify most attacks within the environment without contributing to alert fatigue.

More isn’t always better.


To see what we see on a network, request a demonstration of PacketWatch in action.

Todd Welfelt has an Information Technology career spanning more than 25 years. He has turned his extensive experience with hands-on management and maintenance of computer systems into practical assessment and implementation of security tools to meet the needs of compliance frameworks, as well as provide real-world risk reduction.