For fans of The Rocky Horror Picture Show, the phrase ‘time is fleeting’ can forever only be heard in the dulcet tones of Richard O’Brien. And as one such fan, as I started to write this article, it immediately stuck as today’s earworm (if this is also now you, you’re welcome). Time is something we talk about a lot in the security industry – dwell time, time to detect, time to investigate, time to respond, where on earth did the time go? Time is our most valued commodity, and yet we never seem to have enough of it. Where we spend our time matters a great deal, and we are constantly being measured against the clock. Throughout this article, time will certainly feature a good amount, with the goal to help your organisation find ways of clawing back those precious hours so that your security operations team can better focus their expertise.
The enemy of the SOC: ghost chasing
False positives have been the bane of the security industry since, well, the beginning of the security industry. Something that looks, smells, and even tastes bad can turn out to be benign. Whether caused by some messy code, incomplete threat intelligence information, or a misdetection by a security vendor, false positives can be incredibly time-consuming, not to mention costly.
SOC (Security Operations Centre) analysts know this only too well. Hours and even days can be lost chasing such ghosts, whilst alerts and investigations continue to grow in the seemingly endless work queue. A single over-enthusiastic anti-virus detection or a loose SIEM correlation rule alert requires the same due diligence as a real attack, and in some cases can be harder to prove. Ruling out such an event as being a misfire requires a high level of certainty, and arguably bravery, on the part of the analyst. Should it be found to be a true positive later, the outcomes are often not bright…