How Security Teams Eliminate Risk Acceptance with MDR

Recent data shows that 83 percent of IT security professionals are feeling more overworked in 2020 than in 2019, and 82 percent felt that their teams were understaffed.

Critical Start’s own research on the impact of security alert overload revealed more than 75% of survey respondents reported a SOC analyst turnover rate of more than 10% for their security operations centers.

At the same time, current global events (such as the COVID-19 outbreak) are driving an unprecedented number of people to work, shop, and conduct the majority of their financial business at home. Now add in forecasts suggesting that companies can expect an almost 30 percent chance of a data breach within the next two years.

All of these pressures are creating a crucible of increasing security threats with insufficient resources to deal with them, driving a new urgency to rethink the protection and mitigation strategies of the past.

Proactive Incident Response Planning Is Crucial to Security Posture

Forming an incident response (IR) team and a proactive incident response plan are some of the key strategies successful companies are employing to protect against the asymmetric threats of the future.

Ponemon’s findings reinforced the validity of this approach, demonstrating that the formation of an IR team could lower the total cost of a data breach by an average $360,000, while an IR plan could reduce the total cost of a data breach by an average $320,000.

Many organizations are incorporating Managed Detection and Response (MDR) services and partnering with a security firm that uses the organization’s own tools, threat identification strategies, and procedures to proactively handle a cyberattack before serious damage can occur.

Prioritizing Security Alerts Is a Recipe for Fatigue

The legacy concept of digital security is one based on prioritizing alerts to take the stress off of overworked security teams, whether internal or provided through managed services.

But this approach no longer works for a simple reason: Due to alert fatigue and a desire for efficiency, high-priority alerts are what get noticed.

Calculate your risk acceptance here >

Ignoring Lower-Priority Threats Increases Your Risk of Being Breached

Lower alert levels are often ignored to keep the team focused on what is perceived to be the real threat. In some cases, detection logic will actually be disabled by companies to stay focused on these high-priority alerts.

But by the time an alert is highlighting a high-priority issue, it’s usually due to the fact that something has already been working behind the scenes to cause significant damage.

And that something was most likely already identified through a lower priority alert that was never escalated.

Case study: The 2008 Kraken Botnet

The Kraken botnet from 2008 is a great example of the extreme vulnerability that comes from ignoring low-priority alerts. Kraken works this way:

  • An endpoint receives a suspicious file, where it’s unable to match a signature – but it’s still a low-priority alert that is often ignored.
  • A connection is made to mx.google.com from the endpoint. It’s connecting to a legitimate website, but one to which infected hosts have connected in the past, raising its risk reputation.
  • Another low-priority alert is added to an extensive mix of others, still not drawing much attention.
  • The endpoint connects to several popular news sites and downloads the front page of each. The infected endpoint has now confirmed network connectivity through a low-profile, seemingly legitimate activity.
  • The endpoint then looks for other bots by searching randomly generated URIs based on dynamic DNS domains.
  • The quick succession of failed DNS queries is followed by a successful one. This might finally generate some visibility as a threat, but by now the infected bot has connected to another bot and downloaded a payload with no traffic traversing the IPS, since it is not communicating outside of the organization.
  • At this point with a legacy approach, maybe there’s threat escalation, but maybe not.

Now, this is an example of a cyber threat that has existed for over a decade. If the traditional threat and escalation models can miss this threat, what will they do with the ever-more-sophisticated attacks they’re facing today?

Managed Detection & Response Technology Reduces the Strain on Your Security Team

Meeting a low-priority alert/high actual threat environment requires that security teams adopt a zero-trust approach to incoming alerts: Every alert should be treated equally, and every alert is guilty until proven otherwise.

This means that alerts should not be prioritized from the top down, and an organization cannot simply rely on an anti-virus vendor to tell them what’s important.

MDR Eliminates Security Risk Acceptance

By employing the right team and using the appropriate MDR platform, every alert can be handled as efficiently and transparently as possible. Adopting this approach eliminates alert fatigue and the resultant risk acceptance that comes with it.

MDR teams accomplish this by working with clients to review every alert and decide its level of normalcy.

Calculate your risk acceptance here >

Building a Trusted Behavior Registry to Remove False-Positives

As an example, let’s say a user runs powershell.exe and runs a script. The client informs the MDR team that this is a normal behavior for a specific user.

Over time, this type of information is used to build out a Trusted Behavior Registry (TBR) that prevents any such future alerts from triggering a false-positive in the future.

But if a different user executes this same action, even if it is considered a lower-priority alert, now it comes under scrutiny because this action is outside of the safe behavior identified in the registry.

This is how to keep from getting bogged down by alert fatigue while still keeping watch over the medium, low, or even informational alerts that could be hiding a serious threat.

Improving Incident Response Time with MDR

And with an MDR team ready to take action on behalf of their client, response time shrinks and an attacker has less time to move around within the system.

Affected devices or accounts can be quarantined, and an attack can be traced back to the root cause so that the originally comprised vulnerability, such as a password, can be corrected.

Once the threat is stopped, a full report can be prepared for the client, including details on how access was gained right through how it was ultimately shut down.

Contact Critical Start’s MDR Experts Today

The cost of security mistakes is too high in today’s world. But with an alert strategy that treats the seemingly insignificant as the true threat it could possibly become, and by employing MDR to ensure that threat does not get far past its starting point, any potential cost can be mitigated.

Organizations can finally have the peace of mind that they are staying ahead of the ever-evolving threats in the world around them, and that can be invaluable.

Contact us today to learn how we can help ease the burden of alert overload for your company’s security team.


You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
Tactics to Mitigate Security Gaps in Modern Threat Response. Upcoming Webinar - October 15.
This is default text for notification bar