Threat Detection is a notoriously difficult problem that most security organizations continue to struggle with. Despite a myriad of tools, 24/7 SOCs, and millions spent on services, the average time to detect a breach is 146 days. Worse, many indicators point to the problem growing in scale. Clearly, we need a new pragmatic approach to tackle this challenge.

An Analogy with Continuous Integration and Delivery

Not long ago, software development faced a similar challenge. Business users wanted application updates delivered ever faster, while the code was growing more complex and, as a result, more buggy. Continuous Integration and Delivery (CI/CD) has since helped teams deliver software with agility, speed, and quality.

It is time we applied the same concepts to cyber security, in the form of Continuous Threat Detection.
Let’s examine the similarities.

Threat Detection is akin to finding software bugs. A bug is something not working as expected. A breach or threat is activity that should not be occurring, yet is.

Software changes very often. So does the IT infrastructure that supports the business. If things were static, the detection problem (bugs or threats) would be much easier. But we live in a world where software and IT are dynamic. Agility is a must-have business requirement and a competitive weapon, so there is no escaping this.

Levels of Maturity

There are many parallels between the maturity levels of software organizations at finding bugs and those of security organizations at finding threats. These are the typical five levels:

1. Blissfully oblivious

  • Developers say: My code has no bugs. I rarely test my code, but when I do, I test it in production.
  • Security Teams say: We are doing great. Since we have not detected any attacks recently, we feel pretty good about our security posture and preparedness.

2. Aware but severely constrained

  • Developers: We should be testing, but really we do not have the time to do that. I did some basic testing, and all seems OK.
  • Security Teams: I know we should be looking at things, and we really have no threat visibility. But we have so many things to do, I am not sure we will even get to it this year.

3. Aware and on a journey

  • Developers: We should be testing, and we do have a QA team that does this testing.
  • Security Teams: We should be monitoring, and we do. We have a team of analysts that triages these alerts and we respond and remediate if we find signs of high risk activity.

4. Implemented best practices

  • Developers: We believe in testing, and are conducting a blend of manual testing and automated testing. Also, we do continuous integration - with a suite of unit tests and integration tests. Heck, we even have automated performance tests.
  • SecOps: We believe in data. Heck, we have a data science team that proactively digs for threats in our data. Also, we have processes in place to conduct regular pen tests, and we fix what we find proactively.

5. Exceptional

  • Developers: We conduct Test Driven Development. We do code reviews. We do manual testing, but we constantly automate tests. We have metrics, e.g. code coverage, and we are constantly using those metrics to improve quality.
  • SecOps: We conduct peer reviews. We automate detection and response. We know what our False Positive rates are, and we even measure mean time to detect; and we work on improving those continuously.

Threat Detection - Levels of Automation

Looking at the levels of sophistication amongst software teams and how they test, they fall into the following buckets:

  • Not much
  • Sometimes, to check a box
  • Manually
  • Manually plus automated and scheduled
  • Continuously

Compare this to the sophistication buckets of SecOps teams with threat detection:

  • Not much
  • Compliance: Minimum to check a box
  • SOC teams that do alert triage manually
  • SOC teams that do leverage some automation
  • SOC teams that conduct continuous threat detection

Automation is picking up speed, but very few SOC teams have evolved to continuous threat detection today. So, what exactly is Continuous Threat Detection? There are two key dimensions along which you can measure and assess the level you are at:

1. Effectiveness - How likely are you to find an attack or a breach if it were to happen?
2. MTTI - Mean time to identify - Is it hours, days, weeks or months?

“Continuous” means the MTTI averages in hours or minutes. If it takes days and weeks, it may be proactive, but definitely not continuous. Given this, why then is MTTI several months on average?
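A small way to put numbers on the two metrics above, as an added example that is not part of the original post: it scores a constructed set of incidents for effectiveness and MTTI and maps the MTTI onto the post's "minutes or hours" versus "days and weeks" language. The record format and the 24-hour and 30-day cut-offs are assumptions, and the point it makes is that MTTI measured only over detected attacks can look fine while effectiveness is poor, so the two must be read together.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class Incident:
    """One confirmed attack: when it began and when (if ever) the SOC identified it."""
    name: str
    started: datetime
    identified: Optional[datetime]  # None = the team never found it on its own

def effectiveness(incidents):
    """Fraction of known attacks the team identified itself (metric 1)."""
    if not incidents:
        return 0.0
    return sum(1 for i in incidents if i.identified is not None) / len(incidents)

def mtti_hours(incidents):
    """Mean time to identify in hours (metric 2), over attacks that were detected at all.
    Undetected attacks are excluded here and surface in effectiveness() instead."""
    delays = [(i.identified - i.started).total_seconds() / 3600
              for i in incidents if i.identified is not None]
    return mean(delays) if delays else None

def maturity_bucket(hours):
    """Map MTTI onto the post's wording; the 24 h and 30-day cut-offs are assumptions."""
    if hours is None:
        return "no detections to measure"
    if hours < 24:
        return "continuous (minutes to hours)"
    if hours < 24 * 30:
        return "proactive but not continuous (days to weeks)"
    return "lagging (months)"

# Constructed sample: four attacks, one of which the SOC never found.
T0 = datetime(2022, 5, 1, 9, 0)
SAMPLE = [
    Incident("phish-01", T0, T0 + timedelta(hours=3)),
    Incident("creds-02", T0 + timedelta(days=2), T0 + timedelta(days=2, hours=20)),
    Incident("lateral-03", T0 + timedelta(days=5), T0 + timedelta(days=9)),
    Incident("exfil-04", T0 + timedelta(days=7), None),
]

if __name__ == "__main__":
    print(f"effectiveness: {effectiveness(SAMPLE):.2f}")
    h = mtti_hours(SAMPLE)
    print(f"MTTI: {h:.1f} h -> {maturity_bucket(h)}")
```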

Big Data Is A Problem

Automating threat detection is very difficult and a lot of work. There is a great deal of data you can collect; for many teams it amounts to terabytes every day. Yet more data just means more noise. Precisely because there is so much data, very important threat signals get drowned in this sea of log events and alerts.

Constantly changing threat landscape

IT infrastructure is dynamic. Configuration changes occur at breathtaking pace, new applications are launched every week. Threats evolve rapidly as well with increasing sophistication. And the pace of change is only speeding up. If the security teams cannot keep pace with the changing landscape, it opens up a much greater attack surface for a skilled adversary to exploit.

Smart Adaptive Adversaries

As a SecOps team you are very often trying to detect things that someone very skilled is trying to make undetectable. It is a cat and mouse game. Are your detection teams better than the evasion techniques that hackers employ? Is your automation better than the automation that hackers employ? Are you sharing intelligence with your peers better than the hackers do?

In development you are arguably only facing two of the above challenges. Developers typically are not trying to intentionally create bugs that are hard to find. Attackers, on the other hand, are trying to go unnoticed all the time.

Continuous Threat Detection

I believe the only way out of this is if we can effectively understand what our data is telling us at scale. This means we need to build intelligent systems that can separate what's expected and low risk from what's unexpected and/or high risk with great effectiveness and speed, in an ever changing and expanding IT landscape. And that is “Continuous Threat Detection”. It needs to be one of the ultimate goals of security automation.

It is going to be a long road, but it is the only viable answer to breaches that keep going undetected.
