Page 73 - Cyber Warnings
practitioner. This enormous false positive problem creates “analysis paralysis” for the average
security team and consumes cycles on triage and research.
Second, because these systems can only detect malware that is already known, they are unable to
detect new attacks, new malware variants, and the infamous “zero day” attacks. Given the
growing volume of malware variants targeting individual organizations, this is an enormous
security loophole that exposes significant “false negative” risk.
Last, because these systems are built to identify malware (hashes, signatures, and the like) and its
manifestations (file activity, C&C domains, and so on), they are fundamentally incapable of detecting
attacks that do not employ malware at all, such as insider attacks, credential attacks, or those stages of
an external attack that do not employ malware. This is an enormous blind spot for security teams.
In order to realize “operational efficiency in security operations” that is meaningful and
measurable, we as an industry must deliver tools that overcome these serious shortcomings.
We need to focus on the two operational metrics that matter most to security operators:
efficiency (the volume of alerts) and accuracy (the usefulness of those alerts). We need systems that
solve both the false positive and the false negative problems, and that eliminate the blind spot around
credential-based attacks. We need new systems that employ machine learning to complement the “known
bad” models with “learned good” models, which are not susceptible to the same alert accuracy
and efficiency problems. Security vendors must step up and take responsibility for delivering
products that demonstrate operational success, and publish operational metrics that
substantiate those claims. The industry can no longer afford to hide behind marketing fluff and
hyperbolic claims. As one CISO recently put it, “We need tools that can slap us across the face
and tell us what’s going on. We don’t have time to go looking for security events.”
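The contrast the article draws, between a “known bad” model that can only match indicators and a “learned good” model that profiles normal behaviour per user, is easy to see in a few lines of code. The Python sketch below is an added illustration for this page; it is not code from the article or from LightCyber, and every log record, indicator, user name and host name in it is constructed for the example. It trains a per-user baseline of destination hosts and active hours from a few days of routine activity, then runs both models over a test day that includes a known-malware execution, a known C&C domain, and a credential-only logon with no malware involved.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One authentication/execution record (constructed schema, not a real log format)."""
    day: int
    hour: int                          # hour of day, 0-23
    user: str
    src_host: str
    dst_host: str
    file_hash: Optional[str] = None    # hash of a file executed on dst_host, if any
    domain: Optional[str] = None       # outbound domain contacted from dst_host, if any


# Constructed "known bad" indicators; placeholders, not real IOCs.
KNOWN_BAD_HASHES = {"deadbeef00"}
KNOWN_BAD_DOMAINS = {"c2.example.invalid"}


def ioc_alerts(events: List[Event]) -> List[Event]:
    """'Known bad' model: alert only when an event carries a known indicator.
    An event with no malware hash and no known C&C domain is invisible to it."""
    return [e for e in events
            if e.file_hash in KNOWN_BAD_HASHES or e.domain in KNOWN_BAD_DOMAINS]


class UserBaseline:
    """'Learned good' model: per-user profile of destination hosts and hours
    observed during a training window; deviations are scored at test time."""

    def __init__(self) -> None:
        self.hosts = defaultdict(set)
        self.hours = defaultdict(set)

    def learn(self, events: List[Event]) -> "UserBaseline":
        for e in events:
            self.hosts[e.user].add(e.dst_host)
            self.hours[e.user].add(e.hour)
        return self

    def deviations(self, e: Event) -> List[str]:
        """Reasons the event departs from the user's learned profile (empty = normal)."""
        if e.user not in self.hosts:
            return ["user never seen in training window"]
        reasons = []
        if e.dst_host not in self.hosts[e.user]:
            reasons.append(f"first login to {e.dst_host}")
        if e.hour not in self.hours[e.user]:
            reasons.append(f"never active at {e.hour:02d}:00")
        return reasons

    def alerts(self, events: List[Event], min_reasons: int = 2) -> List[Tuple[Event, List[str]]]:
        """Require several independent deviations before alerting. This threshold is
        the knob that trades alert volume (efficiency) against alert usefulness (accuracy)."""
        out = []
        for e in events:
            r = self.deviations(e)
            if len(r) >= min_reasons:
                out.append((e, r))
        return out


# Constructed training window: five days of routine activity for two users.
TRAINING = [
    Event(d, h, "alice", "ws-alice", "fileserver") for d in range(1, 6) for h in (9, 10, 14)
] + [
    Event(d, h, "bob", "ws-bob", "db01") for d in range(1, 6) for h in (9, 13)
]

# Constructed test day.
TEST = [
    Event(6, 10, "alice", "ws-alice", "fileserver"),                    # routine
    Event(6, 11, "alice", "ws-alice", "fileserver"),                    # one new hour only
    Event(6, 13, "bob", "ws-bob", "db01", file_hash="deadbeef00"),      # known malware hash
    Event(6, 9, "bob", "ws-bob", "db01", domain="c2.example.invalid"),  # known C&C domain
    Event(6, 3, "alice", "laptop-77", "domain-controller"),            # stolen credentials, no malware
]


def run_demo() -> dict:
    """Run both models over the constructed test day and summarise what each catches."""
    baseline = UserBaseline().learn(TRAINING)
    ioc = ioc_alerts(TEST)
    learned = baseline.alerts(TEST)
    return {
        "ioc_alert_count": len(ioc),
        "ioc_users": sorted({e.user for e in ioc}),
        "baseline_alert_count": len(learned),
        "baseline_hits": [(e.user, e.dst_host, reasons) for e, reasons in learned],
        # the credential-only logon (alice from laptop-77 at 03:00) is what IOC matching misses
        "credential_attack_seen_by_ioc": any(e.src_host == "laptop-77" for e in ioc),
        "credential_attack_seen_by_baseline": any(e.src_host == "laptop-77" for e, _ in learned),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Two details carry the argument. The indicator matcher fires on both of bob's events and on nothing else, so the credential-only logon is a pure false negative for it. The baseline flags that logon because two independent features (a host alice has never touched and an hour she is never active) deviate at once, while alice's single new hour at 11:00 on her usual server stays below the `min_reasons` threshold and produces no alert; that threshold is where the efficiency-versus-accuracy trade-off the article asks vendors to measure actually lives.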
About the Author
David Thompson, Senior Director of Product Management,
LightCyber
David Thompson serves as the Senior Director of Product
Management for LightCyber, responsible for assessing customer and
market requirements, conducting sales and channel training and
enablement, market education, and overall solution definition. He has
been with LightCyber since late 2014.
Mr. Thompson has over 15 years of experience focused on information security. Prior to joining
LightCyber, he served in Product Management leadership positions for OpenDNS, iPass,
Websense, and Voltage Security (now HP). Prior to running product management at Voltage
Security, Mr. Thompson was a Program Director at Meta Group (now Gartner) responsible for
security research topics including encryption, PKI, remote access, and secure network design.
Mr. Thompson holds a Bachelor of Science in Physics from Yale University.
73 Cyber Warnings E-Magazine October 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide