Event anomalies can be an indicator of attack, but rather commonly they are just an IT problem…
The Incident Response Report published today by F-Secure, summarising its own investigations, shines light on both attack methodologies and corporate attack reporting. Email inboxes, via the dual whammy of phishing and malicious attachments, are the most common source of breaches (34 percent combined). The single biggest attack source was the exploitation of Internet-facing service vulnerabilities (21 percent). Neither of these is exactly a surprising statistic, to be honest.
That 13 percent of the reported incidents investigated by F-Secure turned out to be false alarms is, perhaps, more so.
The number of such false alarms certainly took Tom Van de Wiele, F-Secure’s principal security consultant, by surprise, and reveals an enterprise struggle with detecting what is and isn’t an attack. “Sometimes we’ll investigate and discover an IT problem rather than an attack,” Van de Wiele says, “which drains resources and distracts everyone from dealing with the real issue.”
The headline alone is worth its weight in bitcoin.
Sadly, I cannot accept the credit for coming up with that. It was all the work of the creative cybersec mind that is Ian Trump. I spoke to Ian about the story, and quoted him within it; the headline was pulled straight out of that conversation. I do, however, agree that it is a blinder!
Isn’t dealing with these false positives where AI enters the security response equation?
AI, or more correctly ML, certainly has a role to play in filtering such alerts. Indeed, it is already playing that part, but it is only a matter of filtering, so that fewer false positives reach the incident response team.
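To make the filtering idea concrete, here is an added example of the kind of alert-triage model meant above. It is illustration code written for this page, not F-Secure's tooling or anything from the report; the feature names, the labelled training alerts, the test alerts and the 0.95 suppression threshold are all assumptions constructed for the demo. A small Bernoulli naive Bayes classifier scores each alert with the probability that it is an IT problem rather than an attack, and the filter only suppresses an alert when that probability clears a deliberately high bar, because a dropped attack costs far more than an extra analyst ticket.

```python
"""Toy ML alert-triage filter (added example; constructed data, not real incidents).

Each alert is the set of boolean features that fired. The model learns
per-class feature frequencies from a labelled history and returns the
posterior probability that a new alert is an IT problem. Alerts are
suppressed only above SUPPRESS_THRESHOLD; everything else goes to IR.
"""
from math import exp, log

FEATURES = (
    "external_source_ip",      # traffic involves a non-corporate IP
    "during_change_window",    # fired inside a scheduled maintenance window
    "new_process_on_host",     # previously unseen binary executed
    "service_restart_logged",  # ops restarted the affected service
    "outbound_to_new_domain",  # host contacted a never-before-seen domain
    "single_host",             # only one host affected
)

# Constructed labelled history: (features present, analyst verdict).
TRAINING = [
    ({"external_source_ip", "new_process_on_host", "outbound_to_new_domain"}, "attack"),
    ({"external_source_ip", "outbound_to_new_domain"}, "attack"),
    ({"new_process_on_host", "outbound_to_new_domain", "single_host"}, "attack"),
    ({"external_source_ip", "new_process_on_host"}, "attack"),
    ({"during_change_window", "service_restart_logged"}, "it_problem"),
    ({"during_change_window", "service_restart_logged", "single_host"}, "it_problem"),
    ({"service_restart_logged", "single_host"}, "it_problem"),
    ({"during_change_window", "new_process_on_host", "service_restart_logged"}, "it_problem"),
    ({"during_change_window"}, "it_problem"),
]

# Constructed hold-out alerts used to check the filter before trusting it.
TEST_ALERTS = [
    ({"during_change_window", "service_restart_logged", "single_host"}, "it_problem"),
    ({"external_source_ip", "new_process_on_host", "outbound_to_new_domain"}, "attack"),
    # attacker active during a change window: timing alone must not hide it
    ({"during_change_window", "new_process_on_host", "outbound_to_new_domain"}, "attack"),
    ({"during_change_window", "service_restart_logged", "new_process_on_host", "single_host"}, "it_problem"),
]

SUPPRESS_THRESHOLD = 0.95  # assumption: set high so attacks are almost never dropped


def train(samples, alpha=1.0):
    """Return {class: (log prior, {feature: P(feature | class)})} with Laplace smoothing."""
    model = {}
    for cls in {label for _, label in samples}:
        rows = [present for present, label in samples if label == cls]
        n = len(rows)
        probs = {f: (sum(f in r for r in rows) + alpha) / (n + 2 * alpha) for f in FEATURES}
        model[cls] = (log(n / len(samples)), probs)
    return model


def log_joint(model, cls, present):
    """log P(class) + log P(features | class) under the Bernoulli model."""
    log_prior, probs = model[cls]
    total = log_prior
    for f in FEATURES:
        p = probs[f]
        total += log(p) if f in present else log(1.0 - p)
    return total


def p_it_problem(model, present):
    """Posterior probability that the alert is an IT problem rather than an attack."""
    la = log_joint(model, "attack", present)
    li = log_joint(model, "it_problem", present)
    m = max(la, li)  # log-sum-exp keeps tiny likelihoods from underflowing
    return exp(li - m) / (exp(la - m) + exp(li - m))


def triage(model, present, threshold=SUPPRESS_THRESHOLD):
    """Return ('suppress' | 'escalate', probability) for one alert."""
    p = p_it_problem(model, present)
    return ("suppress" if p >= threshold else "escalate", p)


def evaluate(model, labelled_alerts, threshold=SUPPRESS_THRESHOLD):
    """Count what reaches IR and, crucially, how many real attacks the filter dropped."""
    stats = {"escalated": 0, "suppressed": 0, "missed_attacks": 0}
    for present, label in labelled_alerts:
        decision, _ = triage(model, present, threshold)
        stats["escalated" if decision == "escalate" else "suppressed"] += 1
        if decision == "suppress" and label == "attack":
            stats["missed_attacks"] += 1
    return stats


MODEL = train(TRAINING)

if __name__ == "__main__":
    for present, label in TEST_ALERTS:
        decision, p = triage(MODEL, present)
        print(f"{decision:9s} p_it_problem={p:.3f} truth={label} {sorted(present)}")
    print(evaluate(MODEL, TEST_ALERTS))
```

On the four constructed hold-out alerts the filter halves what reaches the IR queue without suppressing either attack, and the third alert shows why the threshold matters: an attacker operating inside a change window scores only about 0.27 for "IT problem" because the new process and the new outbound domain dominate the timing feature. The caveats a practitioner would insist on are that a threshold must be validated on real labelled history rather than a handful of samples, that suppressed alerts should be logged for later review instead of discarded, and that the model's precision is only as good as the analyst verdicts it was trained on.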