images
figures
Blog

Stop Thinking Detection. Think Correlation

Guest Writer
21.02.2021
image 3 Min read
Cloud Workload Protection

Let’s start with the tricky truth: the problem with stopping data breaches is not about detection. We’ve seen this time and time again at GlobalDots, where we partner with security providers and customers alike to consult and provide security solutions to the new and evolving threats in the cloud.

Modern security systems detect a lot. In fact, they probably even detect too much: according to study by IT security firm Bricata, the average SOC receives over 10,000 alerts each day from an ever-growing array of monitoring and detection products. This has inevitably led to what is known as “alert fatigue”. So clearly, not enough detection is hardly the issue.

Context is King

An individual examination of each alert tells you almost nothing. Nearly every log can either be legitimate or illegitimate, depending on the context in which it is created.

Consider the following activities. Looking at each one out of context, could you tell the legitimate from the illegitimate ones?

  • A system administrator logging from an unusual location. Is it because they are working on something urgent from their vacation, or because their credentials have been stolen by hackers from Eastern Europe?
  • A user accessing the network outside of business hours. Is that because they have an emergency at work, or are these hackers trying to go unnoticed?
  • A DevOps engineer invoking an API call which they have never used before for the first time. Are they rolling out a new product version, or is it a hacker attempting lateral expansion within your network?
  • A database administrator accessing a cloud-based storage bucket and exporting all the data for it. Is it part of their job, or has someone just stolen your entire user database?

The answer is, of course, no.

How Attackers Fly Under Your Radar

Working closely with security partners and analyzing data breaches, we’ve learned that in most cases, the malicious activities were indeed identified in time, but at the same time flew under the radar.

Here are some possible reasons:

  • Alert overload: security managers are simply flooded with so many alerts that they don’t have time to analyze the majority of them. As a result, important events get lost in the noise.
  • Low-risk alerts: many activities that make up a data breach are not high-risk, high-impact, but rather mundane actions with a low-risk assigned to them. As a result, they are frequently overlooked.
  • Lack of context: looking at each standalone activity, independently of other activities, cannot reveal the intent behind it, and whether it is cause for concern.
  • Stretching over time: data breach incidents frequently take weeks and months to unfold. Logs come in at such a high rate on a daily basis that it is impossible to remember another alert from several weeks ago, and associate individual activities.

As a result, any means of trying to manually analyze alerts and put them in context in order to identify malicious activity is bound to fail.

Detection is Important; Correlation is Crucial

Correlation is the process of taking independent, seemingly-unrelated events, and correlating them across threat surfaces, resources, and time frames.

Think back of the list of example activities we listed earlier: On its own, each event was meaningless; we could not discern the intent behind it.

But consider the following chain of events:

  1. A user connects from a remote location, at an unusual time outside of business hours.
  2. A few days later, the same user invokes for the first time an API call to list all privileges of the user.
  3. Over a few weeks, the user performs a series of connections to multiple storage buckets holding sensitive information.
  4. The user downloads data from a storage bucket to a location outside of the network.

Looking at these events in a linked chain of events looks very different than just analyzing each event individually, doesn’t it?

This is why correlation is so important: it allows you to identify a data breach in its entirety, not just the individual events that are part of it. It also helps prioritize a real attack from all the noise traditional security systems typically generate.

This is why automatic, AI-based correlation is such a crucial component of cybersecurity, and one that can make the difference between stopping a breach in time, or reading about it in the news.

Comments

0 comments

There’s more to see

slider item
Cloud Workload Protection
Demo: Inside Radware’s Cloud Native Protector
Steven Puddephatt 11.10.21

How many of your users’ cloud permissions are actually necessary? How do you prevent excessive permissions from enabling workload breaches? Can there be one source of truth for vulnerabilities in multi-cloud environments? And how hard is auto-hardening? This demo is all about answering these questions. Watch GlobalDots solutions engineer Steven Puddephatt break down the basics […]

Read more
slider item
Cloud Workload Protection
Solution Brief: Agentless Cloud Workload Protection
Admin Globaldots 13.04.21

Explore the main features, capabilities, and benefits of the latest cloud workload protectors. This category of products is meant to safeguard the organizational public cloud environment by: Removing excessive permissions Creating attack stories out of anomalies across different apps and workloads Auto-hardening upon suspicious incidents Fill out the form to get your copy of the […]

Read more
slider item
Cloud Workload Protection
Cloud Workload Protection: Top 4 Vendors Compared & Evaluation Criteria
Steven Puddephatt 07.04.21

Recent reports show that overall enterprise use of cloud services spiked by 50% due to work from home mandates caused by the pandemic. This rush has led to an increase in cloud-native security risks, such as publicly-exposed API keys and resources and excessive permissions. Problem is, alert overflow and lack of context to the alerts […]

Read more

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.
Contact us
figure figure figure figure figure

Don’t Fortify. Amplify | Cloud Security Reimagined