In today’s hyper-distributed security environment, organizations have to assume their environments are already breached or will be breached. The only way to stay secure in this new world is to reduce the amount of time we let attackers dwell within our environments.
What if we could have a system that traces the attacker's path in real-time, allowing us to mitigate threats as they are happening, and ultimately reduce dwell time to zero?
Dwell time signifies how long an adversary has been in your environment without being detected. Today, the average undetected dwell time is 60 days. While the average undetected dwell time is dropping each year, an average measured in months is still far too long to be considered acceptable. Two months is more than enough time for an adversary to create a multitude of undetected vectors into the network, compromise centralized authentication, and exfiltrate sensitive data or hold it for ransom.
Even with the enormous amount of innovation and investment in the cybersecurity space, there is no security product that can fully track the attacker's behavior in real-time. At best, what today's solutions do is generate alerts for suspicious events and push them to analysts, who must then assemble full attack stories through manual investigations that can take hours to days.
The reality for most security teams is that lurking in the vast ocean of events are but a few hidden threats - and it takes an enormous amount of data wrangling to properly investigate each alert. With the amount of telemetry collected from EDR, NDR and SIEM platforms reaching terabytes, it's unrealistic - and dangerous - to expect highly skilled analysts to wrangle this much data every day.
The era of SIEM rules alerting on anomalies or EDR flagging suspicious behaviors followed by manual investigating IS OVER. We are seeing a new breed of adversaries, who are skilled and stealthy - and who too easily hide in the complexity of your environment.
We need a new approach.
Consider this: What if you had machines that could 1) investigate; 2) identify ground truth and causality; and 3) tell you pre-investigated storylines of what’s happening?
You could then move your highly skilled security analysts to focus on these stories and let them do what they do best: decide on the risk associated with a storyline and respond in real-time.
And let the machines do the data wrangling.
"I finally started to believe that the elimination of alert fatigue was actually possible."
~ Mike Viscuso explains the benefits for SOC teams that transition to autonomous threat hunting.