Hi! I am Nick Gipson, the Director of Cyber Operations here at Pareto Cyber. This is Part 4 of my 10-Part series on “10 Things I Hate About Cybersecurity: A Love Story” where I dissect the problems within this industry and my personal encounters with them. You can find the other parts of this series here.
The Issue
Some Managed Security Service Providers (MSSP) and Security Information and Event Management (SIEM) vendors set up tools so poorly they may as well install nothing at all.
The point of cybersecurity software is to provide useful information for handling cybersecurity threats. It seems obvious, yet somehow that’s not always the case. Some MSSPs and SIEM vendors install a security tool for a client and then never configure or tune it for that client’s environment.
Why It Matters
Generic alert content doesn’t work.
What such a set-up does is create countless false positives in security reports. Since the client’s specific environment is not taken into account during installation, the alerts are vague, general, and often downright ridiculous.
For example, I’ve recently spoken with a prospective client who got burned by this approach. They had purchased a security tool and started running it with just the base alert system without any additional configuration. After 90 days, they received… more than 500,000 security alerts. Every single one was a false positive.
Since they never set up their software, the tool was generating a security alert for literally any “.exe” file on a main Windows file path. Not particularly helpful.
As a result, their security team got so overwhelmed by all these false positive alerts that they stopped looking at most of the rules. Out of the 2000 security rules they had set up, they are currently only looking at 1.
What Can We Do?
To see the true activity going on, you need to customize these reporting tools to your environment.
When setting up software, run use-case assessments against your known network activity and topology. At Pareto Cyber, we usually set up rules in batches:
- Start with the top 5 rules triggering most frequently and configure them to deliver the information you want.
- Once those are set up, configure the next 5 rules.
- Work down the list as much as desired.
Typically, fixing this type of issue is extremely easy. I’ve found that a single simple misconfiguration tends to trigger crazy amounts of alerts, so once that one rule is configured properly, the false positive rate should go down significantly.
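As an added example (not from the original post or from Pareto Cyber’s own tooling), here is a small Python script that does the batch tuning described above over a constructed alert export: it ranks rules by how often they fire, applies an environment-specific exclusion to the noisiest one (the kind of “any .exe on a Windows path” rule mentioned earlier), and reports alert counts before and after. The alert record format, the rule names and the directory allowlist are assumptions made for the example.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample alerts (not real data). The shape mimics a generic SIEM
# export: the rule that fired, the host, and the file path that triggered it.
SAMPLE_ALERTS = [
    {"rule": "exe_on_windows_path", "host": "ws01", "path": r"C:\Windows\System32\svchost.exe"},
    {"rule": "exe_on_windows_path", "host": "ws01", "path": r"C:\Windows\explorer.exe"},
    {"rule": "exe_on_windows_path", "host": "ws02", "path": r"C:\Windows\System32\lsass.exe"},
    {"rule": "exe_on_windows_path", "host": "ws02", "path": r"C:\Windows\Temp\setup_9x.exe"},
    {"rule": "exe_on_windows_path", "host": "ws03", "path": r"C:\Program Files\Vendor\agent.exe"},
    {"rule": "exe_on_windows_path", "host": "ws03", "path": r"C:\Windows\System32\notepad.exe"},
    {"rule": "new_local_admin", "host": "ws02", "path": ""},
    {"rule": "failed_logon_burst", "host": "dc01", "path": ""},
    {"rule": "failed_logon_burst", "host": "dc01", "path": ""},
]


def top_noisy_rules(alerts, n=5):
    """Rank rules by how often they fire: this is the first batch to tune."""
    return Counter(a["rule"] for a in alerts).most_common(n)


# Environment-specific tuning for the noisy rule (assumed directories).
# Executables under these directories are expected on a managed Windows host.
EXPECTED_EXE_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
)
# Writable locations that sit under an expected directory keep alerting.
STILL_ALERT_DIRS = (PureWindowsPath(r"C:\Windows\Temp"),)


def is_expected_exe(path_str):
    """True if the path is a known-benign location for this environment.

    PureWindowsPath comparisons are case-insensitive, so 'c:\\windows' and
    'C:\\Windows' match. The writable-directory check runs first so that a
    file dropped in C:\\Windows\\Temp is not excused by being under C:\\Windows.
    """
    p = PureWindowsPath(path_str)
    if any(d in p.parents for d in STILL_ALERT_DIRS):
        return False
    return any(d in p.parents for d in EXPECTED_EXE_DIRS)


# Map a rule name to a predicate that returns True when the alert is a known
# false positive for this environment and should be suppressed.
TUNERS = {"exe_on_windows_path": lambda a: is_expected_exe(a["path"])}


def apply_tuning(alerts, tuners):
    """Drop alerts that a rule's tuner marks as expected; keep everything else."""
    kept = []
    for a in alerts:
        suppress = tuners.get(a["rule"])
        if suppress is not None and suppress(a):
            continue
        kept.append(a)
    return kept


def tuning_report(alerts, tuners):
    """Per rule: (alert count before tuning, alert count after tuning)."""
    before = Counter(a["rule"] for a in alerts)
    after = Counter(a["rule"] for a in apply_tuning(alerts, tuners))
    return {rule: (before[rule], after[rule]) for rule in before}


if __name__ == "__main__":
    print("Noisiest rules:", top_noisy_rules(SAMPLE_ALERTS, 5))
    for rule, (b, a) in tuning_report(SAMPLE_ALERTS, TUNERS).items():
        print(f"{rule}: {b} -> {a}")
```

The batch loop from the post maps onto this directly: take `top_noisy_rules`, write a tuner for each of the top entries, re-run `tuning_report`, and repeat on whatever now sits at the top of the list. Note that the tuner only suppresses alerts in locations the environment owner has decided are expected; a binary in a writable temp directory still fires.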