Schedule a Demo

The “One Size Fits All” Approach – 10 Things I Hate About Cybersecurity: A Love Story

Picture of Pareto Cyber

Pareto Cyber

Cyber threats are real

Schedule a Demo

Subscribe newsletter

Hi! I am Nick Gipson, the Director of Cyber Operations here at Pareto Cyber. This is Part 4 of my 10-Part series on “10 Things I Hate About Cybersecurity: A Love Story” where I dissect the problems within this industry and my personal encounters with them. You can find the other parts of this series here.

The Issue

Some Managed Security Service Providers (MSSP) and Security Information and Event Management (SIEM) vendors set up tools so poorly they may as well install nothing at all.

The point of Cybersecurity software is to provide useful information for handling Cybersecurity threats. It seems obvious, yet somehow that’s not always the case. Some MSSPs and SIEM vendors install a security tool for their client and then don’t configure or tune that tool for the client’s environment in any shape or form.

Why It Matters

Generic alert content doesn’t work.

What such a set-up does is create countless false positives in security reports. Since the client’s specific environment is not taken into account during installation, the alerts are vague, general, and often downright ridiculous.

For example, I’ve recently spoken with a prospective client who got burned by this approach. They had purchased a security tool and started running it with just the base alert system without any additional configuration. After 90 days, they received… more than 500,000 security alerts. Every single one was a false positive.

Since they never set up their software, the tool was generating a security alert for literally any “.exe” file on a main Windows file path. Not particularly helpful.

As a result, their security team got so overwhelmed by all these false positive alerts that they stopped looking at most of the rules. Out of the 2000 security rules they’ve set up, they are currently only looking at 1.

What Can We Do?

To see the true activity going on, you need to customize these reporting tools to your environment. 

When setting up software, use case assessments against your known network activity and topology. At Pareto Cyber, we usually set up rules in batches: 

  • Start with the top 5 rules triggering most frequently and configure them to deliver the information you want. 
  • Once those are set up, configure the next 5 rules. 
  • Work down the list as much as desired.

Typically, fixing this type of issue is extremely easy. I’ve found that only one simple misconfiguration tends to trigger crazy amounts of alerts, so once that one rule is configured properly the false positive rate should go down significantly.

Share

Related Articles

Cyber
Hygiene
Engineer
  • Responsible for data analysis and interpretation of required hygiene data sources; Vulnerability, Identity, Patching, Device Management, Cloud, and Networking. The role of the Cyber Hygiene Engineer is to provide prioritization of risks identified in the environment. Their overall goal is to rapidly reduce client risk related to Cyber Hygiene gaps.
Threat Hunters
& Red /
Purple Team
  • A cross-functional operations and engineering team responsible for developing threat use cases based on the technologies deployed and operations within a client. Our Threat Hunters are using the latest intel technologies to understand threat actor groups and motives targeting clients and provide use cases for SIEM implementation. Then our Red/Purple team provides our hunters and platform engineers with the latest tactics being used to help clients stay ahead of the latest threats.
Strategic
Cyber
Risk Advisor
  • Our Cyber Risk Advisors are focused on analyzing data integrated and correlated within the Cylemetry platform. This analysis allows our CRAs to provide clients with strategic and tactical recommendations on reducing overall cyber risks.
Customer
Success
  • Responsible for ensure all Pareto teams are meeting client expectations, service level agreements, and taking overall feedback for service improvement.
Platform
Engineer
  • Responsible for installation, configuration, and continuous improvement of client and Pareto support technologies used during service operations. Additionally, Platform Engineers provide content development, log source tuning, and security solution tuning support.
IR
Engineer
  • Responsible for using digital technologies available to assess total risk exposure of an incident / breach, provide in-depth Eradication, Remediation, Recovery, and Root Cause Analysis (RCA) services for clients that experience a successful attack.
Threat
Intel
Analyst
  • Collect, Process, Analyze and Report on enterprise and open-source threat intelligence to track threat actors, malware strains, or phishing campaigns that may affect our clients and their industry.
Threat
Detection
Analyst
  • Responsible for management of security alerts within security technologies, internal escalation of alerts to events or incidents, development of threat reports, threat surface analysis, and support of IR Engineering, Threat Intel, and Platform Engineering.
Threat
Detection
Lead
  • Accountable for daily operations, such as Threat Escalation Management, Remediation Approval, Service Level Agreements, Customer Communications, and Root Cause Analysis.
Penetration
Tester
  • Works alongside the Threat Hunter and Threat Intelligence Analyst to build and test SIEM alert rule content, based on the newest adversary tactics.
Threat
Hunter
  • Performs prescribed threat searches within the client’s environment, reporting any findings. This skill is also considered the SME of internal client IT operations and can determine legitimate client network traffic.