Noise Is the Problem — CrowdScore Is the Solution

August 08, 2019

| | Endpoint Security & XDR
Sometimes we humans are faced with problems so pervasive and persistent that it is difficult to even recognize them as problems. We assume the situation cannot be improved and simply fail to seek a remedy. Such is the state of our industry with respect to detecting threats. Detection is hard for the same reason that diagnosing rare diseases is hard. Breaches are something we must diagnose — we must detect — just like a disease.

Diagnosing a Rare Disease

When a patient comes to a doctor with symptoms, the doctor develops a hypothesis about what disease the patient might be suffering from and administers a diagnostic — a test to determine whether the patient actually has the disease. However, it’s at this point that a fundamental and often unintuitive statistical law rears its head. Suppose this is a disease that affects one out of every 1,000 individuals and that the test we administer is 99 percent accurate. That means the test is wrong one percent of the time. Intuitively, if a randomly selected individual tests positive for the disease, we might conclude that the person has the disease with 99 percent probability. But that intuition is wrong because the population of healthy people is significantly larger than those that have the disease. It turns out that the chance of a patient with a positive test result actually having the disease is only about nine percent. This is not a simple or intuitive concept, so a youtube video with graphical illustrations might be helpful.

InfoSec Percentages Are Even Smaller

In information security, the percentages we are dealing with are mind-bogglingly small, much smaller than in the rare disease example above. It may be difficult to measure (CrowdStrike® does have enough data for a reasonable estimate), but the chances that any given endpoint is actually under attack at some point during a one-week period is closer to one in a million. These numbers mean that Bayes' theorem — as explained in the YouTube video mentioned above — heavily impacts our industry. The rarer the disease and the more diagnostics there are that need to be evaluated, the more human resources — skilled analysts in our case — are needed to ensure we identify all patients that suffer from the disease. The high volume of noise is what drives the high demand for skilled analysts, which is a significant, contributing factor to the skills gap that plagues the practice of information security.

Alert Fatigue Is Prevalent — Solutions Are Not

Regardless of the security product, analysts are faced with a never-ending conveyor belt of alerts. It is unreasonable to expect human analysts to maintain a constant, high level of focus and attention when faced with long periods of boredom punctuated by occasional crises. In order to address this, security products generally assign some kind of confidence or severity score to each type of alert to provide some metric for prioritizing alerts. In addition, some vendors have knobs to "tune" their products. Tuning removes types of alerts that add particularly large amounts of noise in a production environment, often necessary because the added noise exceeds the triage capacity of the available analyst resources. Seen clearly, however, wholesale removal of alerts is an admission that the product will not work as well in the messy, noisy real world as it seemed to in the test lab or limited test deployments. At most, whatever tuning there is should improve the performance of the product at the margins, not be required to make the product usable.

CrowdScore Offers a Revolutionary New Approach

But for any product available today, the analyst is still faced with discrete alerts, each with a confidence level that does not provide much prioritization value. Consider that the confidence assignments have to be made without any information available from the context in which they eventually occur. Instead, the analyst must put effort into understanding that context in order to make a final judgement about each alert occurrence. What is needed is a solution that removes the rote repetition of the SOC analysts' tasks. What would such a solution look like?

 

Such a solution would:
  • Gather all relevant telemetry and indicators for the analyst
  • Accurately estimate whether the data represents malicious activity
  • Accurately estimate whether the organization faces a multi-pronged attack
  • Incorporate customer-developed alerts in estimates of malicious activity
  • Improve with the addition of "weak indicators" without the need for tuning
CrowdScore™ is a new capability in the Falcon platform that turns data into actionable insights for CxOs, security analysts and investigators, dramatically reducing the time required to understand and respond to cyber threats. CrowdScore represents a quantum leap away from a world of triaging alerts individually and toward a holistic picture of threats, replete with all available relevant indicator data and telemetry that relates to the potential threat. CrowdScore aggregates all of the relevant data for a threat into a new interface element we refer to as an incident. Incidents are ranked by CrowdScore with much higher granularity than the confidence values assigned to individual alerts. And the incident ranking is based on an analysis of all of the contextual data compromising an incident. That context is very data-rich compared to the limited amount of information available based on individual alert definitions themselves. Incidents have a time span associated with them, as opposed to being simple, instantaneous events without accompanying contextual information. Incidents can be replayed, visually depicting the unfolding of the incident activity, providing the analyst with an intuitive understanding of the time component of an incident. CrowdScore also identifies likely occurrences of lateral movement. It is hard to detail all of the benefits that come with this fundamentally new approach. But what underlies all of the other benefits is the ability to combine and weigh the evidence related to potentially malicious activity. Our data shows a 10- to 25-fold improvement in the ability to accurately distinguish between malicious and benign behavior.

CrowdScore Will Continue to Evolve

What I have outlined here is just the beginning. Rather than requiring more tuning as new patterns of malicious behavior are introduced to the product (with the attendant increase in missed attacks), CrowdScore actually improves with the development and the addition of new indicators of attack

 

(IOAs)
. And CrowdScore can incorporate custom, user-developed IOAs just as easily as IOAs that come with the CrowdStrike Falcon®® platform. CrowdScore represents a truly significant departure from the status quo. We've only scratched the surface — watch this space as we explore more of the advantages CrowdScore delivers.

Additional Resources