Breaking Through Alert Noise to Stop Cyberattacks Before They Become Breaches

October 27, 2022
Aaron Turner
Vice President, SaaS Posture
Breaking Through Alert Noise to Stop Cyberattacks Before They Become Breaches

In the mid 2000s, I was fortunate to get an invitation to join one of the U.S. Government's leading cybersecurity research groups at the Department of Energy's Idaho National Laboratory (INL). While I was there, I had unique opportunities to collaborate with a wide variety of intelligence, military and private sector cyber experts. Some of my best memories from the time I spent at INL were the knowledge transfer workshops that we ran — one in particular stands out. 

We invited a group of U.S. military special operations soldiers to get cyber security and technical forensics training. The training included how to help troops in hostile locations protect their digital systems, minimize electronic footprints, how to recognize valuable enemy systems, safely confiscate them and get them to experts in order to analyze the contents of those devices.

Security alert noise — it's all a big distraction.

During one of the sessions, I was talking with a special forces officer and asked him — what the top three keys to running a successful operation were? The first two answers were typical — have a good team, make sure your equipment is the absolute best possible — but the third surprised me. He said in his southern drawl, “always carry a bag of dead varmints.” 

Now, for those who may not be native English speakers and familiar with rural U.S. dialects, a varmint is usually a small animal that is often considered a pest. Mice, rats, toads, magpies — all of these would easily be classified as a ‘varmint.’ I sat back and processed his comment for a minute and then had to ask, “what in the world does a bag of dead creatures have to do with a successful special ops mission?” 

With a twinkle in his eye, he leaned forward and lowered his voice like he was sharing the most-valuable secret of his craft and explained how a bag of dead small animals was vitally important for causing fatigue among guards protecting their mission objective. I still did not get it. Sort of exasperated now, he leaned back and said, “if you've got a guard who has to respond to every alert that a motion sensor puts out, they get tired of responding.” He went on:  

“Let's say that a high-security facility has an electric fence and motion sensors, you throw a dead rat at the fence, it triggers an alarm, the soldier walks out, sees the dead rat, shakes his head and goes back to his post. Then a few minutes or hours later, you throw another animal at the fence, the guard comes out, looks at the dead animal, shakes his head and goes back to his monitoring post. A bit later you take another varmint from your sack and you throw it at the same place again. Most lower-level guards are going to get tired of looking at essentially false alarms and by the third or fourth time, they're not going to come out looking again. Once you have sensed that the guards are fatigued, then you run the real attack against that same spot you've been throwing dead animals. Sometimes you can get up to a 10-minute advantage over guards because they won't respond to yet another alarm at that location, and those 10 minutes can mean the difference between mission success and failure.” 

After this explanation, I then understood why this special operator prioritized his bag of dead animals. I immediately thought about the role of a Security Operations Center (SOC) analyst and how fatigue impacts their response to alerts and alarms. Once an analyst has responded multiple times to what is perceived as a false alarm, they usually build scripts to automate the de-prioritization or re-classification of those alerts. Sophisticated cyber attackers will practice similar tactics, where they will create noise so a SOC team responds, which leads them to a dead end that desensitizes them to certain alerts. Then, they run the real operation once they believe that the cybersecurity team will not respond as quickly or effectively if they had run the actual hack in the first place. 

Enough noise. Think like an attacker.  

Vectra's approach to cybersecurity is built to help security teams think like an attacker, know what is malicious and focus on the urgent. When security teams are fatigued, their perception of attacks can fundamentally change the way they defend critical systems. Using the best artificial intelligence available in cybersecurity, Vectra's technology does not suffer from fatigue like human analysts do. Vectra's technology can perform rapid metadata analysis to determine the context of a false alarm from the artifacts associated with an actual attack. This ability to amplify the signals associated with actual attacks and dampen the noise that distracts SOC teams is what makes Vectra different from all other cybersecurity platforms. 

As organizations have embarked on their journey to the cloud, transitioning many parts of their technology infrastructure beyond traditional datacenter-centric security controls, they have exponentially increased their attack surface. Oftentimes this increased complexity makes it nearly impossible for a human to perceive all the new attack paths that have been created within the complexity of a hybrid environment. Very few organizations will ever become cloud native with their entire IT infrastructure, and in a forever-hybrid world, only Vectra provides security teams with the ability to detect and respond across cloud, SaaS, identity providers and on-premises systems to reduce alert noise, amplify detection efficiency, investigate and respond to attacks before they become breaches.  

Vectra provides complete attack surface coverage, signal clarity and intelligent control to facilitate threat hunting and investigation in ways that point solutions cannot provide. As I think about my multi-decade journey through different roles in the cybersecurity community, Vectra's vision for how to approach augmenting human perception of cyberattacks with machine learning is unique, and one of the few that has provided me with hope that defenders can stay ahead of attackers. As we deliver on Vectra's unique AI capabilities, the Vectra team is also developing unique capabilities to help prioritize attack surface management through automation and machine learning to decrease the time that misconfigurations can leave organizations vulnerable to attack, further decreasing the likelihood of a breach. 

I'm proud to be part of the Vectra team to help make this vision a reality. With Security AI-driven Attack Signal Intelligence, Vectra can help defenders reduce the distracting noise and help them zero in on the attacks that matter at a much faster pace than any other security platform on the market today. 

See how Vectra Attack Signal Intelligence empowers security teams who utilize the Vectra Threat Detection and Response platform.