
False negative vs. false positive: how can Next-generation SIEM help?

Ross Brewer, VP and MD EMEA at LogRhythm, says technology such as Artificial Intelligence can advance the science of threat detection

There is no doubt modern-day hackers are able to evade the preventative and detective measures of both new and old security infrastructures. However, as Ross Brewer, VP and MD EMEA at LogRhythm, tells us, technology such as Artificial Intelligence can advance the science of threat detection.

Today’s organisations are facing a different calibre of cyberthreat. Modern-day hackers are able to evade the preventative and detective measures of both new and old security infrastructures and are, unfortunately, a daily reality for security teams.

Security teams are dealing with a class of adversary that leverages zero-day exploits, develops targeted and stealthy malware, or operates from inside the perimeter as a malicious insider or an impostor using a legitimate account.

The difficulty in detecting this class of threat is finding the right balance between false negative risk and false positive frequency. Technology such as Artificial Intelligence (AI) can advance the science of threat detection, improving both speed and accuracy while reducing the false positive load that is the bane of every security operations centre.

False negative vs. false positive

A false negative is a real security incident that the detection systems missed, or did not surface in time to matter. For example, a phishing attack that compromises a user account and goes unnoticed by the security team until further damage has been done. A false positive, on the other hand, is an alarm generated by security systems indicating that an incident has likely occurred when, in fact, everything is normal.

Enterprises must find their own balance when it comes to false negative risk versus false positive frequency. Realistically, any detection sensitive enough to catch the stealthier attacks will also fire on more benign activity, so organisations that want to reduce false negative risk will need to accept increased false positive frequency and staff their security operations centre appropriately.
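The trade-off described above is easiest to see with a score threshold. The Python below is an added example, not code from the article or from any LogRhythm product: it takes a constructed set of scored events with invented users and ground-truth labels (the scores, names and the detector that produced them are all assumptions), tallies false negatives and false positives at several thresholds, and then picks the most sensitive threshold the SOC can afford for a given alert budget.

```python
from dataclasses import dataclass
from typing import Iterable, NamedTuple, Optional, Tuple


@dataclass(frozen=True)
class Event:
    user: str
    score: float      # anomaly score in [0, 1] from a hypothetical detector
    malicious: bool   # ground truth, as established in post-incident review


class Counts(NamedTuple):
    tp: int  # real incidents that alerted
    fp: int  # benign events that alerted (analyst time wasted)
    tn: int  # benign events correctly ignored
    fn: int  # real incidents that slipped through

    @property
    def alerts(self) -> int:
        return self.tp + self.fp


# Constructed sample data (not real telemetry): four malicious events, one of
# which is a stealthy insider that scores almost like normal traffic, and eight
# benign events, two of which come from a noisy admin account that scores high.
SAMPLE_EVENTS = [
    Event("alice", 0.05, False), Event("bob", 0.10, False),
    Event("carol", 0.20, False), Event("dave", 0.30, False),
    Event("svc-backup", 0.50, False), Event("erin", 0.55, False),
    Event("admin-ops", 0.70, False), Event("admin-ops", 0.85, False),
    Event("mallory", 0.45, True),            # stealthy insider
    Event("mallory", 0.65, True),
    Event("compromised-frank", 0.80, True),  # phished account
    Event("compromised-frank", 0.95, True),
]


def classify(events: Iterable[Event], threshold: float) -> Counts:
    """Alert on every event whose score is at or above the threshold and
    tally the outcome against ground truth."""
    tp = fp = tn = fn = 0
    for e in events:
        alerted = e.score >= threshold
        if alerted and e.malicious:
            tp += 1
        elif alerted:
            fp += 1
        elif e.malicious:
            fn += 1
        else:
            tn += 1
    return Counts(tp, fp, tn, fn)


def sweep(events: Iterable[Event], thresholds: Iterable[float]):
    """Outcome at each candidate threshold; lowering it trades FN for FP."""
    events = list(events)
    return {t: classify(events, t) for t in thresholds}


def choose_threshold(events: Iterable[Event], max_alerts: int) -> Optional[Tuple[float, Counts]]:
    """Lowest false-negative count achievable while keeping alert volume
    within what the SOC can actually triage. Candidate thresholds are the
    distinct observed scores, walked from strict to lenient; ties on FN go
    to the setting with fewer false positives. Returns None if even the
    strictest threshold exceeds the budget."""
    events = list(events)
    best = None
    for t in sorted({e.score for e in events}, reverse=True):
        c = classify(events, t)
        if c.alerts > max_alerts:
            break  # every lower threshold raises only more alerts
        if best is None or (c.fn, c.fp) < (best[1].fn, best[1].fp):
            best = (t, c)
    return best


if __name__ == "__main__":
    for t, c in sweep(SAMPLE_EVENTS, (0.4, 0.6, 0.9)).items():
        print(f"threshold {t:.1f}: {c.alerts} alerts, {c.fn} missed, {c.fp} false positives")
    for budget in (5, 8):
        print(f"budget of {budget} alerts per period ->", choose_threshold(SAMPLE_EVENTS, budget))
```

With a budget of five alerts the best the sample allows is a threshold of 0.65, which still misses the stealthy 0.45 insider event; catching it requires a budget of eight, four of which are false positives. That is the staffing decision the paragraph above is pointing at.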

Unfortunately, some vendors sell AI and Machine Learning (ML)-based behavioural anomaly detection as an easy button for advanced threat detection and false positive reduction. The silver bullet story is too good to be true and organisations that believe it’s easy are in for an unfortunate reality check – likely to be realised in the form of a high-impact and embarrassing data breach.

Next-generation SIEM

AI/ML-powered analytics is indeed revolutionising the science of advanced threat detection and will continue to do so throughout the next decade. AI’s greatest impact will be on holistic threat analytics: the ability to detect and qualify threats with accuracy wherever they might originate and whatever they might intersect, whether endpoint, server, application, device or user.

Next-generation SIEM platforms should ultimately enable an organisation to have visibility into both known and unknown cyberthreats across the holistic attack surface. This pervasive centralised visibility serves as the foundation for holistic threat detection, creating an incredible analytics opportunity for AI-powered technologies.

Pervasive visibility enables sophisticated scenario analytics to continuously model data – recognising the occurrence of complex scenarios that exhibit the tactics, techniques and procedures (TTPs) of known threats.

The same visibility also empowers deep behaviour analytics, modelling a diverse cross-section of behaviours across the IT infrastructure and the users operating within, allowing detection of subtle behavioural shifts that might indicate a potential or present threat.
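The two analytics styles described in the previous two paragraphs, scenario (TTP-sequence) detection and behavioural baselining, are shown below in an added example that is not code from the article or from any LogRhythm product. The log lines are constructed for the example and the field names, event names and thresholds are assumptions, but the mechanics are the general ones: a per-user state machine that recognises a known chain (many failed logins, then a success, then privilege escalation within a window), and a per-user baseline of daily outbound bytes that flags a day far above that user's own history.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample log lines, not from any real product. One event per line:
#   <ISO-8601 time> <user> <event> [key=value ...]
RAW_LOGS = """\
2024-03-04T02:10:00 bob auth_fail src=198.51.100.9
2024-03-04T02:10:05 bob auth_fail src=198.51.100.9
2024-03-04T02:10:09 bob auth_fail src=198.51.100.9
2024-03-04T02:10:14 bob auth_fail src=198.51.100.9
2024-03-04T02:10:20 bob auth_fail src=198.51.100.9
2024-03-04T02:11:01 bob auth_success src=198.51.100.9
2024-03-04T02:13:30 bob priv_escalate cmd=net_localgroup_administrators_add
2024-03-04T09:00:00 alice auth_fail src=10.0.0.12
2024-03-04T09:00:30 alice auth_success src=10.0.0.12
2024-03-04T09:20:00 alice priv_escalate cmd=sudo_apt_upgrade
2024-03-01T18:00:00 carol data_out bytes=120000
2024-03-02T18:00:00 carol data_out bytes=135000
2024-03-03T18:00:00 carol data_out bytes=110000
2024-03-04T03:00:00 carol data_out bytes=9000000
2024-03-01T18:00:00 dave data_out bytes=500000
2024-03-02T18:00:00 dave data_out bytes=520000
2024-03-03T18:00:00 dave data_out bytes=480000
2024-03-04T18:00:00 dave data_out bytes=510000
"""


class LogEvent(NamedTuple):
    time: datetime
    user: str
    event: str
    fields: Dict[str, str]


def parse_logs(raw: str) -> List[LogEvent]:
    """Parse the constructed line format into structured events."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, user, event, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append(LogEvent(datetime.fromisoformat(ts), user, event, fields))
    return events


def detect_bruteforce_to_privilege(events, min_failures=5, window=timedelta(minutes=10)) -> List[Tuple[str, str]]:
    """Scenario rule for a known TTP chain, evaluated per user in time order:
    >= min_failures auth_fail within `window`, then auth_success, then
    priv_escalate within `window` of that success. Returns (user, time)."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    hits = []
    for user, evs in by_user.items():
        fails = deque()      # timestamps of recent failures
        armed_at = None      # time of a success that followed a burst of failures
        for ev in sorted(evs, key=lambda e: e.time):
            if ev.event == "auth_fail":
                fails.append(ev.time)
            elif ev.event == "auth_success":
                while fails and ev.time - fails[0] > window:
                    fails.popleft()  # drop failures outside the window
                armed_at = ev.time if len(fails) >= min_failures else None
                fails.clear()
            elif ev.event == "priv_escalate":
                if armed_at is not None and ev.time - armed_at <= window:
                    hits.append((user, ev.time.isoformat()))
                armed_at = None  # one chain, one alert
    return hits


def detect_data_out_anomalies(events, sigma=3.0, min_days=3) -> List[Tuple[str, str, int]]:
    """Behaviour rule: flag a day whose outbound bytes for a user exceed that
    user's own baseline mean plus `sigma` standard deviations, using only the
    days before it as the baseline. A floor of 10% of the mean stops a very
    flat baseline from turning tiny fluctuations into alerts."""
    daily = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.event == "data_out":
            daily[ev.user][ev.time.date()] += int(ev.fields["bytes"])
    hits = []
    for user, by_day in daily.items():
        days = sorted(by_day)
        for i in range(min_days, len(days)):
            baseline = [by_day[d] for d in days[:i]]
            mu = mean(baseline)
            sd = max(pstdev(baseline), 0.1 * mu)
            if by_day[days[i]] > mu + sigma * sd:
                hits.append((user, days[i].isoformat(), by_day[days[i]]))
    return hits


if __name__ == "__main__":
    evs = parse_logs(RAW_LOGS)
    print("scenario hits:", detect_bruteforce_to_privilege(evs))
    print("behaviour hits:", detect_data_out_anomalies(evs))
```

Note what each rule ignores: alice's single failed login before a routine sudo never arms the scenario, and dave's 510,000 bytes sit comfortably inside his own baseline, while carol's 9 MB at 03:00 stands out only because the baseline is hers rather than a global constant. Both rules would fall over with missing or mis-parsed fields, which is the data-quality point made later on this page.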

NextGen SIEM should allow organisations to tune their false negative risk against the false positive load their security operations centre can carry.

The security industry’s journey with AI-powered analytics is still relatively nascent. It is up to security vendors to be at the forefront of this journey, delivering customers advanced and pragmatic approaches that will best protect them from ever-evolving threats.

And there is no silver bullet; organisations should view NextGen SIEM as a platform and select a NextGen SIEM vendor that can pragmatically deliver full NextGen SIEM capabilities over time, within their practical resource constraints.

How has SIEM evolved over the last decade, and where do the likes of SOAR and SOAPA fit into the security picture?

Just like the threats it was designed to protect us from, SIEM is continuously evolving. Cybersecurity technology that is developed to solve a specific issue at a given time and doesn’t change or evolve will soon become legacy as threats and tactics grow in sophistication.

As such, if SIEM had stayed as its initial incarnation it would be extinct, but it has evolved with the times and ‘NextGen SIEM’ now exists.

NextGen SIEM has evolved to have Big Data storage architecture at its foundation. This enables it to cope with the increasing influx of security information by facilitating a far greater repository where data is analysed with advanced capabilities – including complex scenario detection and behavioural modelling – which allows it to identify and prioritise known and unknown threats.

Furthermore, advanced incident response automates threat mitigation and investigation with previously unparalleled speed and accuracy.

SOAPA and SOAR technologies are still in their infancy with the industry not yet fully decided on how to truly define the terms. Yet, what can be said is that both can encompass SIEM. For instance, traditional SIEM solutions typically focus on a few data points, but SOAPA enables users to unify SIEM alongside other vendors’ APIs into a single platform.

This means data from other tools, such as network security analytics, incident response platforms, endpoint detection and anti-malware, is knitted together to ensure a more comprehensive picture, which provides security teams with greater oversight.

SOAR is a term created by Gartner and refers to a more efficient and effective response to threats, often through the use of automation. With the amount of inflowing cybersecurity data ever-increasing, manually responding to alerts is a tedious process and likely to result in missed red flags.

When automation is incorporated into a firm’s SIEM setup and overall cybersecurity posture, it is in a much better position to respond sufficiently to potential threats.
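To make the SOAR idea in the answer above concrete, here is an added example (not code from the interview, from Gartner, or from any vendor's product) of a minimal automated playbook: an alert is enriched from an asset inventory and a threat-intelligence list, scored, and then routed to an automated action. The inventory, intelligence entries, IP addresses, scoring weights and action names are all constructed for the example. The one design point worth copying is that the destructive step (isolating a host) is gated on analyst approval when the asset is critical, so automation removes the tedium without removing the human from high-impact decisions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed inventory and threat-intel data, illustrative only.
ASSET_INVENTORY: Dict[str, Dict[str, str]] = {
    "10.0.0.25": {"hostname": "ws-finance-07", "owner": "erin", "tier": "standard"},
    "10.0.0.40": {"hostname": "db-prod-01", "owner": "dba-team", "tier": "critical"},
}
THREAT_INTEL: Dict[str, Dict[str, object]] = {
    "198.51.100.9": {"tag": "known-c2", "confidence": 90},
    "203.0.113.5": {"tag": "scanner", "confidence": 40},
}

# Scoring weights (assumed): intel confidence counts directly, asset tier adds
# a bonus, and anything unknown gets a middling bonus rather than zero so that
# gaps in the inventory do not silently downgrade an alert.
TIER_WEIGHT = {"critical": 40, "standard": 10}
UNKNOWN_TIER_WEIGHT = 20
BASE_SCORE = 10


@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    rule: str
    enrichment: dict = field(default_factory=dict)
    actions: List[str] = field(default_factory=list)


def enrich(alert: Alert) -> Alert:
    """Step 1: pull context from other tools (here, two in-memory tables)."""
    alert.enrichment["asset"] = ASSET_INVENTORY.get(alert.dst_ip, {"tier": "unknown"})
    alert.enrichment["intel"] = THREAT_INTEL.get(alert.src_ip)
    return alert


def prioritise(alert: Alert) -> int:
    """Step 2: turn the enrichment into a single priority score."""
    score = BASE_SCORE
    intel: Optional[dict] = alert.enrichment.get("intel")
    if intel:
        score += int(intel["confidence"])
    tier = alert.enrichment["asset"].get("tier")
    score += TIER_WEIGHT.get(tier, UNKNOWN_TIER_WEIGHT)
    return score


def respond(alert: Alert) -> Alert:
    """Step 3: choose actions. Containment on a critical asset needs a human."""
    score = prioritise(alert)
    alert.enrichment["priority"] = score
    if score >= 90:
        alert.actions += ["block_src_at_firewall", "open_p1_ticket"]
        if alert.enrichment["asset"].get("tier") == "critical":
            alert.actions.append("request_analyst_approval:isolate_host")
        else:
            alert.actions.append("isolate_host")
    elif score >= 50:
        alert.actions.append("open_p3_ticket")
    else:
        alert.actions.append("auto_close:low_confidence")
    return alert


def run_playbook(alert: Alert) -> Alert:
    """The orchestration: enrich, prioritise, respond."""
    return respond(enrich(alert))


if __name__ == "__main__":
    for a in (Alert("198.51.100.9", "10.0.0.40", "c2_beacon"),
              Alert("203.0.113.5", "10.0.0.25", "port_scan"),
              Alert("192.0.2.77", "10.0.0.99", "odd_dns")):
        run_playbook(a)
        print(a.rule, a.enrichment["priority"], a.actions)
```

Even the auto-closed alert keeps its enrichment and decision on record, which matters for the point made further down that every alert still needs to be checkable after the fact.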

How is AI (or ML) changing the SIEM model currently and will it transform it completely in the next couple of years?

Security teams are often restricted by limited time, money and people-power, so businesses simply cannot expect their digital estates to be truly secure if responsibilities are carried out manually in this day and age. The time and effort it can take to investigate the sheer quantity of alerts, identify new attack trends, test networks to uncover vulnerabilities, as well as manage a growing number of cybersecurity tools means that security teams are under increasing pressure as their resources are spread thinly.

This only makes it more likely that anomalous activity could go unnoticed and cause real damage in the form of a material breach.

The addition of ML to SIEM promises to reduce the human effort needed to secure networks. Expanding datasets can be analysed quickly with red flags waved so that security teams know where they should focus.

Moreover, such technologies can move beyond the typical rules-based approach so that threats that are following new patterns are highlighted and then learned. As tactics evolve, so does NextGen SIEM.

That being said, organisations that view ML as a silver bullet to their challenges will soon come crashing back to reality. While ML can analyse data quickly, it’s only as good as the data it’s reviewing, making inaccurate or insufficient data sources a cause for concern.

There may also be a lack of consistency in how each ML solution reports its findings. Furthermore, the business will need to calculate a comfortable balance between false positives and false negatives, with an increase in the former affecting the latter in the same way.

This means that each alert will still need to be checked, even if just to confirm that everything is OK rather than to deeply investigate and analyse every threat.