It’s time for a change, if security alert noise makes you want to “see, hear and speak no evil.” Instead, what if you could take in large amounts of data, get only important alerts, and had the full data capture for hunting when needed?
Recently I overheard a discussion, I’ve heard many times before, where an analyst at a large organization was griping about how there was no way to makes sense of all the alerts they were receiving. The premise was the tools they were using provided a large amount of often conflicting or duplicate data that simply overloaded their teams. Throughout the discussion the customer came to the conclusion they should reduce their monitoring to a few key areas, therefore reducing the number of alerts and notifications to a perceived, manageable level.
We can all relate to this scenario, and I think we all agree that simply closing our eyes doesn't make the evil go away. Like the Japanese proverb about the three wise monkeys who “hear no evil”, “see no evil” and “speak no evil” this customer was reverting to the same approach and hoping that by simply ignoring the threat it will go away. We know this isn't true, but because we too often think we lack the capacity to tackle the problem we choose not to deal with it head on. Make no mistake dealing with the reality of how many threats we see in our networks today is no easy task, but it is not impossible and in-fact is well within the grasp of most organizations.
The term false-positive (where an alert is falsely generated for legitimate traffic) has become worse than the actual threat itself. So much so that we have moved into a world where false negatives aren't even tracked or evaluated. A false-negative is when an alert isn't generated for a true threat because the system is so tightly tuned to avoid a false reading that it fails to detect actual threats. How can we battle too many alerts while still missing alerts to actual threats?
What if we had a way to take in large amounts of data at machine speeds, only alert on the highest threats, and still provided the full data capture for hunting when needed? The solution would need to address the entire network, both endpoint and network elements, and provide a unified view across the enterprise. This is exactly what Corvil and Carbon Black have done!
Corvil with Cb Response correlate malicious traffic with cross-device user activity and originating processes both in real-time and retrospectively. This allows for rapid prioritization of alerts and, more importantly, brings the attackers methods front and center allowing security teams to rapidly identify and investigate the most urgent threats. Corvil's incredible ingest rate provides a high fidelity source of information through Corvil’s full-fidelity, retrospective packet capture and Cb Response’s full visibility of the process responsible for the packet’s creation.
It's pretty simple with the right solution. Security companies partnering to bring the best of multiple areas of expertise provide that right solution. Corvil and Carbon Black just released the right solution. Are you taking notice? Or are you closing your eyes hoping the threats will go away? I think we will all be far better off if rather than shutting our eyes to the world, we pushed ourselves to open our eyes to the world we live in and accept the challenge ahead. It’s only bytruly recognizing the problem that we will ever be in a position to fix it.