Analecta Cyber Company Blog: Why Have a Detection Platform if you Ignore it?

2018-06-05

Why Have a Detection Platform if you Ignore it?

Early Warning Device - Analecta LLC
Dave Hawkins is an information systems security engineer. He is the manager and cofounder of Analecta Cybera Maryland-based cybersecurity firm providing cyber risk assessments for small and medium sized businesses.





By: Dave Hawkins, Analecta Cyber


I met a friend for lunch recently. He owns a financial services company operating in Baltimore, Maryland over the last several decades. The discussion turned to new cybersecurity regulatory requirements in one of his geographical markets. As we discussed the pros and cons of government legislation on business-based cybersecurity, I mentioned that many small and medium-sized businesses will take the time to purchase Network Intrusion Detection Systems (NIDS) or host-based Intrusion Protection Systems (IPS), but typically don’t do anything when an alert or warning is generated. He was shocked. “Why even have the system if you’re not going to use it to track things down?”

As state legislation drives the adoption of cybersecurity defenses, it is becoming a significant challenge for businesses who scramble to comply under the threat of losing licensure or being fined. There may be the appearance of a cybersecurity program but it’s missing the meat. The essence of a cybersecurity program is build on the pillars of governance, policy and practice:
  • Governance documents help build the skeleton of the program, the "Who" and "Why" the business needs to accomplish their goals and do their job function.
  • Policy often adds in the "What" and "Where."
  • Practice is the "How." It stems naturally from putting all the pieces together in a cohesive and effective cybersecurity program.

Unfortunately, there is quite often a gap between the governance and policy, and the daily practices. This is clearly illustrated by the confounding question: if someone invests in the hardware and software, as well as a rule-update subscription, why would they just let the system keep running without tracking down the alerts that are generated?

Herein lies the gap: Expertise. And we can facilitate in that area.

One of our nationally-based customers recently installed our EarlyWarning Network Intrusion Detection System. Once plugged into their online network, it began its 30-day training phase of learning traffic inherent to their system. In that time, it produced nearly 200,000 false-positive alerts and 24 true-positives. Our analysts were able to identify the sources of all the false-positives and refine rule-sets to ensure that the customer never has to deal with them again. That’s how to get over the initial deluge of false-positives – you work through them one at a time until you know authoritatively the source and cause, and refine the signatures to match “your” network not just “some” network.

Analecta’s EarlyWarning Network Intrusion Detection System

Symptoms of being stuck between policy and practice include:
  • Being unsure of information sources within your network that can provide information
  • Feeling ill-prepared to dive deep into an alert generated by your NIDS
  • Feeling like antivirus warnings of a threat being blocked are good to know, but require no additional investigative activity
The above are all clear symptoms of missing expertise. It takes a very special kind of driving obsession and years of experience to dig through 4,000+ false-positives per day to get things right!

Getting the expertise


There are only two ways to get expertise – build it or buy it. Each have their advantages and disadvantages. Purchased expertise gets the ball moving in the right direction today, but can create critical shortcomings if that expertise is lost, such as an end of a service contract.

Building internal expertise ensures you have long-term access to a valuable new resource, but it can take a long time to develop, especially if it requires evolving significant new technical skills. For example, programs used to teach military introductory-level system administration can take 480 classroom hours or more.

Best of both worlds


If you feel like you are missing that internal expertise and you need an effective security program – we’d love to talk with you. We can partner with you to round out your current IT security infrastructure  and to grow your understanding of security along the way. We win when our customers better understand their own security needs and are making internally-driven improvements to be more secure. With all of our services, we provide consultation and short-term expertise to eliminate risks in the present, as well as help build your knowledge and expertise for secure systems down the road.

Email us at info@analecta-llc.com or visit our Cyber Security website.

To learn more about Analecta’s EarlyWarning Alert System, visit The Importance of Understanding Your Company’s Network Traffic Flow.