How to sieve out noise from real events in the cyber-security arena

Controlling access to a system and managing privileged accounts are key to reducing the volume of noise to be monitored

As a cyber-security professional, you are incessantly bombarded by masses of data in many forms: data about newly discovered threats, reviews of existing and evolving threats, requests for new access and capabilities, alerts to review accesses granted, magazine articles and blog posts and advertising from IT security vendors offering the latest and greatest solutions to all your problems... And these are all before you finish your day's first cup of coffee or tea.

When struggling to keep your head above water, it is hard to not fall back to cautious behaviour.

You cannot investigate each and every suspicious event, so you start to look for assurance that it is malicious before responding.

Such a mindset could help explain the recent data breach at SingHealth, where database administrators and security managers were alerted to account breaches but failed to escalate the matter or respond quickly and proportionally.

A tendency to underplay security breaches as they happen is certainly not an isolated instance.

So what might be stopping security managers from responding more vigilantly to more of the discovered events?

The short answer is that there are simply too many false positives - that is, events that could be malicious but turn out to be legitimate activity.

So the question is: How can we reduce that noise in the system so security analysts can discern the real threats and respond accordingly?


But first, it is critical to understand how a system can end up with multiple weak points.

Many cyber-security professionals will know that one of the most annoying elements of cyber security is the provision of access to privileged accounts. Many people need such access: IT support staff, HR personnel, supervisors of staff and so on.

These accounts generate significant volume of monitoring data, designed to track usage and identify misuse of the privilege.

The more people are "required" to have such privileged access, the greater the risk to the overall system.

It is too easy for privileged access to creep beyond just system, application and database administrators - it may be provisioned willy-nilly for end users who need to install software, change configuration settings or run some badly written tool that requires administrative access.

It is here that we see the real culprit in most, if not all, the scenarios where privileged access is sought.


All mainstream operating systems tend to offer two statuses: standard user and administrator. In operating systems like Windows, there are controls such as Group Policy, which constrains what a user with administrator access can do, but it is a bit like trying to catch specific mosquitoes from a swarm; you often end up removing more than intended while also missing the critical one that is going to bite you.

Regardless of the operating system, cyber-security analysts tend to rely a lot on monitoring to ensure that granted access is not being misused by the user to whom it was granted, or by anyone else who gains access to the account.

Here is where the principle of least privilege comes in, or the idea that every program and every privileged user should operate using the least amount of privilege necessary to get a job done. Adhering to this strictly can eliminate use of unnecessary privileges, which immediately lowers the number of events that are generated.

Least-privilege management tools do exist for both servers and end points, for systems such as Windows, Linux, Unix, and Mac OS X. Removing privilege diminishes the ability of attackers and malware to land and expand control across a network, equating to vastly fewer events generated from privileged account use. With fewer events and less noise, it becomes much easier to spot abnormal activity. In simple terms, the signal is much clearer and easier to respond to.

Some examples of tools that are useful to restrict privilege are privileged password management (PPM) solutions. These solutions help enforce password security best practices across privileged credentials. Some of these practices include changing privileged credentials periodically or even after every use for the most sensitive credentials.

The very best PPM solutions also build in mechanics to authenticate access using appropriate credentials and recording the activity (keystrokes, mouse clicks, text and screen) during a session. They also allow for live monitoring of active sessions as well as a review of recorded sessions.

Controlling access to privileged accounts also matters. For example, you can require one or more people to approve such a request before access is granted. This ensures that any access to a privileged account seen by the monitoring systems that does not have a corresponding access granting from the PPM solution is immediately an event for investigation.

Each control for access put in place will result in a corresponding fall in security event monitoring noise. With less noise and better security controls in place, IT teams are better poised to respond quickly and precisely to a genuine threat.

That said, cyber security is not just a matter of technology; it involves process and people as well. We need all three aspects to be truly successful in better securing our environments.

• Brian Chappell is senior director of enterprise and solution architecture at BeyondTrust, an American company specialising in privileged-access management solutions for computer systems.

A version of this article appeared in the print edition of The Straits Times on October 11, 2018, with the headline 'How to sieve out noise from real events in the cyber-security arena'. Print Edition | Subscribe