Are analysts monitoring security alerts in my environment classifying adversary activity as false positives?

SOC Analysts classify malicious alerts as false positives

"In a statement today, (a) Target Spokeswoman admitted that Target 'learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and (.) based on their interpretation (.) of that activity, the Team determined that it did not warrant immediate follow up'"

Target Corporation identifies Human Error as one of the key factors in their 2013 Data Breach

SOC Analysts still classify malicious alerts as false positives

What is your real Adversary Dwell Time™?

Level 1 SOC Analysts typically have no experience successfully classifying and escalating advanced threat alerts as malicious.

How do you currently verify that your team would have successfully investigated and escalated the malicious scheduled task event?

It’s more prevalent than you think.

What if you could Verify the team tasked with identifying threats routinely, reliably and covertly? Constantly calibrating your Human Sensors™?

What if you could validate your MSP/MDR’s ability to properly analyze alerts?

What if you could validate that they quickly escalate incidents?

What if you could validate that they properly detect lateral movement?

What is your new Adversary Dwell Time™?

I want to Verify with nVizable™

Real attack testing in your analysts' Real environment using their Real tools.

Randomized schedules, devices, accounts and attack techniques.

Accurately measure your Human Sensor™ Analysis and Response Skills.

Discover and Improve the Attacker Dwell Time right in your own environment.

nVizable™ lets you detect and correct Human Analysis issues, keeping your team battle ready long before a breach occurs.

Gain early access to our platform and experience what the future looks like for yourself.