"Don't Be Noisy." It's that simple. This motto may be the only remaining principle of the concept that entered incubation in mid-2012 and eventually became InsightIDR.
Of the pains our customers had shared with us up to that point, one challenge came up consistently: monitoring products were too noisy. Whether they were talking about a firewall, a web proxy, a SIEM, or a solution that doesn't fit into a simple category, these design partners told us they were often relying on "gut feel" to decide whether the email alert on their phone warranted a deeper look. The result was that the vast majority of alerts sat forever unread in a folder not named "Inbox". You very likely remember Aesop's fable "The Boy Who Cried Wolf", but it seemed that these existing security solutions were designed by the small population that forgets the lesson behind it.
So what?
That's the question in your head, right? Well, the "so what?" is that there are some very good reasons why most products don't follow this rule, but two stand out above the rest:
- There is a TON of data on your network, so just getting access to it can feel like a massive accomplishment. This is why "big data security analytics" is such a popular buzzphrase. To lean on a cliche from the sixteenth century, we are in the business of finding the "needle in the haystack". It can be discouraging for someone on the InsightIDR team to spend weeks researching and building a given indicator of compromise (IOC) only to see it scrapped because it lights up constantly on the Rapid7 installation of the product that serves as our laboratory. Then, when an IOC passes that sanity test and ships to our customers, it is actually a good outcome if it triggers only once every couple of months at each customer.
- If you are looking to prove the value of your solution to interested parties, it always helps the POC to alert 200 times on the first day on IOCs missed by other solutions in the customer environment. It gives an obvious "shiny object" for easy budget justification. What is hard to foresee from that evidence that you cannot live without the solution is that your team will probably stop listening to it.
Our resolve strengthened
The motto that we kept, despite the option of a clearly simpler path, was here to stay once we read the statements coming from the security teams in the most famous US retail breaches:
- Target - "Like any large company, each week at Target there are a vast number of technical events that take place and are logged. Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team." This was not the clear case of incompetence that many people perceived.
- Neiman Marcus - “These 60,000 [alert] entries, which occurred over a three-and-a-half month period, would have been on average around 1 percent or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day.” This says it all. Too noisy.
I am certainly not claiming that we have created a detection solution that will spot everything and never give you a false positive. Anyone who says that is a liar. What I am saying is that we have built noise reduction into InsightIDR. When we added IOCs such as one account authenticating to an administrator account (i.e. impersonation), we did not trust baselining alone to reduce the noise, because account abuse or misuse could be marked as normal in a baseline if it happens often enough. We instead opted to have the solution learn from the user what is acceptable and manage any necessary whitelisting/blacklisting to automate the process. The goal was to alert only when something concerning happens and, if that proves to be a false positive, never alert on it again.
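To make the difference between the two approaches concrete, here is an added example in Python; it is not InsightIDR or Rapid7 code, and the log format, account names (`jdoe`, `contractor7`, `domain-admin`, and so on) and the `ADMIN_ACCOUNTS` inventory are all constructed for illustration. It implements the impersonation IOC described above (one account successfully authenticating as an administrator account), suppresses repeats only for source/target pairs an analyst has explicitly accepted, and contrasts that with a pure frequency baseline, which would quietly turn a contractor's repeated use of a domain-admin account into "normal".

```python
"""Added example (not Rapid7/InsightIDR code): an account-impersonation detector
that alerts when one account authenticates as an administrator account, and
suppresses repeats only for (source, target) pairs an analyst has accepted.
The log format, account names and events below are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample log lines (not from any real product):
# "<timestamp> auth src=<account that logged in> target=<account it became> result=<ok|fail>"
SAMPLE_LOG = """\
2016-03-01T08:01:00Z auth src=jdoe target=jdoe result=ok
2016-03-01T08:02:10Z auth src=jdoe target=admin-jdoe result=ok
2016-03-01T08:05:44Z auth src=svc-backup target=backup-admin result=ok
2016-03-01T09:12:03Z auth src=jdoe target=admin-jdoe result=ok
2016-03-01T10:30:00Z auth src=contractor7 target=domain-admin result=fail
2016-03-01T10:30:30Z auth src=contractor7 target=domain-admin result=ok
2016-03-01T11:15:00Z auth src=contractor7 target=domain-admin result=ok
2016-03-01T13:40:00Z auth src=contractor7 target=domain-admin result=ok
"""

# Assumed inventory of privileged accounts (in practice pulled from the directory).
ADMIN_ACCOUNTS = {"admin-jdoe", "backup-admin", "domain-admin"}


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    target: str
    ok: bool


def parse_log(text: str) -> list:
    """Parse the constructed 'auth' lines into Event records."""
    events = []
    for line in text.splitlines():
        ts, kind, rest = line.split(" ", 2)
        if kind != "auth":
            continue
        kv = dict(tok.split("=", 1) for tok in rest.split())
        events.append(Event(ts, kv["src"], kv["target"], kv["result"] == "ok"))
    return events


@dataclass
class ImpersonationDetector:
    admin_accounts: set
    allowed_pairs: set = field(default_factory=set)  # analyst-accepted (src, target)

    def is_impersonation(self, ev: Event) -> bool:
        # Only successful logons where a *different* account became an admin account.
        return ev.ok and ev.target in self.admin_accounts and ev.src != ev.target

    def process(self, ev: Event) -> Optional[str]:
        """Return an alert string, or None if the event is ignored or allowlisted."""
        if not self.is_impersonation(ev):
            return None
        if (ev.src, ev.target) in self.allowed_pairs:
            return None
        return f"{ev.ts} impersonation: {ev.src} -> {ev.target}"

    def mark_false_positive(self, src: str, target: str) -> None:
        """Analyst feedback: this pair is acceptable, so never alert on it again."""
        self.allowed_pairs.add((src, target))


def run(events, detector: ImpersonationDetector) -> list:
    """Run every event through the detector and collect the alerts it raises."""
    return [a for a in (detector.process(e) for e in events) if a]


def baseline_would_suppress(events, min_count: int) -> set:
    """What a pure frequency baseline does: any pair seen at least min_count times
    becomes 'normal', including an intruder's repeated use of an admin account."""
    counts = Counter((e.src, e.target) for e in events if e.ok and e.src != e.target)
    return {pair for pair, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    det = ImpersonationDetector(ADMIN_ACCOUNTS)
    # First pass: every impersonation is surfaced to the analyst (6 alerts).
    for alert in run(events, det):
        print(alert)
    # Analyst reviews jdoe -> admin-jdoe and svc-backup -> backup-admin: legitimate.
    det.mark_false_positive("jdoe", "admin-jdoe")
    det.mark_false_positive("svc-backup", "backup-admin")
    # Replaying the same day now leaves only contractor7 -> domain-admin (3 alerts).
    print("after feedback:", run(events, det))
    # The frequency baseline does the opposite: the contractor's pair, seen three
    # times, is the one it would learn as normal, while jdoe's (seen twice) is not.
    print("frequency baseline would suppress:", baseline_would_suppress(events, 3))
```

The point of the contrast is in the last two prints: the feedback-driven allowlist removes exactly the pairs a human vouched for and keeps alerting on the one nobody did, whereas the count-based baseline suppresses whichever pair is most frequent, which is precisely the pattern a persistent intruder produces.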
Our approach was recently validated when we spoke with an InsightIDR customer and were told that in their organization of tens of thousands of employees, we alert "5-10 times per day". Every alert is considered valuable.
If you want to hear how well we have stuck to our motto, I suggest you start by watching our 20 minute demo.