Pratum Blog

[Image: Fog of War, soldiers in battle in fog with a computer network overlay]

Network visibility is critical to cybersecurity, but how do you control costs, improve visibility and avoid costly distractions like false positives?

Warfare is the way of deception.

Therefore, if able, appear unable; if active, appear inactive; if near, appear far; if far, appear near.

If your enemies have advantage, bait them; if they are confused, capture them; if they are numerous, prepare for them; if they are strong, avoid them; if they are angry, disturb them; if they are humble, make them haughty; if they are relaxed, toil them; if they are united, separate them.

Attack where your enemies are not prepared; go to where they do not expect.

This strategy leads to victory in warfare, so do not let the enemy see it. – Sun Tzu, 01.13-17, Sonshi translation

During World War II, the 23rd Headquarters Special Troops boasted of two divisions of nearly 30,000 soldiers. Their tanks, artillery, planes and large-scale maneuvers made instrumental contributions to the invasion of Normandy, the Battle of the Bulge, counter-positioning at the Maginot Line and the Rhine River crossing.

They drew and held the attention of the Axis forces in Europe from the middle of the war onward. Although the Axis likely could have destroyed the 23rd at many opportunities during the war, they dared not risk their resources on a direct attack.

The very existence of the organization remained classified for 50 years after the war and, once declassified, was considered worthy, as a unit, for the Congressional Gold Medal.

There was only one problem: the two divisions of the 23rd did not exist.

In fact, at its largest numbers, the 23rd – more famously known as the Ghost Army – included about 1000 soldiers total, most of them artists and sound engineers. Their guns were props. Their tanks were inflatable.

The 23rd's entire threat capability rested on deceiving its target, distracting that target from the real threats, and paralyzing its decision-making into inaction. The Ghost Army was a real-world "false positive" that drew attention throughout the war without ever being detected as one.

The Axis could see into their network of threats…but they saw too much – more than was present – and it proved costly.

Improving Network Visibility – Omniscience Versus Calibration

Network visibility is critical to security, but there is a serious risk of seeing too much. Sometimes, you pay for the privilege of becoming distracted by false threats.

Perfect vision in a secured environment is not achievable. Attacks can come from anywhere, systems become overtaxed, and human monitoring lapses.

Even if network omniscience were possible, your defenses would not be “perfectly” robust. There would be too much noise: too many distracting data points, far too many false positive events, and of course, to even attempt omniscience would be cost prohibitive.

So, how do you calibrate your visibility into the network and manage the costs, all while avoiding time-consuming false positives? It starts with counting what poor visibility already costs you.

Counting the Costs

Any visibility solution comes with a price tag, so identify the expected return on investment up front.

Downtime (Technical/Productivity)

First, estimate the annual or quarterly downtime that could be prevented by seeing weaknesses in the network before they become outages. Catching system flaws and shoring them up is a key benefit of a well-tuned visibility solution.

The leading causes of network downtime are faults, errors or discards on network devices; device configuration changes; user error; failed upgrades and patches; and device mismanagement. All of them can be anticipated in a network you can actually see.

Attacks

Of course, in addition to contributing to downtime, security attacks carry their own costs. Some are hard and soft costs you can count immediately; others stay hidden in the aftermath for months.

Churn

For organizations whose customers are expected to touch the network in some way, customer churn can increase when there are visibility issues.

When your network isn’t visible, you may not even know what customers and revenue you are losing. When you waste time and resources on false positives, your costs go up, leaving you less able to attract and keep customers.

Use Case 1: Unseen Network Configuration Errors

A videoconference provisioning company has poor visibility into its own network. Trouble tickets and calls about interruptions in video calls are coming in, and the help desk directs users to reboot and try the call in a new browser. This works for some users, but not for the majority. The root cause turns out to be a network configuration problem that is introducing latency and glitches into the video calls.

Because the company “doesn’t know what it doesn’t know” it is putting a lot of its hosts and their clients in an infinite loop of reboots and failed calls. Hosts and end users leave the service in droves, all because the videoconferencing company couldn’t see its own network configuration problems.

When visibility is cloudy, any part of the network that touches or serves clients will become this category of “unknown unknown.” Whether or not the client interaction is functioning as expected or is going disastrously awry is simply not visible. Bad customer contacts will go unnoticed, good ones will not be capitalized upon.

If, on the other hand, you are distracted by resolving too many false positives, you may unintentionally punish good actors with unnecessary mitigation. Good customers don’t appreciate being mistaken for bad actors.

Both scenarios are components of customer churn that can be better addressed with well-tuned network visibility. When a false positive happens in the context of a transaction, a good customer pays the immediate price, but the network pays the heavier price in churn.

Reputation (Technical/Productivity)

A company that is relatively blind to its network risks developing a reputation for technical ignorance. It can be portrayed as bumbling or out of touch when it suffers a publicly reported attack, and existing customers can be directly or indirectly harmed through identity theft or financial loss. But too much network visibility (that is, too many false positives) can be just as damaging, leaving a company's brand, customer retention and reputation at quieter, but no less profound, risk.

False positives are a high-risk symptom of "seeing more than what is there." When a solution identifies a legitimate action or account as a fraudulent threat, there is a real risk that a good customer will be harmed.

Use Case 2: Declined Transactions

In financial technology, for example, a false positive alert might decline a transaction of a good customer. At best, the financial company merely embarrasses the customer, and the customer gets over it with a dim personal view of the company’s reputation.

At worst, the company loses a justifiably angry customer (likely one with a social media presence!) and suffers reputational blowback. Negative word-of-mouth due to false positives could potentially be as damaging to a company’s reputation as a breach.

It isn’t just about customers, either. False positives that trigger reviews will raise operational costs, and many times, those costs directly or indirectly spill over onto a company’s vendors. Both under-tuned and over-tuned visibility can potentially inspire vendors to fire your company, or, at best, not enjoy working with your company going forward.

Cost Effective Visibility

Once you have counted those costs, the price of visibility falls into perspective.

At Pratum, we have developed an approach to network visibility that also frees up your IT team to do what you have hired them for. We customize workbooks and other reporting to supply an effective overview of your network while also learning your network's unique tendencies for false positives. This means we can rapidly learn your network profile and vulnerabilities, providing good visibility that quickly becomes great.

The best way to increase the efficiency of your view while reducing its cost is to aggregate your data ingestion through a managed solution. Our XDR solution is flexible: because we do not sell hardware or software, you keep control over your visibility management, are freer to focus on operations, and are not locked into software a vendor forces you to use. Aggregating ingestion also lowers your subscription rates and fees. One thing that should not be cut is 24-hour, 365-day professional support. Visibility that is properly calibrated never sleeps.

Use Case 3: Ending False Positives via Customization

Out-of-the-box rules for finding threats are not always correct. A real-world example of this occurred when Pratum's SOC team noticed that one stock rule was generating 50 tickets a day for every organization Pratum manages. Fewer than 5% of the alerts were legitimate threats. The rule, as written, triggered most of the time when normal software operations were underway.

To address this, Pratum's analysts disabled the stock rule to stop the flood of unactionable data, then rewrote it with additional conditions that excluded the normal software operations that had been triggering it, so that it fires only on the behavior the rule was meant to catch.

This cut the false positives to almost zero. Within 72 hours of enabling the new rule, the managed service spared a customer from an intrusion that the stock rule would have missed.
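The tuning described in this use case, as an added example that is not Pratum's rule, telemetry or customer data: the process-creation events, the hypothetical vendor updater, both rules and the resulting counts are constructed, with volumes chosen to mirror the use case above. The stock rule fires on any process launched from the Windows temp directory; the rewrite keeps that intent, widens the path match to cover the per-user temp directory as well, and carves out the updater activity that dominated the hits with a compound condition (parent image, account and exact child path together) rather than a single broad exclusion.

```python
"""Tuning a noisy detection rule: stock rule versus rewritten rule.

Added example, not Pratum's rule or telemetry. The process-creation events,
paths, vendor names and both rules below are constructed; what it shows is
the method from the use case: score a rule against labelled events, find the
benign activity producing most of its hits, and rewrite the rule so that
activity is excluded without losing true positives.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str      # parent process image path
    image: str       # new process image path
    malicious: bool  # analyst label, used only to score the rules


# Hypothetical vendor updater that routinely runs installers from Temp (lower-cased).
KNOWN_UPDATERS = {r"c:\program files\exampleupdater\updater.exe"}


def _updater_noise(host: str, n: int) -> List[ProcEvent]:
    """Constructed benign events: the updater launching its own installer n times."""
    return [
        ProcEvent(host, "SYSTEM", r"C:\Program Files\ExampleUpdater\updater.exe",
                  rf"C:\Windows\Temp\exu_{i:04d}\setup.exe", False)
        for i in range(n)
    ]


# Constructed one-day sample, sized to mirror the use case: ~50 hits, few of them real.
EVENTS: List[ProcEvent] = (
    _updater_noise("ws01", 20)
    + _updater_noise("ws02", 20)
    + _updater_noise("srv01", 8)
    + [
        # Intrusion: a document viewer spawns a binary dropped in the Windows temp dir.
        ProcEvent("ws07", "jdoe", r"C:\Program Files\DocViewer\viewer.exe",
                  r"C:\Windows\Temp\invoice.exe", True),
        # Intrusion: same technique via the user's profile temp dir, which the
        # stock rule's literal path prefix never covered.
        ProcEvent("ws09", "asmith", r"C:\Program Files\DocViewer\viewer.exe",
                  r"C:\Users\asmith\AppData\Local\TEMP\update.exe", True),
        # Admin interactively runs an agent installer from Temp: benign, but not
        # something the rule should silently exclude.
        ProcEvent("ws03", "itadmin", r"C:\Windows\explorer.exe",
                  r"C:\Windows\Temp\agent_setup.exe", False),
    ]
)

Rule = Callable[[ProcEvent], bool]


def stock_rule(e: ProcEvent) -> bool:
    """Out-of-the-box rule: alert on any process image under C:\\Windows\\Temp."""
    return e.image.startswith("C:\\Windows\\Temp\\")


TEMP_DIR_RE = re.compile(r"\\(windows\\temp|appdata\\local\\temp)\\", re.IGNORECASE)
UPDATER_CHILD_RE = re.compile(r"^c:\\windows\\temp\\exu_\d{4}\\setup\.exe$", re.IGNORECASE)


def tuned_rule(e: ProcEvent) -> bool:
    """Rewritten rule: match every temp location case-insensitively, then exclude
    the known updater's own installers, which produced over 90% of the stock hits.
    The exclusion keys on parent image, account and the child's exact path pattern
    together, so an attacker gets no free pass just by naming a file setup.exe."""
    if not TEMP_DIR_RE.search(e.image):
        return False
    is_updater_child = (
        e.parent.lower() in KNOWN_UPDATERS
        and e.user == "SYSTEM"
        and UPDATER_CHILD_RE.match(e.image) is not None
    )
    return not is_updater_child


def evaluate(rule: Rule, events: List[ProcEvent]) -> Dict[str, float]:
    """Score a rule against labelled events: alert volume, hits, misses, precision."""
    tp = sum(1 for e in events if rule(e) and e.malicious)
    fp = sum(1 for e in events if rule(e) and not e.malicious)
    fn = sum(1 for e in events if not rule(e) and e.malicious)
    alerts = tp + fp
    return {"alerts": alerts, "tp": tp, "fp": fp, "fn": fn,
            "precision": tp / alerts if alerts else 0.0}


if __name__ == "__main__":
    for name, rule in (("stock", stock_rule), ("tuned", tuned_rule)):
        print(name, evaluate(rule, EVENTS))
```

Run as a script, it prints both scores: the stock rule raises 50 alerts with one true positive and misses the second intrusion outright, while the tuned rule raises three, two of them real. The one residual alert (the admin's manual install) is the "almost zero" of the use case: it deserves a quick triage, not a broader exclusion. The discipline this illustrates is to re-score every rewrite against a labelled sample that contains the known true positives, because an exclusion that is too broad is exactly how a tuned rule begins to miss intrusions.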

With good visibility, a managed service should be able to provide comprehensive yet easy-to-understand reporting for compliance, audit support, defense and post-event analysis.

Properly calibrated, visibility positions your network to respond to real threats and dismiss imagined ones with equal effectiveness.

Huynh, T. (Trans.). (n.d.). Sun Tzu's Art of War translation. Sonshi. Retrieved September 9, 2022, from https://www.sonshi.com/sun-tzu-art-of-war-translation-original.html
