This blog post was inspired by and is dedicated to the memory of Ilan Rasooly.
When I first met Ilan, he was a 10-year-old boy who was energetic, full of joy, and with a love for life. Over the next 11 years, our family became good friends with Ilan's family. During that time, I had the good fortune to watch Ilan grow into a responsible, helpful, kind, and yes, still energetic man. When I first met Ilan, I had no idea that his life would be cut tragically short 11 years later after a horrific accident.
As with everything in life, I try to learn from and seek meaning in all events, both good and bad. I have to be honest - I am struggling to learn from this one. It's a very difficult time, most of all for Ilan's family. Death is always painful, but the death of a young, energetic soul is exceptionally and incredibly painful.
Nonetheless, I do believe there is a security lesson that we can learn from this. That may sound crazy, but please allow me to explain.
If we look across recent breaches that have made headlines, we see that in some cases, the initial or subsequent intrusions did result in an alert firing. If that happened, why did so many of these breaches persist for long periods of time and result in the loss of millions of records (whether they were customer information, payment cards, or otherwise)? Unfortunately, in many of these cases, although alerts indicating intrusion may have fired (the signal), they were lost amidst an incredible volume of false positives (the noise). This is a daily occurrence inside most organizations. The signal-to-noise ratio is often too low to allow the organization to understand that it has been breached and respond accordingly before any grave damage has been done.
I've discussed this concept in additional depth previously on my blog in a post entitled "Signal-to-Noise Ratio": http://ananalyticalapproach.blogspot.com/2014/03/signal-to-noise-ratio.html.
In this particular post, I'd like to stress a point mentioned in my previous post: the importance of reviewing each and every alert. If you have too many alerts to make that a reality, then you need fewer alerts. Plain and simple. Think that sounds crazy? Allow me to ask the following question. What is the point of an alert, if not to be reviewed and handled appropriately? Organizations that have more mature security operations and incident response functions have fewer alerts of higher quality and higher fidelity. Each and every alert gets reviewed. Will those organizations still miss things from time to time? Of course. I'm sure there are attacks that will always fly under the radar of any detection technique. The difference is that mature organizations won't miss something they should have known about and, in fact, were alerted to. Organizations with a mature security function do a lot of things well, but one of them is getting the signal-to-noise ratio under control.
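To make the idea of "fewer alerts of higher fidelity" concrete, here is an added example (not code from the original post) that works through the arithmetic a SOC would do: measure each rule's fidelity from the analyst dispositions it has received, compare the total weekly alert volume against what the team can actually review, and list the rules whose noise makes full review impossible. The alert records, rule names, review capacity figure and fidelity threshold are all constructed assumptions for the illustration.

```python
"""Alert signal-to-noise review: is our alert volume reviewable, and which
rules are generating the noise?  Added example, not code from the original
post.  The alert records below are constructed sample data; the rule names,
the review capacity figure and the fidelity threshold are assumptions."""

from collections import Counter

# Constructed sample: one week of alert dispositions from a hypothetical SIEM.
# Each record is (rule_name, disposition); dispositions are "true_positive"
# or "false_positive" as recorded by the analyst who closed the alert.
SAMPLE_ALERTS = (
    [("ids_generic_port_scan", "false_positive")] * 1800
    + [("ids_generic_port_scan", "true_positive")] * 3
    + [("av_signature_hit", "false_positive")] * 120
    + [("av_signature_hit", "true_positive")] * 40
    + [("beacon_to_known_c2", "true_positive")] * 6
    + [("beacon_to_known_c2", "false_positive")] * 1
    + [("dlp_bulk_record_export", "true_positive")] * 4
    + [("dlp_bulk_record_export", "false_positive")] * 16
)

# Assumption: the on-duty analysts can properly review this many alerts per week.
REVIEW_CAPACITY_PER_WEEK = 400


def rule_stats(alerts):
    """Per-rule volume and fidelity (share of the rule's alerts that were true positives)."""
    volume = Counter()
    true_pos = Counter()
    for rule, disposition in alerts:
        volume[rule] += 1
        if disposition == "true_positive":
            true_pos[rule] += 1
    return {
        rule: {
            "volume": volume[rule],
            "true_positives": true_pos[rule],
            "fidelity": true_pos[rule] / volume[rule],
        }
        for rule in volume
    }


def is_reviewable(alerts, capacity=REVIEW_CAPACITY_PER_WEEK):
    """Can every alert actually be reviewed with the capacity we have?"""
    return len(alerts) <= capacity


def tuning_candidates(stats, min_fidelity=0.10):
    """Rules whose fidelity is below the threshold, noisiest first.
    These are the rules to tune or retire to raise the signal-to-noise ratio."""
    noisy = [r for r, s in stats.items() if s["fidelity"] < min_fidelity]
    return sorted(noisy, key=lambda r: stats[r]["volume"], reverse=True)


def volume_after_tuning(stats, removed_rules):
    """Alert volume that remains once the listed rules are taken out of the queue."""
    return sum(s["volume"] for r, s in stats.items() if r not in removed_rules)


if __name__ == "__main__":
    stats = rule_stats(SAMPLE_ALERTS)
    print(f"total alerts this week: {len(SAMPLE_ALERTS)} "
          f"(reviewable: {is_reviewable(SAMPLE_ALERTS)})")
    for rule, s in sorted(stats.items(), key=lambda kv: kv[1]["volume"], reverse=True):
        print(f"  {rule:<26} volume={s['volume']:>5}  fidelity={s['fidelity']:.1%}")
    noisy = tuning_candidates(stats)
    print("tune or retire:", noisy)
    remaining = volume_after_tuning(stats, noisy)
    print(f"volume after tuning: {remaining} "
          f"(reviewable: {remaining <= REVIEW_CAPACITY_PER_WEEK})")
```

On this sample the generic port-scan rule alone produces over 1,800 alerts a week with three true positives among them, so the total queue of 1,990 cannot be reviewed by a team with capacity for 400. Taking that one rule out of the queue leaves 187 alerts, all of which can be looked at. The three true positives it did catch show the trade-off the post acknowledges: a tuned rule set will still miss some things, but it no longer hides the beaconing and bulk-export alerts that an analyst would have acted on.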
What does this have to do with Ilan you ask? We can think of each alert as an interaction. If we review each and every alert, we have a chance to turn that interaction into a positive one. In other words, even if we have been breached, we can learn of the breach in a timely manner and respond swiftly before any grave damage to the organization has occurred.
On the other hand, if we do not review each and every alert, we run the risk of each of those interactions turning into a negative one. In other words, how can I be sure that an alert that fires now is not the one that will cause me to appear in the press in six months? I can't be sure, unless I review each and every alert.
So too on the interpersonal front, every interaction matters. In the 11 years that I knew Ilan, we interacted many times. I hope that he felt that all of our interactions were positive ones. I will never know for sure. But, I do know that each and every one of us can strive for a positive outcome from each of our interpersonal interactions. I think that is an important point to remember, whether we are applying that way of thinking to information security or otherwise.