Pratum Blog


Here’s the hard truth about monitoring solutions: Most companies haven’t properly configured their SIEM/XDR system. Logging millions of events per day may seem productive. But what good does it do if an IT team is overwhelmed with alert fatigue and learns to ignore most of the notifications it gets?

“The basic rules in your SIEM may be functioning, but they often aren’t functioning well,” says Pratum Chief Technology Officer Steve Healey. Read on to learn how trained SOC analysts leverage SIEM tuning to turn out-of-the-box rules into meaningful tools for reducing noise and alert fatigue while stopping attacks before they gain a foothold.

The Problem with Out-of-the-Box SIEM Rules

All SIEM solutions come pre-loaded with a large number of rules. Alert fatigue happens because standard rules can’t possibly work equally well in every environment. “The idea behind those rules is solid, but they’re generic,” Steve says. “The execution will lead to an enormous number of false positives and alert fatigue. You’ll have to tune the rules with additional logic specific to your business to create exceptions without impeding the rule’s original intent.”

Beyond SIEM vendors, many other tech vendors regularly issue new detection rules to close gaps discovered in their own products. Many of those rules also generate a flood of false positives. Pratum’s SOC analysts (who have managed multi-tenant SIEM/XDR solutions for more than a decade) review each new rule’s goal and customize it for every customer’s environment. “We don’t just disable ineffective rules,” Steve says. “We take the core intent of the rule and build it out to get high-fidelity results.” With this kind of tuning, Pratum recently turned 266 million monthly security events in one client’s environment into just 41 alerts sent to the client’s IT team.

Reducing Alert Fatigue

The real art of creating SIEM/XDR rules lies in finding the sweet spot of writing rules sensitive enough to detect real threats but not so sensitive that they cause constant false positives. Nobody wants to get an alert every time someone logs in from a coffee shop using a different IP address. But if a legitimate user who normally uses an iPhone suddenly logs in through an Android device in a new geographic location, that’s worth an alert.

The solution is a team of SOC analysts trained to create models of normal activity. By identifying patterns of typical activity, analysts help the system recognize a scenario that checks all the boxes to be suspicious—but actually isn’t. “We can create threat models based on baseline behavior so we know what’s normal and only send an alert when the pattern changes,” Steve says. “Machine learning can figure that out over time.”

(This blog provides a summary of the logic used to eliminate false positives.)
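As an added illustration (not Pratum’s rule logic or any vendor’s stock rule), here is the coffee-shop-versus-new-device distinction from the paragraphs above in Python, run over constructed sign-in events: the stock rule fires on every previously unseen IP, while the tuned rule learns each user’s device families and geographies from a baseline window and fires only when both deviate (or when the user has no baseline at all). Field names, sample IPs and geo codes are assumptions.

```python
from collections import defaultdict

# Constructed sample sign-ins (not real telemetry): the minimum a SIEM usually
# has per authentication: user, source IP, device family, and geo resolved from the IP.
BASELINE_EVENTS = [
    {"user": "alice", "ip": "203.0.113.10", "device": "iPhone", "geo": "US-IA"},
    {"user": "alice", "ip": "203.0.113.11", "device": "iPhone", "geo": "US-IA"},
    {"user": "alice", "ip": "198.51.100.7", "device": "iPhone", "geo": "US-IA"},
    {"user": "bob", "ip": "192.0.2.5", "device": "Windows", "geo": "US-IA"},
    {"user": "bob", "ip": "192.0.2.6", "device": "Windows", "geo": "US-MN"},
]

def build_baseline(events):
    """Learn, per user, the IPs, device families and geos seen in the baseline window."""
    baseline = defaultdict(lambda: {"ips": set(), "devices": set(), "geos": set()})
    for e in events:
        baseline[e["user"]]["ips"].add(e["ip"])
        baseline[e["user"]]["devices"].add(e["device"])
        baseline[e["user"]]["geos"].add(e["geo"])
    return baseline

def stock_rule(event, baseline):
    """Generic out-of-the-box logic: alert on any sign-in from an unseen IP.
    This is the rule that pages you for every coffee-shop login."""
    seen = baseline.get(event["user"])
    return seen is None or event["ip"] not in seen["ips"]

def tuned_rule(event, baseline):
    """Tuned logic: a new IP alone is normal. Alert only when BOTH the device
    family and the geo are outside the user's baseline, or the user has none."""
    seen = baseline.get(event["user"])
    if seen is None:
        return True
    return event["device"] not in seen["devices"] and event["geo"] not in seen["geos"]

def evaluate(events, baseline, rule):
    """Return (user, ip) for every new event the given rule would alert on."""
    return [(e["user"], e["ip"]) for e in events if rule(e, baseline)]

NEW_EVENTS = [
    # alice at a coffee shop: new IP, usual iPhone, usual state -> noise
    {"user": "alice", "ip": "203.0.113.200", "device": "iPhone", "geo": "US-IA"},
    # alice from an Android device in a new country -> worth an alert
    {"user": "alice", "ip": "198.51.100.99", "device": "Android", "geo": "RO"},
    # bob from a new IP on his usual laptop in a state he has used before -> noise
    {"user": "bob", "ip": "192.0.2.77", "device": "Windows", "geo": "US-MN"},
    # carol has no baseline yet, so neither rule can vouch for her -> alert
    {"user": "carol", "ip": "192.0.2.90", "device": "Mac", "geo": "US-IA"},
]

if __name__ == "__main__":
    b = build_baseline(BASELINE_EVENTS)
    print("stock:", evaluate(NEW_EVENTS, b, stock_rule))
    print("tuned:", evaluate(NEW_EVENTS, b, tuned_rule))
```

In a real deployment the baseline window is rolled forward over time so that a device a user genuinely adopts stops alerting after its first confirmed use.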

The following real-world scenarios illustrate how SIEM tuning modified standard rules into more accurate reporting tools that stop the alert fatigue.

Use Case #1: Fighting Business Email Compromise

Pratum recently revised one rule intended to deal with the growing threat of business email compromise (BEC) attacks. In these situations, hackers take over a legitimate user account. Then they often create email forwarding rules that let them intercept a user’s messages and conceal the fact that the account has been compromised. Many SIEM solutions now include a stock alert designed to watch for the creation of suspicious forwarding rules. But Pratum’s analysts recognized that the stock rule wasn’t catching the forwarding rule hackers are using most right now. So Pratum’s SOC team wrote a new rule, had the Pratum penetration testing team attempt an exploit to validate the rule, then rolled the rule out to Pratum’s entire client base. The new rule not only identifies the activity, but can also automatically orchestrate a response to contain the threat.

Use Case #2: Eliminating False Positives

“The intent of most rules is terrific. A lot of rules would be amazing if they were accurate 100% of the time. But they aren’t,” Steve says. Pratum’s SOC team noticed that one stock rule started generating 50 tickets a day for every organization Pratum manages. Less than 5% of the alerts were legitimate threats because the rule kept triggering when normal software operations took place.

The analysts disabled the rule to stop the flood of unactionable data, then rewrote it with complex logic that cut the false positives to almost zero. “Within 72 hours of enabling the new rule, it saved one of our customers from an intrusion that the stock rule missed,” Steve says.

Use Case #3: Tailoring Rules for SMBs

SIEM developers rightfully talk a lot about their solutions’ machine learning capabilities. But the developers tend to focus their machine learning work on big customers, which means some of the tools don’t do much for small organizations generating a limited amount of monthly data. So Pratum’s analysts devote a lot of attention to modifying rule logic so that companies with, say, 30 employees benefit from the next-gen tools as much as companies with 1,000 employees.

For more information on how Pratum’s custom SIEM/XDR rules could make your organization more secure and efficient, contact us today.


Ransomware is rapidly becoming everyone’s problem. If all the recent headlines have provided the wake-up call you need, we have the tips to help you fight ransomware—but first you must decide you’re ready to take action. Here are the prevention steps you can begin taking today:

1. Patch Your Systems

A lot of IT leaders focus their angst on stopping zero-day threats. But digest this fact: One recent analysis showed that almost two-thirds of system vulnerabilities involve bugs that were identified two years ago. That literally means that the majority of your vulnerabilities are already solved if you just make the effort to use available patches. Hackers love to grab low-hanging fruit. Don’t let them find it on your system. Get a vulnerability scan and then address the gaps.

2. Use Proper Port Settings

Leaving certain port settings open unnecessarily gives hackers an easy gate into your system. CIS Controls 9 and 12 offer information on some common settings to check.

3. Actively Monitor Your Systems

If a bad actor does get a toehold in your system, spotting it immediately lets you shut down the breach before things get out of hand. IBM reports that it takes 280 days to identify the average breach. You can do a lot better. The latest defense is a Managed Detection and Response solution that constantly monitors activity, uses artificial intelligence to recognize multiple different acts as a brewing attack and actively steps in to shut down suspicious activity.

4. Segment Your Systems

By effectively isolating/air-gapping various parts of your system, you limit how far hackers can get if they penetrate one part of the network.

5. Limit Each User’s Access

Similar to the previous point, implementing a policy of least-privileged access and Identity and Access Management means you keep hackers from getting into your entire system if they compromise one user’s credentials.

6. Have a Robust Backup Strategy

Even if ransomware locks up your data, an effective backup of your data lets you quickly restore operations. Test the backup often to ensure it’s doing its job.

7. Plan Ahead

A detailed incident response plan helps everyone know what to do to limit the damage when you come under attack. Breach costs are 38% lower for companies that have an IR plan in place before the breach.

8. Train Your Team—And Keep Training Them

Malware frequently gets onto a system when a user clicks a bogus e-mail link or falls for social engineering via text messages. Engaging every member of your team in cybersecurity, and in how it keeps the business running, provides one of the best defenses. Provide regular training on the latest tricks in phishing and other social engineering tactics.

9. Get an Outside Opinion

An IT risk assessment, vulnerability scan and penetration testing all provide essential checks on your current cybersecurity posture and point to critical remediations you need to make.

Along with making your system more secure, these steps will almost certainly help you get a lower cyber insurance premium at a time when rates are rapidly increasing.

The Government's Response to Ransomware

The U.S. government is also stepping up its response. President Biden issued an executive order in May aimed at, among other actions, strengthening software security in federal agencies and creating a federal board to investigate major breaches. The administration says it intends to shift the focus from incident response to incident prevention.

Dozens of states are working on new regulations to step up cybersecurity across several industries. 

America continues to pressure Russia about its hacker-friendly climate since major attacks such as the JBS breach, the Colonial Pipeline attack and multiple others were almost immediately attributed to criminal organizations in Russia. But if you’re pinning your organization’s safety on the hope that Russia will crack down on hackers, you may also have a tendency to think vampires make excellent stewards of blood banks.

The fact is that the government can’t keep up. Hacking operations are well-run businesses employing some of the world’s best coders. They shift tactics constantly and engage in flexes like quoting your own cybersecurity policy back to you if you claim that you can’t afford the ransom they demand.

Contact Pratum to find out how we can help get you ready to stop ransomware attacks before they strike.


If your cyber insurance premium blew up this year, you’re not alone. Pratum’s clients have faced insurance cost increases of anywhere from 25% to 10x in the last six months. And to make the situation even more frustrating, the application process has become extremely complex as insurance companies ask hundreds of questions at renewal time.

In this post, we’ll describe the key ways you can get lower cyber insurance premiums and survive endless underwriting questionnaires while still getting the coverage essential to your business.

How to Reduce Your Cyber Insurance Premiums

The following policies and tools have the dual benefit of making you more secure and convincing underwriters that you’re a lower risk. Ross Ingersoll, an executive risk & cyber account executive at one of Pratum’s insurance-industry partners, Holmes Murphy, in Des Moines, Iowa, points to three security policies/tools every insurance carrier wants to see.

Multifactor Authentication

“MFA is, by far, the leading indicator to prevent ransomware losses, and it’s the number one thing carriers are looking for,” Ingersoll says. Without a sound MFA policy, you may be denied coverage. And a general answer of “yes, we have MFA” won’t satisfy most carriers. They want details on how your MFA policy protects admin level users, secures all remote access and secures corporate email on non-corporate devices and web apps.

Endpoint Detection and Response

Ransomware struggles to get past these systems that can catch threats early and shut them down. An IBM study found that organizations using security AI and automation spend 80% less handling a breach. A solution like Pratum’s Managed XDR can detect anomalous activity, correlate actions into a threat picture and proactively shut down attacks. And that often happens in milliseconds.

Solid Backup/Recovery Procedures

Ingersoll asks his clients: “Do you have an offline or segregated backup solution? Have you tested it frequently? Monthly? Quarterly? Is access to the backup restricted by MFA? Along with that, do you have an incident response plan to access the backup and have you tested the IR plan?”

Why Premiums Have Jumped

The last couple of years have rocked the cyber insurance landscape with three factors hitting almost simultaneously. Insurance companies had set rates artificially low because they lacked enough history to do accurate underwriting. Then the ransomware wave and remote workforces arrived together, sending claims skyrocketing.

Put all that together, and you get an industry trying to right-size its revenue in a hurry by jacking up rates. At the same time, cyber insurance companies have taken other steps to control their losses:

  • Stop offering coverage. Some companies have decided it’s not worth the risk. Reuters has reported that Lloyd’s of London, which owns 20% of the worldwide cyber insurance market, won’t be taking on cyber business in 2022. And with fewer companies offering coverage, rates go up.
  • Reduce limits. You may not be able to buy the same coverage this year at any price.
  • Make underwriting tougher. “Five years ago, if you had antivirus and a firewall, you qualified,” says Ingersoll at Holmes Murphy. Now, Pratum sees applications drilling down on clients’ cybersecurity positions with 250 or more detailed questions.
  • Deny coverage. Some clients simply get labeled too risky to cover. Or they can’t get coverage for specific high-ticket threats, such as ransomware attacks.

A Case Study In Lower Cyber Insurance Premiums

You probably can’t avoid a price hike. But your actions can lead directly to lower cyber insurance rates. Consider the following story from Ingersoll of Holmes Murphy:

Ingersoll recently met with a client six months before their cyber insurance policy was up for renewal. The client lacked several of the key security tools described above, but on Ingersoll’s advice, they quickly ramped up their security posture.

To measure the ROI, Ingersoll got insurance quotes before the improvements and after. With no security adjustments, the $3 million policy’s price would have jumped from $20,000/year to $80,000/year. And ransomware incidents would have been limited to $100,000 of coverage.

With the new security policies/tools in place, the client kept their original coverage amounts and saw the price rise to $35,000. That’s still a 75% increase—but it’s a lot better than paying 300% more for less coverage.

“The increase may be inevitable,” Ingersoll says. “But you can manage the increase while maintaining a robust policy. That’s the moral of that situation.”

How to Prepare for Tougher Underwriting

Along with focusing on the key areas mentioned, you should brace for a significant time investment at policy renewal time. For both new policies and renewals, expect a long list of questions probing deeply into your information security policies and tools. We recently helped a client respond to 275 individual questions from their cyber insurance carrier.

So start 5-6 months before the renewal is due and get help from third-party experts such as Pratum and an experienced insurance broker.

Expect questions like these:

  • What percentage of your IT budget is allocated to information security?
  • Do you have a Chief Information Security Officer or equivalent?
  • Which cybersecurity frameworks do you follow?
  • Do you engage a third party to provide an assessment of your cybersecurity program and controls?
  • How do you track your software inventory by operating system and application version?
  • Do you implement standard audit logging policies for hardware devices and software?
  • What are your password policies?
  • How do you encrypt data?

Pratum’s consultants help organizations create customized security plans that not only help with cyber insurance costs but secure the organization’s future. Contact us today for a conversation about how we can help boost your security posture.
