According to Wikipedia, Fear of Missing Out (FOMO) is the “feeling of apprehension that one is either not in the know or missing out on information, events, experiences, or life decisions that could make one’s life better.”
First identified in 1996 by marketing strategist Dr. Dan Herman, FOMO is a phenomenon that refers to a negative emotional impulse – usually overreactive – that disrupts one’s sense of judgment in dealing with different situations.
In the field of information security, FOMO shows up as a commonly felt fear of missing a threat – and failing to protect the organization. For security analysts, whose Security Operations Centers are an enterprise’s first line of defense, it’s easy to fall into this emotional trap.
SOC Teams want to try to catch every possible piece of information, to confirm and validate each step. This can lead analysts to shy away from noise reduction and avoid tuning detection rules.
The phenomenon of FOMO tends to overload SOC teams, which generally suffer from a shortage of both human resources and technical resources. FOMO can lead to an inability to prioritize – i.e., to stop checking information that’s of low importance – which can have an impact on SOC efficiency to the point where the team misses the real threats. Let’s have a closer look at what this means.
Over-Monitoring – A Dangerous Behavior in the SOC
One of the direct results of the FOMO impulse is a problematic tendency to over-monitor, which can be expressed in several ways:
- Methodological Over-Monitoring – The SOC team hunts for indicators instead of Tactics, Techniques & Procedures (TTPs). Rather than investing their efforts in building wider controls based on an ordered and planned threat coverage model, the SOC analysts put effort into covering specific vulnerabilities or indicators using dedicated detections and hunting queries that are driven by the latest threat indicator or vulnerability report.
- Operational Over-Monitoring – The SOC team reviews each incident several times for validation – regardless of its severity level, complexity, or major impact indicator. This is just one example of operational over-monitoring, and it is the equivalent of reviewing every single log to ensure you haven’t missed anything important. Instead, a more effective approach involves due diligence, ensuring that the effort invested in a particular task reflects the criticality of the related incident. Alternatively, one can conduct a statistically based review – i.e., checking sample incidents to ensure they were handled correctly.
- Logical Over-Monitoring – The SOC team fears over-tuning, and instead maintains untuned, noisy detection rules. I’ve been asked many times, “If we tune that endpoint and it gets compromised, how will we know?” Exclusions should be considered carefully – and should be as accurate as possible to match the specific use case. But, at the end of the day, it is a cost-benefit decision. How probable is the risk of compromise happening at that endpoint? How much effort is needed to ensure detection of all possible compromises?
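The "tune that endpoint and it gets compromised" question above is easiest to answer with a concrete rule. The example below is added for this article (it is not the author's code, and the telemetry, hosts, accounts and commands are constructed): a noisy "any PowerShell launch" rule is tuned first with an over-broad exclusion that silences the whole host, then with a narrow exclusion that matches only the known-good host, account, parent process and script. The narrow exclusion removes the same noise while still surfacing activity on the tuned host that does not fit the approved pattern.

```python
"""Narrow versus over-broad exclusions for a noisy detection rule.

Added example for this article; all events, hosts and commands are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    process: str
    parent: str
    cmdline: str


# Constructed sample telemetry. The backup agent on build01 legitimately runs the
# same script every night; the last three events are the behaviour we must keep.
APPROVED_SCRIPT = "powershell -File C:\\backup\\rotate.ps1"
EVENTS = [
    Event("build01", "svc_backup", "powershell.exe", "backupagent.exe", APPROVED_SCRIPT),
    Event("build01", "svc_backup", "powershell.exe", "backupagent.exe", APPROVED_SCRIPT),
    # PowerShell spawned from a mail client on a workstation.
    Event("ws-042", "alice", "powershell.exe", "outlook.exe", "powershell -enc <constructed>"),
    # On the tuned host, but from a document editor rather than the backup agent.
    Event("build01", "svc_backup", "powershell.exe", "winword.exe", "powershell -nop -w hidden"),
    # On the tuned host, from the backup agent, but under a different account and command.
    Event("build01", "jdoe", "powershell.exe", "backupagent.exe", "powershell -c <constructed>"),
]
# The events a good tuning must not hide (constructed ground truth).
MUST_DETECT = EVENTS[2:]


def base_rule(e: Event) -> bool:
    """The untuned rule: every PowerShell launch is a candidate alert (noisy by design)."""
    return e.process == "powershell.exe"


def exclude_whole_host(e: Event) -> bool:
    """Over-broad exclusion: silence everything from the noisy host."""
    return e.host == "build01"


def exclude_known_good_pattern(e: Event) -> bool:
    """Narrow exclusion: only the exact host + account + parent + script that was reviewed."""
    return (
        e.host == "build01"
        and e.user == "svc_backup"
        and e.parent == "backupagent.exe"
        and e.cmdline == APPROVED_SCRIPT
    )


def alerts(events, exclusion=lambda e: False):
    """Apply the base rule, then drop events matched by the exclusion."""
    return [e for e in events if base_rule(e) and not exclusion(e)]


def missed(exclusion):
    """Ground-truth events that the tuned rule would no longer surface."""
    surfaced = set(alerts(EVENTS, exclusion))
    return [e for e in MUST_DETECT if e not in surfaced]


if __name__ == "__main__":
    for name, excl in [("untuned", lambda e: False),
                       ("whole host excluded", exclude_whole_host),
                       ("narrow exclusion", exclude_known_good_pattern)]:
        print(f"{name:20s} alerts={len(alerts(EVENTS, excl))} missed={len(missed(excl))}")
```

The point to carry into rule reviews: measure each proposed exclusion against the events you know you must still see, not just against the alert count it removes. A host-wide exclusion cuts the most noise but hides two of the three events of interest; the pattern-level exclusion cuts the same two benign events and hides none.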
In assessing what needs to be monitored, consider the concept of “defense in depth.” This phrase means that even if there is risk of missing cases at the “edge” in one layer of defense, the organization is protected because there are additional layers; the enterprise does not rely on just a single layer of protection.
Improve Your SOC’s Efficiency to Detect Real Threats to the Enterprise
FOMO hurts effective security monitoring processes by overwhelming the SOC team with processes and tasks that are low priority, so that they can’t focus on what’s truly essential to protecting the enterprise. In an effective security monitoring program:
- There’s a systematic approach to threat coverage – Threat coverage is addressed systematically, using a threat model such as the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework to correlate all organizational controls and information assets and plan a roadmap.
- The SOC is not focused on vulnerability exploitation coverage per se – Vulnerabilities are assessed and prioritized in a separate process. They are used in investigations as a source of enrichment for the assets involved. Only in very specific exploitation cases are vulnerabilities the focus of a dedicated detection process.
- Due diligence is applied to quality assurance – The more severe incidents are prioritized, and the team uses statistical analysis – reviewing sample incidents instead of reviewing them one by one.
- Indicators of Compromise (IOCs) are handled without an ongoing investment of human resources – IOCs are fed into the data lake for monitoring. IOCs do not require an active, ongoing response, as such a response has many downsides: It is resource consuming. It’s ineffective in preventing threats, which are dynamically assigned to new IPs in each campaign. And, like all manual processes, it carries the risk of impacting the business through human error.
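The "systematic approach to threat coverage" in the first bullet above is, in practice, a mapping exercise: which prioritized ATT&CK techniques do the deployed rules actually cover, given the log sources that are really onboarded, and which remain open. The example below is added for this article and is not the author's or MITRE's code; the rules, log-source inventory and priority list are constructed, and the technique IDs are real ATT&CK identifiers used only as labels. It produces the ordered detection backlog that replaces indicator-of-the-week hunting.

```python
"""ATT&CK coverage gap analysis for planning a detection roadmap.

Added example for this article; rules, sources and priorities are constructed.
"""

# Constructed: deployed detection rules, each tagged with the technique(s) it targets
# and the log source it needs. A rule tagged with a parent technique (T1059) is
# counted as covering its sub-techniques (T1059.001) in this simple model.
RULES = {
    "ps_encoded_command":      {"techniques": ["T1059.001"], "source": "endpoint_process"},
    "office_spawns_shell":     {"techniques": ["T1566.001", "T1059"], "source": "endpoint_process"},
    "lsass_access":            {"techniques": ["T1003.001"], "source": "endpoint_process"},
    "rdp_from_unusual_source": {"techniques": ["T1021.001"], "source": "netflow"},
    "new_scheduled_task":      {"techniques": ["T1053.005"], "source": "windows_security"},
}

# Constructed: which log sources are actually flowing into the data lake.
# A rule whose source is not onboarded exists on paper only.
DATA_SOURCES = {"endpoint_process": True, "windows_security": True, "netflow": False}

# Constructed: techniques the threat model ranks for this organization (1 = most critical).
PRIORITY = {
    "T1566.001": 1,  # Spearphishing Attachment
    "T1059.001": 1,  # PowerShell
    "T1003.001": 1,  # LSASS Memory
    "T1078": 1,      # Valid Accounts
    "T1021.001": 2,  # Remote Desktop Protocol
    "T1053.005": 2,  # Scheduled Task
    "T1047": 3,      # Windows Management Instrumentation
}


def covers(tag: str, technique: str) -> bool:
    """Exact match, or a parent-technique tag covering a sub-technique."""
    return technique == tag or technique.startswith(tag + ".")


def active_rules():
    """Rules whose log source is onboarded; the rest cannot fire."""
    return {name: r for name, r in RULES.items() if DATA_SOURCES.get(r["source"], False)}


def coverage():
    """Map each prioritized technique to the active rules that cover it."""
    cov = {tech: [] for tech in PRIORITY}
    for name, rule in active_rules().items():
        for tech in PRIORITY:
            if any(covers(tag, tech) for tag in rule["techniques"]):
                cov[tech].append(name)
    return cov


def roadmap():
    """Uncovered techniques, most critical first: the backlog for new detections or sources."""
    cov = coverage()
    return sorted((t for t, rules in cov.items() if not rules), key=lambda t: (PRIORITY[t], t))


if __name__ == "__main__":
    for tech, rules in coverage().items():
        print(f"{tech:10s} priority={PRIORITY[tech]} rules={rules or 'NONE'}")
    print("roadmap:", roadmap())
```

Two things this surfaces that a rule count alone hides: T1021.001 is "covered" by a rule that cannot fire because netflow is not onboarded, so the gap is a data-source task rather than a rule-writing task, and T1078 sits at priority 1 with nothing at all, which is where the next engineering effort belongs regardless of what this week's indicator feed contains.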