March 26, 2024
If your team is suffering from security alert fatigue, too many false positives, and an overall reactive posture, you’re not alone. Organizations are continuing to invest in a growing suite of cybersecurity tools, complicating security operations, overwhelming teams, and negatively impacting threat detection. According to a 451 Research Report, 43% of enterprises are unable to act on at least 25% of the alerts generated by their security products. This can leave organizations unsure of the state of their security posture, or even with a false sense of confidence.
To understand how to resolve these security operations challenges, it’s important to first understand what common threat detection problems are the culprit:
It’s quite common for companies to run with the default rule sets that come pre-packaged with a tool such as a SIEM or EDR. And why not? The rules are already prebuilt and designed to be plug and play: a security operations team just has to update some definitions, and within a few minutes the rule starts firing.
Perfect! Or is it?
Building a rule that is generic enough to plug and play into any environment with just a few tweaks comes with trade-offs. Because the rule is so broadly built, it often fires at a higher volume, produces more false positives and lower-fidelity alerts, and sometimes unexpectedly fails to fire because of coverage gaps or edge cases where a particular log was categorized in an unusual way that fell outside the scope of the rule logic.
Of course, the intention behind these out-of-the-box rules is that the security operations team will tune out any excess noise, and after some time of hammering it out they get the rule to a place where it’s working reasonably well. Sometimes companies have great success stories with this approach. It’s not necessarily a bad way to do it… it’s just not the most efficient or effective method, particularly when teams are already overwhelmed with responding to alerts and managing tools.
Instead of slowly trying to tune out excess noise over time, security teams will have better luck by first assessing their unique environment and customizing the rule to fit.
Let’s take a look at how to develop one of the most common rules across the board: the humble port scan rule.
To demonstrate the process, we’ll walk through the base logic we use at ReliaQuest:
ReliaQuest Common Ports List: 1-1024,1433,1434,3306,3389,4567,5900,31337
ReliaQuest Common Port Whitelist List: 53,88,123,389,464,137,161,80,443
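As an added example (not ReliaQuest’s own detection content), the base logic above can be expressed as a sliding-window detection over flow logs: only ports in the common list that are not on the whitelist count, and a source/destination pair that touches a threshold of distinct watched ports inside the window fires. The record format, the 10-port threshold, the one-minute window and the sample flows are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Port lists exactly as quoted on this page; threshold, window and log format are assumptions.
COMMON_PORTS_SPEC = "1-1024,1433,1434,3306,3389,4567,5900,31337"
WHITELIST_SPEC = "53,88,123,389,464,137,161,80,443"

def parse_port_list(spec):
    """Expand an 'a-b,c,d' port spec into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

COMMON_PORTS = parse_port_list(COMMON_PORTS_SPEC)
WATCHED = COMMON_PORTS - parse_port_list(WHITELIST_SPEC)  # ports that count toward a scan

def parse_flow(line):
    """Constructed record format: '<ISO ts> src=IP dst=IP dport=N action=...'."""
    ts, rest = line.split(" ", 1)
    kv = dict(f.split("=", 1) for f in rest.split())
    return datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dport"])

def detect_port_scans(lines, threshold=10, window_minutes=1):
    """Return {(src, dst): n} for pairs touching >= threshold distinct watched ports in one window."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport in WATCHED:                      # whitelisted or uncommon ports never count
            events[(src, dst)].append((ts, dport))
    hits = {}
    for pair, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):      # slide the window over each pair's events
            ports = {p for t, p in evs[i:] if t - start <= window}
            if len(ports) >= threshold:
                hits[pair] = len(ports)           # one alert per pair is enough
                break
    return hits

def build_sample_lines():
    """Constructed sample flows: a fast sweep, a normal AD client, and a slow sweep."""
    sweep = [21, 22, 23, 25, 110, 135, 139, 445, 1433, 3389, 5900]  # 11 watched ports
    t0 = datetime(2024, 3, 26, 10, 0, 0)
    rec = lambda dt, s, d, p: f"{(t0 + dt).isoformat()} src={s} dst={d} dport={p} action=deny"
    fast = [rec(timedelta(seconds=3 * i), "10.0.0.5", "10.0.0.20", p) for i, p in enumerate(sweep)]
    benign = [rec(timedelta(seconds=i), "10.0.0.7", "10.0.0.10", p) for i, p in enumerate([53, 88, 389, 464, 135, 445])]
    slow = [rec(timedelta(minutes=2 * i), "10.0.0.9", "10.0.0.30", p) for i, p in enumerate(sweep)]
    return fast + benign + slow
```

With the defaults only the fast sweep fires; the domain client stays quiet because most of its ports are whitelisted, and the slow sweep only fires once the window is widened, which is exactly the tuning trade-off the text describes.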
What does the infrastructure landscape look like?
In order to build a custom rule similar to the above, you must first determine how the rule will fit into your environment and what log sources are needed. To do so, start by asking yourself and your team questions like:
Once you’ve identified the log source types where a detection could be expected to take place, you’ll need to determine any gaps in log source coverage. This is perhaps the most significant issue that can affect your security alerting. To determine whether you may have coverage gaps that could affect your rule, ask these questions:
Keep in mind that regardless of how well-built or tuned the detection rule is, you will never detect the attack if it occurs in a logging blind spot.
By asking these questions, it often becomes apparent that environments have East-West blind spots. Following the example above, keep in mind that regardless of how well-built or tuned the rule is, you will never detect a port scan if it happens in a logging coverage gap.
Without an understanding of visibility and logging gaps within their environment, companies can develop a false sense of security that only gets realized after a pen test (or worse, an actual breach!) takes place and the rule failed to fire.
That’s why for every rule built, it’s important to know your logging gaps ahead of time so you can answer:
If you know there is a specific situation where the rule won’t fire due to a visibility gap, then you must consider the impact of the gap, whether or not the risk is acceptable, and whether you need to take any steps to mitigate the gap.
Do you know where your visibility gaps are? Learn how to measure and track your visibility gaps with the Guide to Metrics that Matter.
Once you understand where your gaps are, determine what gaps you need to mitigate based on risk levels and impact to the business. For example, if you know that Host A could run a port scan against Host B and you don’t have the means to detect that, what does this mean for your organization? If Host B is a mission critical host, perhaps there is a need to move it to another network location with better visibility. If Host B is not mission critical and there is already existing visibility on that host through Anti-virus or EDR (endpoint detection and response), perhaps missing a port scan is an acceptable risk.
You may also need to consider solutions to increase your visibility, such as an Open XDR solution that integrates your existing investments for unified visibility.
ReliaQuest GreyMatter reduces security complexity and force multiplies stretched security teams, helping leaders to realize exponential gains in efficacy, efficiency, resiliency, and confidence, enabling them to proactively advise and manage risk for the business.
On top of this platform, add diverse, use case-based detection content that works across technologies for high-fidelity, unified alerting. Each alert delivers an investigation package from which analysts can make fast, informed decisions, automate response across technologies, or dive deeper and pull additional insights without needing to know specific syntax or pivot into other tools.
For more information on reducing false positives and improving your detection capabilities, get The Comprehensive Guide to Optimizing Your Security Operations.