How Superloop reduced false positives with behavioural threat detection

The security team at the Australian telco got its network detection and response workload down from four hours to one hour a day.


Telecommunications provider Superloop has shifted its cybersecurity focus to behavioural-based attacks. “A lot of the things that we are seeing that make it through our layers are more behaviour-based. It is not necessarily malware; it’s almost social engineering to the next level, where something or someone is trying to find their way into our many layers of defence,” the former head of security and IT, Jason Veness, told CSO Australia.

And that has meant use of AI-powered tools. “There’s only so far you will get with known patterns in today’s world,” he said. “What we’re really looking to do was keep within the capabilities of AI-driven intrusion detection, but more so reduce the complexity of our threat hunting and our security operations teams,” Veness said. The organisation wanted a product that anyone in the team, whether junior or senior, could use easily.

After looking at several tools, Superloop chose Vectra AI’s Cognito, which has lowered the number of false positives. It lets the team look across many of its networks, as well as the software-as-a-service, platform-as-a-service, and infrastructure-as-a-service cloud software in use.

Veness recommended that cybersecurity professionals consider the smaller, emerging providers, as they are learning from the gaps of large vendors. He said that part of the cybersecurity skills gap is that “sometimes the tools we use are a little bit dated and require a very specific subset of skills to bring all that data into effectiveness.” Broadening the pool of vendors you consider can help address that, he said.

Once deployed, Cognito reduced the amount of time “wasted chasing shadows and signatures”, including false behaviours, Veness said. As a result, security operations and network detection and response went from four hours a day to one hour a day, which meant the team spent less time validating threats because the detections were more “on point”, he said.

Integration was simple, with the work taking roughly two weeks. Superloop’s IT team did the initial configuration of the hardware remotely.

Although the installation was easy, Superloop had to overcome issues with how Cognito interacted with some of its open source hypervisors and private clouds. As an example, Veness cited that Superloop could not get Cognito to work natively with the virtual sensors on its kernel-based virtual machines. To work around the issue, “it led us to find some more traditional spam-based solutions to put those in place,” he said. Still, Cognito “had a lot more support for some of those fringe hypervisors” than other tools did, and “Blue Chip, VMware, Zendesk, and Microsoft hypervisor all work just fine.”

Copyright © 2021 IDG Communications, Inc.
