One of the most prominent challenges in cybersecurity today is the deluge of alerts. With finite human resources and seemingly infinite threats, security operations centers (SOCs) easily get overwhelmed.
“Not only must security pros contend with ever-increasing attacks to their networks, they also must finagle the tool sets guarding their systems,” according to Greg Masters, managing editor for SC Media, in a piece titled Crying Wolf: Combatting cybersecurity alert fatigue.
Current research shows this problem is growing. For example, a recent survey of 150 IT and security pros by the Enterprise Strategy Group found 54% said: “they are forced to ignore security alerts worthy of further investigation because they don’t have the staff and expertise to handle them.”
Another study of 400 cybersecurity professionals produced even more unsettling results: larger enterprises struggle to manage “1.3 million vulnerabilities every 30 days” and “64% of threat alerts are not addressed each day” according to the study, which was conducted by Enterprise Management Associates.
Technically True, but Largely Irrelevant
In the aforementioned article, which examines this issue in depth, Mr. Masters interviewed our own Druce MacFarlane, among other industry voices. Mr. MacFarlane points out that much of the deluge is caused by security alerts that are little more than a distraction:
“While most shops have tools to sense threats and alert security professionals – these alerts typically lack meaningful context to understand the impact or potential impact, says Druce MacFarlane, vice president of products and marketing for Bricata. In other words, he says, security is deluged by alerts that are often technically true, but largely irrelevant.
‘This requires IT security to investigate such alerts, but the volume and vectors have grown beyond the finite resource of most organizations. Consequently, some alerts start to slip and go uninvestigated.
‘The Sony breach of 2015 demonstrated this challenge, MacFarlane points out. ‘While the tools were able to identify the malicious activity, those alerts were lost in a sea of 40,000 other alerts that same month. With a limited security staff, some malicious activity went uninvestigated until the inevitable happened.’”
Analyzing Threats from Multiple Perspectives for Context
Some point to security analytics as the answer, but the challenge remains nested in the source data being fed into the analytics tool. As the saying goes, garbage in equals garbage out.
What security analysts need is context around the alerts. Context can provide two important aspects when trying to identify which events require the greatest degree of attention.
First, additional context can help prioritize – differentiate the “technically true but largely irrelevant” events from the critical events. For example, if you identify a malicious Windows executable downloaded to a Linux or OSX PC, it will probably be a lower priority as it has decreased chances of compromising the threat target.
Second, additional context also helps provide valuable information needed to correlate alerts from your complete ecosystem of security solutions. For example, imagine an analytics tool that could identify cancer, but the only attribute data being fed is biological gender. The tool might conclude men are more likely to get cancer than women. However, if you start feeding the tool additional attributes – diet, exercise, tobacco use, and family history – the analysis gets a whole lot more accurate.
This is what IT needs in cybersecurity – a way to look at the same threat from different perspectives in order to understand context. The more data you have about each alert, the more information you have to correlate and paint a larger picture of the problem.
When equipped with these different perspectives, security alerts are enriched with the most contextually relevant information around assets, attacks, attackers, attack campaigns, targets, exploits, and other attributes that analytics tools can slice and dice to separate important alerts from the noise.
This is what the latest version of our solution, which was announced recently, does for the security analyst. It looks at threat data from several perspectives – and uses those different vantage points to enrich the metadata around alerts. This delivers important context that enables analysts to distinguish real threats from the noise.
Context is the antidote for the security alert deluge.
[vc_separator type=’small’ position=’left’ color=’#689fb3′ thickness=’2′ up=’5′ down=’5′]
Druce MacFarlane will present a related session at the upcoming CyberMaryland Conference at the Baltimore Convention Center. His session – False-Positives: The Imperative of Improving Data Quality in Security Analytics – will be held on October 11, 2017, from 1:45 PM until 2:30 PM.
If you enjoy this post, you might also like:
Unleash the Kraken! 6 Things Your CISO is Thinking but Can’t Say Aloud
Photo: Pixabay (CC0 1.0)