On a daily basis, almost half of all security operations managers receive 5,000 alerts per day and, of these, 44% are never investigated.
Possibly the toughest challenge for an IT security team is managing this deluge of security alerts. Considerable time is spent on false positives when the stakes are high – failing to detect an active infection can have serious consequences.
Alerts and alarms are designed to draw attention, but when the barrage is constant, it’s easy to become desensitized. It’s of no surprise that IT and security teams are facing ‘alarm fatigue’ where they are overwhelmed by constant notifications and information. As a result, the real threats are buried amongst the noise, and often missed or unintentionally ignored.
With cybercrime expected to cost the global economy $3 trillion by 2020, it’s more important than ever for organizations to cut through the bombardment of alerts and have confidence in the accuracy and effectiveness of solutions to detect even the most sophisticated threats.
Information overload
Anti-virus software is failing to detect the latest malware and malicious threats, and no computer is safe from attackers. The result of this is an industry explosion of alerting technologies ranging from intrusion detection and network black boxes, to sandboxes and threat intelligence solutions to highlight Indicators of Compromise (IoCs).
This never-ending deluge has subsequently given rise to another industry of alert consolidation, correlation tools, coalescence technology, big data analytics, attribution biased triage…the list continues. However, with only limited time and resources to manage these threats, it’s inevitable that this information overload will place additional burdens on teams.
Sadly, many IT and security teams feel they have no choice but to invest in a mix of technologies in the hope that one will trigger alerts accurate enough to prevent a malicious attack. This is often under the guise of ‘best practice’ and is a common reality in IoC-led alert systems.
The risk equation
There is no risk-free answer. Too many alerts mean a team cannot investigate them all, but herein lies the risk – the alerts that are ignored or at least delayed. There is risk in the time it takes to diagnose whether an alert is real and, if it is, whether it was successful or blocked by another security function.
Ultimately, IoC alerts are just indicators, and the more indicator sources there are, the greater the likelihood of alert fatigue. It’s what we are alerted about that needs to change. Indicator-based alerts are often responsible for lost time, both in security escalations and false alarms. In fact, attackers are aware of the potential for this and may instigate side attacks to generate more alarm noise. Instead, we should base these alerts on what is actually happening within the network environment.
The ideal place to track these activities is the target of the attack itself – the endpoint. A real alternative to the existing IoC alerts and ineffective antivirus solutions, the dynamic behavior of the endpoint is what should form the basis of the alert. This solves the problem of prevention bias, which is the fundamental flaw in security controls by which attackers are able to infiltrate our environments.
Reducing alert fatigue is a work-in-progress, but as organizations move away from indicative alerts and start making their technology work smarter rather than harder, the problems associated with inaccuracy, volume and cost will decrease.
It is vital that we move to a model where alerts are valuable and directly actionable. Eventually, there will be no more of ‘the boy who cried wolf’ and the security process will be based on something which is happening, not something which only might be happening.