A popular topic that we get asked about really frequently. So often, in fact, that we've written an eBook about it! Here's what you can expect to learn about.
Turns out that the average US business deals with a tidal wave of 10,000 security alerts a day, according to Techworld Online. The Security Operations Center (SOC) team's mission of analyzing attacks in order to differentiate between real threats and false positives is almost impossible to achieve. So it is not surprising that 40.4% of the respondent IT security professionals in a recent CSA Survey stated that the alerts they receive lack actionable intelligence to investigate, and another 31.9% admitted that they ignore alerts because so many are false positives. Experts call this syndrome 'alert fatigue'.
The Dangers of Alert Fatigue
Alert fatigue is causing serious burnout among today's analysts, and others are reluctant to enter the impossibly demanding field. How do you prevent a dangerous brain drain that could leave your enterprise more vulnerable than ever to crippling attacks?
The first step in coping with alert fatigue is to make the task more manageable. According to a FireEye study, 52% of alerts are false positives and 64% are redundant. So logically, if you get rid of the false positives, the volume of alerts should become more controllable.
Is It Enough to Reduce False Positives?
What are the right methods to fight alert fatigue and how can you ensure that you are not exacerbating the security situation in other ways? Here is a list of some of the methods that SOCs are using today to reduce false positives and acquire data to handle the real threats.
1. Correlation
SIEMs are often configured to alert based on a chain of events or complex sets of conditions. Because the required correlation involves multiple products and vendors for each alert, several days may pass before the conditions are met and the alert is triggered. Sometimes the correlation conditions configured in the rules are never matched at all, causing serious threats to be missed.
2. Aggregation
Some alerts are based on the aggregation principle, meaning that an alert will be signalled only if an incident occurs multiple times. While these alerts are triggered on attack patterns that often involve repetitions (like brute-force), it is important to understand that serious attacks can still slide under the radar.
3. Tuning, filtering and whitelisting
These techniques are usable when the logic in a rule is accurate, but there are often exceptions that do not merit alerts. While this may make alerts more specific, there is the risk that attackers will use previously whitelisted methods or the company may simply replace reporting devices.
4. Usage of statistics
Sometimes companies define statistical highs and lows in order to set thresholds. While using a baseline and percentages often provides greater flexibility, it is impossible to guarantee that the current baseline itself does not include malicious activities and misconfigurations.
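As an added illustration of the aggregation (item 2) and statistical baseline (item 4) methods above, not code from the Secdo post or ebook, the following Python runs both kinds of rule over a constructed authentication log; the source addresses, user names, thresholds and daily counts are invented. It shows the two blind spots the text describes: a low-and-slow run of failures never trips the count-in-window rule, and a baseline that absorbed an attack day raises the statistical threshold so the same spike goes unflagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

# Constructed sample log (not real data): "<ISO timestamp> <source IP> <user> <outcome>".
BASE = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_LOG = sorted(
    # burst: six failures in 25 seconds from one source (classic brute force)
    [f"{(BASE + timedelta(seconds=5 * i)).isoformat()} 10.0.0.5 alice FAIL" for i in range(6)]
    # low-and-slow: ten failures, one every two minutes, from a second source
    + [f"{(BASE + timedelta(minutes=2 * i)).isoformat()} 10.0.0.9 bob FAIL" for i in range(10)]
    + [f"{BASE.isoformat()} 10.0.0.7 carol OK"]
)

def parse_events(lines):
    """Turn log lines into (timestamp, source, user, outcome) tuples."""
    out = []
    for line in lines:
        ts, src, user, outcome = line.split()
        out.append((datetime.fromisoformat(ts), src, user, outcome))
    return out

def aggregation_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """Aggregation rule: a source fires when it has >= threshold failures
    inside a sliding time window. Returns the set of sources that fired."""
    fired, recent = set(), defaultdict(list)
    for ts, src, _, outcome in sorted(events):
        if outcome != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures that fell out of the window
            q.pop(0)
        if len(q) >= threshold:
            fired.add(src)
    return fired

def baseline_alert(baseline_counts, today_count, k=2.0):
    """Statistical rule: alert when today's count exceeds mean + k * stdev of past days."""
    mean = statistics.mean(baseline_counts)
    sd = statistics.pstdev(baseline_counts)
    return today_count > mean + k * sd

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("aggregation rule fired for:", aggregation_alerts(events))  # {'10.0.0.5'}; 10.0.0.9 never trips it
    clean = [20, 22, 19, 21, 20]          # baseline learned from clean days
    poisoned = [20, 22, 19, 21, 200]      # baseline that silently included an attack day
    print("60 failures vs clean baseline:", baseline_alert(clean, 60))        # True
    print("60 failures vs poisoned baseline:", baseline_alert(poisoned, 60))  # False
```

The poisoned baseline has a mean of 56.4 and a standard deviation of roughly 72, so its threshold sits near 200 and a day with 60 failures looks normal.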
In addition to the tactics mentioned above, there are several other methods currently being used to reduce false positives (as listed in our Wake Up Call on Alert Fatigue ebook), but across the board they fail to deal effectively with the root problem: the alerts themselves.
Preemptive Analysis Trumps Alert Fatigue
All of the methods above and many others fail to resolve the real problem regarding false positives: i.e., finding a scientific way to distinguish between false positives and real incidents.
Due to the ever-growing onslaught of alerts, a truly effective solution must take a different route than that of mechanical analysis. Sophisticated cyber warfare calls for surgical counter-tools that allow automated remediation. Based on sophisticated rules and machine learning, this advanced solution uses a preemptive strategy that identifies false alerts, displays the entire picture in the event of genuine alerts, and enables the system to improve independently over time.
Your security team can only win your cyber wars if you give them the right weapons. It’s your job to provide the full scenario, empower precise remediation, speed up response processes, and provide insights into future attacks. By doing your job, you’ll enable them to do theirs.
Many methods used today by SOCs fail to deal with the real problems related to incident response. Read Secdo’s Wake Up Call on Alert Fatigue ebook and learn how to effectively shred alert fatigue and drastically reduce end-to-end incident response times.