Avoid Security Alert Fatigue: Simplify and Accelerate Your Incident Response

June 13, 2017 by Suba Pandian
Avoid Security Alert Fatigue: Simplify and Accelerate Your Incident Response

An FBI report released last year estimated 327,374 robberies nationwide, which accounted for an estimated loss of $390 million. Cyber theft is not far different from the physical theft but in fact, it has become the most lucrative way of looting money with fewer trails to follow. Cyber-criminals collected $209 million in the first three months of 2016. One cybersecurity firm estimates that extortive attacks now cost small and medium companies at least $75 billion in expenses each year. One of the biggest challenges that security teams are facing today is to keep up with the ever-evolving threat landscape. Most security tools they deploy typically flood them each day with hundreds of security alerts that demand their immediate attention.

A recent survey conducted by the Cloud Security Alliance (CSA), shows that almost 50% of organizations are using 1-5 tools and 12.7% of them are using more than 20 tools. This is one reason, that security teams are plagued with a tsunami of alerts. They call this term as Alert-Fatigue. Alert-Fatigue describes a symptom where security teams are bombarded with overwhelming amount of alerts that makes it impossible for them to investigate and respond to the threats that matter.

As per Ponemon survey 2015-2016,

○     Annual cost of chasing False Positives – $1.27M

○     Number of Alerts ignored each week – 96%

○     Number of Alerts generated each week – 17K Alerts

The time that admins spent in analyzing the eventually ‘ignorable alerts’ is the time not spent in catching actual threats.

Cyber attackers find innovative ways to infiltrate an organization and can stay hidden in networks without getting detected. Be it the troublemaker Mirai or WannaCry which panicked hospitals or the most expensive Leoni and Bangladesh Bank attacks, data breaches are getting more prevalent day by day. Recent examples of WannaCry Ransomware, have clearly shown that unlike traditional cyberattacks which are designed to exfiltrate data or cause physical damages to computing systems, these ransomware attacks directly translates to money in the pockets of cyber criminals. This is just a beginning and we can expect more of such WannaCry wannabes in future.

Meanwhile, a number of enterprises are adapting to a hybrid model where the data center is spread across cloud and on-premise. Gartner predicts that Worldwide Public Cloud Services Market to grow 18 percent in 2017. With cloud infrastructure, enterprises target to reduce their datacenter footprints by minimizing the servers, staffs, software costs without impeding the IT capabilities and performance. So enterprises are increasingly relying on public cloud infrastructure providers such as Amazon, Microsoft, and Google for their computing resources. Cloud’s anytime/anywhere/any-config server accessibility resulted in easier exposure points for malware to gain a foothold into the systems.

Enterprise’s major security concerns over cloud data centers are about data privacy and data loss. How well are the security policies understood and implemented? Whether current security tools are adequate to protect their sensitive data and meet the regulatory compliances? These are some big questions for an enterprise CSO. This concerns, in turn, justifies the need for bringing in new security tools to cloud infrastructure. The mixture of all enterprise and cloud security tools that are deployed to guard the sensitive data usually increases the volume and velocity of threat. Often times these alerts are not correlated and resulting in causing alert fatigue to the system/security admins.

Alert-dumping technologies are doing its job; but only partially. The infamous Target data breach clearly shows that security tools did generate alerts but then it simply shifted the problem to the admins. Security teams are made numb by too many non-action-worthy or false positive alerts dumped by various tools. If the alert stood out, it would have saved millions of dollars. What did we learn from that? It’s important for the security tools to coordinate, correlate, analyze and then raise an alert only when it needs a human action. The sooner we spot the right alert, the sooner we can contain the threats from spreading across.

The question that’s put forth before us, is how we manage the tsunami of alerts, respond to real threats and contain the malware from lateral movement. Only few security vendors have stepped up to tackle this issue.

Effective Security Alerts

What we need to look for from a security vendor is, how effective are their security alerts in terms of quantity and fidelity.  Quite a few vendors have adopted Machine learning techniques to detect the highly evasive threats. It is a good thing but a system that is only based on machine learning and behavior analysis alone is not going to fix the issue to the fullest. The need of the hour is a behavior analysis based solution that can effectively integrate with your existing security infrastructure (network security, endpoint security, and log management tools) and can correlate and pinpoint the source of potentially malicious activity.

It is time for organizations to take a hard look at their security infrastructure and see if their investment in security tools help to the extent envisioned

“What the ancients called a clever fighter is one who not only wins but excels in winning with ease.”

Sun Tzu, The Art of War