When it comes to incident detection and response, enterprise organizations are collecting, processing and analyzing more security data through an assortment of new analytics tools—endpoint detection and response (EDR) tools, network analytics tools, threat intelligence platforms (TIPs), etc.
When each of these threat management or security analytics tools sees something suspicious, it generates a security alert, and therein lies the problem: Enterprise organizations are getting buried by an avalanche of security alerts. According to ESG research:
- When asked to identify their top incident response challenges, 36 percent of the cybersecurity professionals surveyed said, “keeping up with the volume of security alerts.”
- Forty-two percent of cybersecurity professionals say their organization ignores a significant number of security alerts because they can’t keep up with the volume.
- When asked to estimate the percentage of security alerts ignored at their organization, 34 percent say between 26 percent and 50 percent, 20 percent of cybersecurity professionals say their organization ignores between 50 percent and 75 percent of security alerts, and 11 percent say their organization ignores more than 75 percent of security alerts. Mamma Mia, that’s a lot of security alerts left on the cutting room floor.
All told, the ESG data indicates that cybersecurity professionals are struggling to keep up with security alert volume and are doing their best to identify, prioritize and address the most critical of the lot. This makes it fairly easy for cyber adversaries to hide stealthy attacks, circumvent security controls and fly under the radar through a pervasive security alert storm.
The security alert scramble described above may be a testament to cybersecurity professionals’ dedication, but it can’t be considered a best practice by any measure. What can organizations do to address and improve this fire drill approach?
1. Talk to SIEM vendors and their customers. Let’s face it, SIEMs can be complex, and many organizations remain behind in software revision levels, custom rule sets and configurations. Those organizations falling behind would be well served to reach out to their SIEM providers for help. Vendors such as AlienVault, IBM, LogRhythm, McAfee and Splunk offer professional services and can pull from their experience across thousands of installations. Beyond the vendors themselves, it can be worthwhile to join customer groups to hear more about best practices, lessons learned and success stories.
2. Consider new types of products based upon machine learning. These tools are meant to compare, enrich and contextualize disparate security alerts to sort real cyber attacks from basic security alert noise. For example, products from vendors such as Caspida (Splunk), E8, Exabeam and Niara (HP) are designed to work their machine learning magic and then aggregate security alerts so that security teams have a breadcrumb trail of events and alerts indicating real security issues. Note that this technology remains immature, so the principle of caveat emptor truly applies here.
3. Consider incident response automation and orchestration. Security operations is often challenging due to a reliance on tedious processes, informal collaboration between security and IT operations teams, and manual remediation actions. To improve productivity, CISOs should look at orchestrating processes (i.e. human-to-human, machine-to-human, machine-to-machine) and automating investigations and remediation tasks. This space is white hot, so there are many commercial tools (Hexadite, Phantom, Resilient (IBM), Siemplify, ServiceNow, etc.) and open-source software options (Netflix FIDO, RTIR, etc.) available.
4. Get help. Let’s face it, triaging, prioritizing and investigating security alerts isn’t easy. And it’s only getting more difficult. CISOs should honestly assess their staff’s ability and know when to throw in the proverbial towel. Managed service providers such as CSC, FireEye, Unisys, SecureWorks, Symantec and Verizon can help here.
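The "compare, enrich and aggregate" idea behind point 2, as an added illustration that is not code from the article or from any vendor named in it: constructed alerts from an EDR, a network analytics tool and a TIP lookup are enriched with intel confidence, chained per host inside a time window, and ranked so that chains where several tools agree and intel matches float to the top of the queue. Alert fields, the threat-intel table and the scoring formula are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts from EDR and network tools (invented values, not real telemetry).
ALERTS = [
    {"ts": "2017-03-01T09:00:00", "src": "edr", "host": "ws-042", "sev": 3,
     "msg": "suspicious PowerShell child of winword.exe", "ioc": None},
    {"ts": "2017-03-01T09:02:30", "src": "net", "host": "ws-042", "sev": 2,
     "msg": "outbound connection to 203.0.113.7:443", "ioc": "203.0.113.7"},
    {"ts": "2017-03-01T09:05:10", "src": "edr", "host": "ws-042", "sev": 2,
     "msg": "new scheduled task created", "ioc": None},
    {"ts": "2017-03-01T09:01:00", "src": "net", "host": "ws-017", "sev": 1,
     "msg": "DNS query for example.net", "ioc": "example.net"},
]
# Constructed threat-intel lookup standing in for the TIP: indicator -> confidence.
TIP = {"203.0.113.7": 0.9}

def enrich(alert):
    """Attach TIP confidence; alerts without a known indicator score 0."""
    a = dict(alert)
    a["tip_conf"] = TIP.get(a["ioc"], 0.0) if a["ioc"] else 0.0
    return a

def correlate(alerts, window_min=15):
    """Group alerts per host into time-ordered chains; start a new chain
    when consecutive alerts are more than window_min minutes apart."""
    by_host = defaultdict(list)
    for a in sorted(map(enrich, alerts), key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    chains = []
    for items in by_host.values():
        chain = [items[0]]
        for prev, cur in zip(items, items[1:]):
            gap = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            if gap.total_seconds() > window_min * 60:
                chains.append(chain)
                chain = []
            chain.append(cur)
        chains.append(chain)
    return chains

def score(chain):
    """Priority: total severity x number of distinct tools that agree x (1 + best intel match)."""
    sources = {a["src"] for a in chain}
    tip = max(a["tip_conf"] for a in chain)
    return sum(a["sev"] for a in chain) * len(sources) * (1 + tip)

def triage(alerts):
    """Rank correlated chains, highest priority first; the top chain is the breadcrumb trail to work."""
    return sorted(correlate(alerts), key=score, reverse=True)
```

With the sample data the ws-042 chain (three alerts, two tools, one intel hit) ranks first; the lone DNS alert on ws-017 stays at the bottom of the queue instead of being ignored outright.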
It is also worth noting that the global cybersecurity skills shortage precludes any organization from simply hiring its way out of this mess. CISOs must do something soon before the volume of security alerts simply buries the security operations team.