Avoiding Alert Fatigue: Simplify Incident Response
An FBI report released last year estimated 327,374 robberies nationwide, accounting for an estimated loss of $390 million.
Cyber theft is not far removed from physical theft; in fact, it has become the most lucrative way of looting money, with fewer trails to follow. Cyber-criminals collected $209 million in the first three months of 2016. One cybersecurity firm estimates that extortive attacks now cost small and medium companies at least $75 billion in expenses each year.
One of the biggest challenges security teams face today is keeping up with the ever-evolving threat landscape. Most of the security tools they deploy flood them each day with hundreds of security alerts that demand immediate attention. A recent survey conducted by the Cloud Security Alliance (CSA) shows that almost 50% of organizations are using 1-5 tools and 12.7% of them are using more than 20 tools. This is one reason security teams are plagued with a tsunami of alerts. The condition is known as alert fatigue: security teams are bombarded with such an overwhelming volume of alerts that it becomes impossible for them to investigate and respond to the threats that matter.
As per the Ponemon survey 2015-2016:
○ Annual cost of chasing false positives – $1.27M
○ Share of alerts ignored each week – 96%
○ Number of alerts generated each week – 17K alerts
The time that admins spend analyzing alerts that turn out to be ignorable is time not spent catching actual threats.
Cyber attackers find innovative ways to infiltrate an organization and can stay hidden in networks without being detected. Be it the troublemaker Mirai, WannaCry which panicked hospitals, or the most expensive Leoni and Bangladesh Bank attacks, data breaches are becoming more prevalent day by day. The recent WannaCry ransomware outbreak has clearly shown that, unlike traditional cyberattacks designed to exfiltrate data or cause physical damage to computing systems, ransomware attacks translate directly into money in the pockets of cyber criminals. This is only the beginning, and we can expect more such WannaCry wannabes in the future.
Alert-dumping technologies are doing their job, but only partially. The infamous Target data breach clearly shows that the security tools did generate alerts, but that simply shifted the problem to the admins. Security teams are made numb by the many non-actionable or false-positive alerts dumped on them by various tools. Had the alert stood out, it would have saved millions of dollars. What did we learn from that? Security tools must coordinate, correlate and analyze, and then raise an alert only when it needs human action. The sooner we spot the right alert, the sooner we can contain the threat before it spreads.
The question put before us is how to manage the tsunami of alerts, respond to real threats and stop malware from moving laterally. Only a few security vendors have stepped up to tackle this issue.
What organizations need to ask of a security vendor is how effective its security alerts are in terms of both quantity and fidelity. Quite a few vendors have adopted machine learning techniques to detect highly evasive threats. That is a good thing, but a system based on machine learning and behavior analysis alone is not going to fix the issue fully. The need of the hour is a behavior-analysis-based solution that integrates effectively with your existing security infrastructure (network security, endpoint security, and log management tools) and can correlate across them to pinpoint the source of potentially malicious activity.
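The correlation idea described above, reduced to working code as an added example (it is not from the original post or any vendor's product): alerts from three assumed sources (a network IDS, an endpoint agent and a log-management tool) are grouped per host, and a host is escalated to a human only when at least two distinct tools report on it within a short time window. Everything else is suppressed as uncorroborated noise. The alert records, hostnames and signal names are constructed sample data; the window and source threshold are tunable assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str    # which tool raised it: "ids", "edr" or "siem" (assumed names)
    host: str
    signal: str
    severity: int  # 1 (low) .. 5 (critical)


# Constructed sample alerts for one business day (not real data).
T0 = datetime(2017, 6, 1, 10, 0)
SAMPLE_ALERTS = [
    # ws-17: three different tools agree within ten minutes -> worth a human
    Alert(T0, "ids", "ws-17", "outbound SMB scan to internal /24", 3),
    Alert(T0 + timedelta(minutes=5), "edr", "ws-17", "unsigned binary spawned by office app", 4),
    Alert(T0 + timedelta(minutes=7), "siem", "ws-17", "new local administrator created", 4),
    # ws-22: the same IDS signature repeating all day, nothing else -> noise
    Alert(T0 + timedelta(hours=1), "ids", "ws-22", "high DNS TXT query volume", 2),
    Alert(T0 + timedelta(hours=2), "ids", "ws-22", "high DNS TXT query volume", 2),
    Alert(T0 + timedelta(hours=3), "ids", "ws-22", "high DNS TXT query volume", 2),
    # srv-db: two tools, but two hours apart -> not corroborated in a 15-minute window
    Alert(T0 - timedelta(hours=1), "edr", "srv-db", "encoded PowerShell command line", 3),
    Alert(T0 + timedelta(hours=1), "ids", "srv-db", "outbound SMB scan to internal /24", 3),
]


def correlate(alerts, window=timedelta(minutes=15), min_sources=2):
    """Return {host: [alerts]} for hosts that at least `min_sources` distinct
    tools reported on inside a sliding time window of length `window`.

    Hosts that fail the corroboration test are suppressed (not returned)."""
    by_host = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a.ts):
        by_host[alert.host].append(alert)

    incidents = {}
    for host, items in by_host.items():
        # Slide the window forward from each alert; the first cluster that
        # reaches the source threshold escalates the host.
        for anchor in items:
            cluster = [a for a in items if anchor.ts <= a.ts <= anchor.ts + window]
            if len({a.source for a in cluster}) >= min_sources:
                incidents[host] = cluster
                break
    return incidents


def summarize(alerts, **kwargs):
    """Count how many raw alerts reached the analyst as incidents versus
    how many were suppressed; this is the number an alert-fatigue review
    should track over time."""
    incidents = correlate(alerts, **kwargs)
    escalated = sum(len(v) for v in incidents.values())
    return {
        "raw_alerts": len(alerts),
        "incidents": len(incidents),
        "alerts_in_incidents": escalated,
        "suppressed_alerts": len(alerts) - escalated,
    }


if __name__ == "__main__":
    for host, cluster in correlate(SAMPLE_ALERTS).items():
        print(f"ESCALATE {host}: " + "; ".join(f"[{a.source}] {a.signal}" for a in cluster))
    print(summarize(SAMPLE_ALERTS))
```

Widening the window changes the answer: with a three-hour window the database server's two alerts corroborate each other and it is escalated too, which is why the window and source threshold should be tuned against what the team can actually investigate rather than set once and forgotten.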
It is time for organizations to take a hard look at their security infrastructure and ask whether their investment in security tools is delivering to the extent envisioned.
“What the ancients called a clever fighter is one who not only wins but excels in winning with ease.”