Security alerts don't come in a slow, steady drip-drip-drip.
Instead, as any triage specialist will tell you, it's a fire hose of warnings. Dashboards show a non-stop barrage of yellow lights indicating warnings, punctuated with a few more urgent red lights.
An increasing quantity of alerts -- can we call it an increasing velocity? -- has several implications:
- A greater number of alerts should be investigated by Tier 1 InfoSec staff -- the ones usually charged with doing triage.
- Because there's a lack of qualified staff (and because there's high turnover, and replacements are expensive to hire and train), that means more alerts per employee.
- Since each employee is handling more alerts, there's greater opportunity to waste time investigating a false positive, or to miss an incident.
- Also due to overload, staff might be tempted to take shortcuts and skip some investigations.
- And because attacks can be slow moving and cross multiple silos, the fire hose might stop staff from making some correlations -- and again, missing an incident.
This isn't hypothetical. To quote from the newly released Cisco 2018 Asia Pacific Security Capabilities Benchmark Study, 17% of defenders in India reported 250,000 to 500,000 alerts per day. Of those, the study shows that only 61% of alerts are investigated -- and that 39% are being ignored.
It turns out that only 44% of investigated alerts are legitimate, which is second highest in the region, well behind the leader Australia (65%) but is better than both the global benchmark (34%) and on par with the regional standard (44%). This means a full 56% of investigated alerts are false alarms, and a vast amount of valuable work is being done on files that don't need it.
Okay, so what can be done? In a word, automation.
We need a paradigm shift, and that's to have the first round of incident investigation performed by smart software. A lot of investment is going into the use of artificial intelligence for these tasks, specifically machine learning, which can adapt on-the-fly and excels at spotting anomalies. However, the automation doesn't have to use AI and machines learning; even a relatively simple set of heuristics could pick the low hanging fruit.
The industry refers to the triage specialists within a SOC team as Tier 1 staff; when they find something, or can't make a determination, they kick the (potential) incident upstairs to Tier 2 incident responders. Let's call the triage software "Tier 0" -- it skims off the easy-to-decide alerts, and refers the others to those Tier 1 triage specialists. In this way, we can get more complete incident coverage, and the triage specialists handle fewer alerts.
This means less burnout, fewer mistakes and, hopefully, better security.
In addition, automation software can do a better job with those tricky correlations, particularly when it comes to looking at network traffic. The benefit can be greater understanding across the board. As Scott Ferguson writes in the recent Security Now special report on automation:
Instead of tracking every packet that crosses the network, automation allows the machines to keep track of data center traffic and, over time, adjust policy and procedures based on previous data -- the first real signs of machine learning at work within the enterprise. At the same time, automation helps security pros better understand attacks. With the ability to collect more data through the automation of what had been manual processes of data collection, analytics and big data analysis has gotten better at understanding and responding to the current threat landscape.
Verizon advises in its 2018 Data Breach Investigations Report: "Automate anything you can as this reduces the human error associated with many breaches we see."
That's the only way out of this mess. We are in the fire hose era of security alerts, and that's not going to change. There's no way that human investigators can handle that kind of velocity without Tier 0 automation.
- Data Breaches Costing More C-Level Executives Their Jobs
- Verizon Offers Look Inside Data Breach Investigations
- Second Equifax Employee Facing Insider Trading Charges
- IBM's USB Ban Earns Some Praise, Some Skepticism
— Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.