As we have seen with cases like the Target breach, failure to adequately investigate and effectively react to security alerts can have devastating consequences for businesses and customers. Security professionals today have to deal with an escalating number of risk alerts to better manage and prioritize alerts and their response to them.
This is a growing concern for many organizations as the volume of security alerts is frequently the prevailing factor in high-profile data breaches. Alerts can number in the thousands, or tens of thousands, a month. According to a survey by International Data Corporation (IDC), 37 percent of cyber security professionals reported facing 10,000 alerts per month of which 52 percent are false positives. The end result is a swamped staff.
But despite the overwhelming volumes, staff can cut through the noise and better-manage cyber security alerts by:
Refresh Staff – On a given day, cyber security professionals are vastly outnumbered by alerts. A business with three full-time personnel can face 300 alerts a day, the IDC study found, also noting more than 35 percent of companies spend 500 hours a month responding to alerts. It’s little wonder cyber security staffs are exhausted—which is exactly what cyber criminals are counting on. Simply hiring more people to manage the ever increasing volumes is not a solution.
Instead, build a better-organized team of rotating, rested personnel to prevent fatigue against alert volume. For a small company with a small staff, the Financial Industry Regulatory Authority (FINRA) has recommended partnering with a managed security services provider (MSSP), and this guidance holds true across industries.
Behavioral Analysis – Analytics that detect but do not prioritize alerts, are giving way to big data, behavioral analytics-based threat detection and cyber defenses that help staff prioritize by utilizing more operationalized intelligence. Behavioral analysis expands what cyber defense can achieve by using business specific historical data to understand normal behavioral patterns and detect anomalous activity. This provides more affective, prioritized alerts and quicker decision-making. This approach moves beyond simple signature detection which flags everything so that your staff is focused on the most important (i.e. most dangerous) events.
Automate and Streamline Responses – Operationalizing cyber response is critical in an environment in which, according to the same IDC survey, more than 40% of cyber security professionals still review alerts manually. Security personnel have many competing priorities, including analyzing alerts. Limit analysts to judging alerts and defending the company, not responding to them. Response is better handled either by your infrastructure team or by a separate incident response team that has well-thought-through remediation plans for different types of attacks. Let your security analysts focus on what to do to keep your company secure and leverage others to do the work. In this design, correlating alerts with relevant threat intelligence and analysis tools maximizes the effectiveness of the analysis stage. Automatically capturing relevant information, managing workflow, and seamlessly integrating into ticketing systems quickly frees your analysts to deal with the next threat. By effectively prioritizing threats and minimizing the pre-analysis and post-analysis activities your security analysts can best defend your company.
As the number of cyber attacks increase exponentially and these attacks become more complex, the volume of alerts facing today’s cyber professionals will only continue to grow. To effectively manage cyber security alerts volume, rethink everything about cyber security. Alert monitoring should entail a thorough assessment of effectiveness and a realization that increasing volumes cannot be managed by a staff already overwhelmed. Consider proactive testing, refreshing policy and outsourcing to manage volume. The companies that do will be better able to cut through the noise – to identify and act on their most critical cyber threats and operationalize their defenses.