Let's take the example of the famous breach that happened at Target Corp in 2013. In this breach hackers stole data for some 40 million Target credit cards by accessing point of sale (POS) systems. Target later revised that number to include the theft of private data for 70 million customers. This was huge!
Target Corporation itself found out about this breach only when it was contacted by the Department of Justice. They were caught unaware. You know why?
“There were many missteps before the breach happened, but a big one was that Target missed 'internal alerts'!"
Two Things Went Wrong At Target:
1. While the attack was in progress, monitoring software (FireEye) alerted staff in Bangalore, India, who in turn notified Target staff in Minneapolis. No action was taken because these alerts were included with many other likely false alerts.
2. It also appeared that at least some of the company's network infiltration alerting systems were turned off to reduce false positives.
Trust me, alert fatigue is a real problem in IT security. It makes security analysts click through 'events' looking for the smallest reason they can find to DISMISS the event so they won't need to escalate, or further investigate, the issue.
You all know that one innocent looking event could put you on the trail of a bad actor in the environment. Each event must be investigated thoroughly to make sure that there is no evidence of an incident. But Alert fatigue forces security analysts to go in the opposite direction...
Any big company sees 10,000+ new alerts every day. What would you do when 50-60% of these alerts are false positives, or 60-70% of them are actually redundant? Do you expect to review all these alerts manually? If you do, then just think of what is going to happen to your security analysts in the SOC. They would be extremely overloaded. They simply won't have enough time to investigate the alerts which do matter to the organisation. Right?
Thus, reducing alert fatigue should always be a goal you pursue in IT security, but there’s more to it. A better signal-to-noise ratio means responders and analysts are more likely to see meaningful trends.
Deploying A Good Security Solution is NOT ENOUGH
A good security solution should use the 'context' of the alert to give you the best of both worlds: fewer, higher quality alerts.
It should drive your team to the events that most need attention via 'strong prioritization'.
It should track all the internal data of your network, but it must also ingest Threat Intel from various external sources.
A company needs to identify what threats are relevant to them because of the systems they use, the data they have, and their threat profile. For example, a retail company that deals with both online and in-store sales would want to alert on:
- threats to their e-commerce platform
- threats to POS systems
- threats reported by an industry-specific information sharing group, such as the R-CISC
- general threats to Windows systems, including ransomware, credential theft or malware
- custom alerts based on things that they have seen in their environment before
THERE IS ONE MORE IMPORTANT STEP: TUNING
This seems obvious, but it is often overlooked. Let me first tell you what I mean by tuning.
Tuning is a combination of STEPS which you take to:
Each of these steps will help your analyst by refining alerts being looked into.
VERY IMPORTANT:
Tuning needs to be a balanced approach that will reduce the number of unnecessary events received and ensure that there are no blind spots an attacker can take advantage of to slip by unnoticed.
The first step of tuning is to figure out what is important to alert on and what is not.
In my opinion there is a big section of alerts that can be immediately kicked out of the analyst's queue. For example, blocked attacks. These are attacks that were actually blocked by the security technology guarding the perimeter, the internals of the network and the endpoints. Alerts that only say something was blocked need not be sent to security analysts.
What Alerts Do You Care About?
Removing blocked attacks helps the analyst pay more attention to potential incidents that were not stopped. After you’ve done that, the next matter of importance is: what alerts do you care about? To determine that takes a bit of research. You need to determine what impacts you the most, down to what could be a threat but may, or may not, be worth investigating.
That involves knowing:
- where sensitive information is located
- how it can be accessed, and how it should be accessed (two very different things)
- who has access
- what traffic is normal on the network
- what should be on the endpoints (the security baseline for endpoints)
- and many other variables
Then you truly start your TUNING.
You begin with establishing the Baseline (what is normal in your network?)
Then you decide upon the type of Threat Feeds you would need. While establishing your company's threat landscape, you may also filter out some noise by using GreyNoise.io. To determine what alerts are valuable you need to know what is worth investigating. You need to know what the threat landscape is for your industry and for your organization specifically. Once you have that information you will have a good idea of what you should be on the lookout for. This is your threat landscape. If you take your threat landscape and apply it to the baseline of "known good", you will have a good idea of what alerts you need, what alerts would be useful, and how to configure those alerts for your organization. This, just like your baseline, is not a static target, and you must stay up to date on new threats and information. Once again, adaptability is key to success.
I recommend implementing your own CUSTOM alert 'rules' in a testing environment first, while making sure that you are the only one monitoring the new alert. That way you can tune your rule before you start acting on it. Doing it this way helps ensure you will deliver a rule that can be trusted immediately.
Always keep in mind the goal of tuning is to protect your organization. This is only achievable when alerts are able to be investigated in a timely manner and analysts are able to look through events without doubting the validity of the alerts or becoming overwhelmed by the volume of alerts.
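To make the tuning steps above concrete, here is an added example (not code from the article or from any product it mentions) that applies three of them to a handful of constructed alerts: blocked events are dropped from the analyst queue, repeated events are merged, the remainder is ranked by asset criticality and threat-intel matches, and alerts from a rule still under test are routed to a separate queue that only its author watches. The asset prefixes, indicator value and rule names are assumptions made up for the example.

```python
# Constructed sample alerts; fields mirror a typical SIEM event. Not real data.
ALERTS = [
    {"id": 1, "rule": "malware_detected", "host": "pos-store-17", "action": "blocked", "src": "10.0.5.4"},
    {"id": 2, "rule": "malware_detected", "host": "pos-store-17", "action": "allowed", "src": "10.0.5.4"},
    {"id": 3, "rule": "malware_detected", "host": "pos-store-17", "action": "allowed", "src": "10.0.5.4"},
    {"id": 4, "rule": "port_scan", "host": "hr-laptop-3", "action": "allowed", "src": "198.51.100.7"},
    {"id": 5, "rule": "outbound_ftp", "host": "ecom-web-2", "action": "allowed", "src": "203.0.113.9"},
    {"id": 6, "rule": "new_admin_user", "host": "hr-laptop-3", "action": "allowed", "src": "10.0.9.2"},
]

# Context supplied by the tuning step (all values assumed for this example):
# asset criticality from the baseline, indicators ingested from an external
# threat feed, and rules that are still being tuned in the test environment.
ASSET_CRITICALITY = {"pos-": 3, "ecom-": 3, "hr-": 1}
THREAT_INTEL = {"203.0.113.9"}
RULES_IN_TEST = {"outbound_ftp"}


def criticality(host):
    """Weight of the affected asset; unknown hosts get 0."""
    return next((w for p, w in ASSET_CRITICALITY.items() if host.startswith(p)), 0)


def dedupe(alerts):
    """Collapse alerts that repeat the same (rule, host, src), keeping a count."""
    seen = {}
    for a in alerts:
        key = (a["rule"], a["host"], a["src"])
        if key in seen:
            seen[key]["count"] += 1
        else:
            seen[key] = dict(a, count=1)  # copy so the raw log is untouched
    return list(seen.values())


def tune(alerts):
    """Return (analyst_queue, test_queue).

    Blocked events leave the queue (they stay in the log for trend analysis),
    duplicates are merged, and the rest is scored by asset weight, threat-intel
    match and repetition. Alerts from rules under test go only to their author.
    """
    live = [a for a in alerts if a["action"] != "blocked"]
    analyst, test = [], []
    for a in dedupe(live):
        intel_hit = 5 if a["src"] in THREAT_INTEL else 0
        a["score"] = criticality(a["host"]) + intel_hit + min(a["count"] - 1, 2)
        (test if a["rule"] in RULES_IN_TEST else analyst).append(a)
    analyst.sort(key=lambda a: a["score"], reverse=True)
    return analyst, test
```

Of the six constructed alerts only three reach the analyst queue, led by the repeated POS event, while the threat-intel hit on the e-commerce host sits in the test queue until its rule is trusted.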
Please let me know what you think about this in the comment section. You can also share it with others if the information here helps you in some manner.
Kindly write your comments on the posts or topics, because when you do, you help me greatly in designing new quality articles and posts on cybersecurity.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and on social media platforms.
34,000+ professionals follow her on Facebook and are mesmerized by the quality of her posts.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, you can follow her on Facebook: Cybersecurity PRISM