Can you be too alert to threats?

Are you paying for alarms that routinely get ignored? Alarm fatigue compromises your readiness.

By Bill Clark

Fri 12 Apr 2019 @ 16:45

Keeping an organisation’s IT infrastructure up and running is a major challenge. Keeping it secure is even more difficult. However, it’s absolutely essential. But your security operations centre and your cybersecurity team may be too ‘alarmed’ to be effective.

A Cisco study found that 44 per cent of security alarms are never investigated. Of the 56 per cent of alarms that are investigated, 28 per cent are found to be legitimate.

Of the legitimate alarms, 46 per cent are remediated with the remainder left unrectified.

If one extrapolates from the legitimate alarms that are identified, that means about a quarter to a third of uninvestigated alarms may represent legitimate threats that get away with their wicked deeds.

So why would these alarms go uninvestigated?

Too much noise. Too many false alarms. Too little information.

It’s no secret that the cybersecurity skills shortage means companies have a hard time filling positions in their security teams. Of the staff that are there, 79 per cent say they have too much work and too little time to deal with the workload. That has real consequences for security.

A survey conducted by the Cloud Security Alliance found that almost 32 per cent of respondents ignore security alarms because they have too many false positives. Meanwhile, more than 40 per cent of respondents found that the alarms they received lacked sufficient data to be actionable.

Too many alarms overwhelm staff and they either can’t keep up or, worse, stop trying to address them. For example, the Sony data breach of 2015 was identified by systems as malicious activity and an alarm was sent. The alarm was one of 40,000 at the company that month.

Another issue is that there are too many systems to deal with. Of the enterprises responding in the CSA survey, half are using between one and five tools that produce alarms. The rest are using more, with 13 per cent using more than 20 tools, all firing off alarms.

Navigating crowded waters

By using user and entity behaviour analytics (UEBA), security professionals will have fewer false alarms to deal with. UEBA looks for unusual activity in the system based on actual use patterns. Alarms aren’t triggered because of a generic rule. This can reduce false positives and improve the rate of false negatives (when a genuine incident escapes detection and does not trigger an alarm).

However, some false positives are still likely to happen. It’s best practice to investigate those as you would any alarm and learn from them.

Because it’s not possible to eliminate the possibility of false positives, how can you minimise the fatigue they cause?

As mentioned earlier, another cause of alarm fatigue is when analysts have an alarm but no intelligence to act on. Next-generation SIEM systems ranks potential threats, lists them by urgency. Analysis of system and network behaviour means that alarms can be responded to more quickly.

A good SIEM system should bring the full picture of the organisation together into a single-pane view. Using multiple tools that produce alarms means your SOC staff can never get a complete overview of the organisation. Flipping from one application to another, perhaps even having to physically move to another screen, all while trying to piece it together in their head, increases the chance of errors.

Maintaining balance

Cybersecurity is hard work. Your staff know it and so do you. It’s good business to make their job as easy as possible. Reducing the volume of alarms means they’re going to be able to respond when it really matters.

Learn more

Learn how LogRhythm strikes the right balance, so that your SOC staff remain at peak performance.