Prevent alert fatigue with actionable threat intelligence
Suspicious. Suspicious. Suspicious. You scroll down as you sift through your thousandth false positive today. And it’s not even noon. You take a small break, after one last glance at the screen. After all, no real threat has been detected in months. What could go wrong?
As you walk away from your screen, the malware attack that has been testing your defenses for weeks finally breaks in…
If only you had tracked those IPs earlier. If only your perimeter defenses were up. If only you hadn’t ignored those alerts! Yet, if it’s any consolation, it could have happened to anyone. In fact, according to the Cisco Security Capabilities Benchmark, four out of 10 security alerts are never investigated and, out of 5,000 daily security alerts, more than 600 legitimate ones are ignored. The main culprit? Alert fatigue!
The Burden of Data
Alert or alarm fatigue is when a large number of alerts, received over an extended period, desensitize the people tasked with managing them. This eventually leads to missed or ignored information or severely delayed responses to actual incidents. When it comes to SOCs, alert fatigue can also lead to severe employee burnout.
In the world of cybersecurity, Big Data is indeed “big” - 27% of organizations receive more than 1 million security alerts per day. This not only creates alert fatigue for security professionals, but also keeps them from performing other vital functions for their customers.
Under these circumstances, it’s no wonder the same Cisco study claims organizations can’t investigate more than 56 percent of security alerts. This has become more pervasive since enterprises have moved their businesses into the cloud, generating thousands of daily transactions.
The second issue is that a massive number of these alerts are false positives. In the past 10 years, a lot of data breaches come with explanations such as “one of our systems detected the issue but was ignored.” A team consisting of a handful of people simply can’t go through that much data every day. A good example is the massive 2013 Target data breach which, according to a research paper, could have been prevented -- not one, but multiple detection products issued warnings.
So, what can be done to prevent alert fatigue and minimize its potentially damaging effects? It may come as a surprise, but the key is threat intelligence!
Alert Management and TI – A Winning Combination
Alert management is a process that many SOCs use or aim to implement. It’s generally based on a “prepare, react, resolve, and learn” model and can greatly speed up the analysis of security intelligence.
Useful as it may be, alert management can’t really sort through the countless alerts a system receives. That’s where threat intelligence comes in.
Threat intelligence (TI) provides timely, rich information that can influence decision-making and alert management. Crucially, threat intelligence provides relevant information.
Threat intelligence can help manage alerts from the “prepare” phase as it offers information not just about threats, but also about the environment they operate in. That malware attack? It could have easily been prevented from the early stages if a TI solution had recognized its source as being a proven source of malware, rather than just a “suspect”.
In other words, threat intelligence helps by connecting the dots between constant alert activity and relevant external threats. This narrows the area for investigation, and warns the security professional if an alert has escaped his or her watch.
Choosing the right solution
While most threat intelligence solutions can offer information about a wide range of threats, you need to look for one that can not only deliver the right information, but also deliver it in the right format and at the right time. Look for threat intelligence that can be automatically ingested and included in the decision-making process.
Supported by 18 years of experience and fed by hundreds of millions of sensors, Bitdefender’s new Advanced Threat Intelligence eliminates long-standing blind spots for security analysts and delivers real-time insights into the cyber-threat landscape to Security Operation Centers (SOCs) of all types.
Our unique, platform-agnostic approach, compatible with any SIEM familiar with consuming a REST API, lets other security professionals integrate our cyber-threat intelligence in minutes on any platform or infrastructure. Moreover, it supports the latest version of the STIX&TAXII protocols.
Alert fatigue is a widespread issue that can affect your company, your employees, and your clients. A threat intelligence solution would save your security professionals a lot of time and your partners and clients a lot of worries.