The Alert-Overload Problem
Companies invest billions of dollars in hardware, software, and services to protect their networks, applications, and data against devastating cyberattacks. From firewalls and intrusion prevention to anti-virus and endpoint security, these technologies alert security professionals to anomalies, threats, and breaches so they can apply safeguards and thwart attacks before any damage is done.
However, this mass of technology has created a daunting challenge for IT security personnel. Each of these tools and applications generates alerts to indicate when something out of the ordinary may be occurring – though, most of the time, the alerts are false positives that don’t represent real threats. Multiply those alerts – false positives and all others – by the number of systems across a single network, and it’s easy to see how incident-response teams become inundated with thousands of alerts per day, most of them redundant or false positives.
The alert-overload challenge has been an ever-increasing problem for security professionals and, until now, they’ve only had a few options to address the issue:
- Reduce the volume of alerts by narrowing the alert criteria or even turning off specific features in a given security application;
- Manually cherry-pick the alerts for investigation;
- Hire more incident-response personnel to investigate the growing volume of alerts; or
- Ignore the alerts altogether – the worst possible outcome of alert overload.
The first two choices create significant security vulnerabilities. While most of the alerts are unlikely to indicate an actual threat, they still need some level of review to ensure there isn’t a deeper issue. Narrowing evaluation criteria, turning off security features, or arbitrarily deciding which alerts are significant creates the very real possibility that an actual threat will get through. Hiring the necessary number of qualified, experienced personnel to review, investigate, and analyze such a large number of alerts is expensive and resource-intensive, and it prevents organizations from providing the best level of service and security. As for the last option, ignoring alerts from solutions deployed to protect the organization is both highly dangerous and a waste of the technology investment.
Traditional security information and event management (SIEM) solutions have tried to solve this problem by providing a deeper level of insight into alerts and anomalies as they happen. Security event orchestration technologies took SIEM a step further by helping companies “reduce the time to research a given incident.” But with both classes of solution, the incident-response teams are still left with an unmanageable volume of alerts to investigate.
The only way for enterprises and MSSPs to break out of this “tyranny of alerts” operating model is to solve the alert-overload problem, so they can focus their personnel on solving actual problems rather than wasting time on false positives.