Alert fatigue is dangerous for infosec pros not only because it wears them out; it also numbs them into ignoring evidence of a real attack. That reportedly was a factor in the 2013 Target breach.
The solution isn’t simply for the SIEM or similar system to deliver fewer alerts, but to push out ones with better context so the security team can make better decisions.
Easy to say but harder to do. Joshua Goldfarb of intrusion detection vendor FireEye has proposed a way to get there that he calls a “narrative-driven” security model. Each event needs a narrative around it: when it happened, on which device(s) it happened, whether it looks like a targeted attack, and so on. Briefly, the idea is to funnel to the team a reasonably sized queue of narratives rather than a flood of raw alerts. In a recent column Goldfarb offered a nine-step process for getting there. It’s an approach CISOs should think about. The steps are:
● Identify the organization’s risks, goals, and priorities;
● Identify and fill gaps in your log and other data;
● Develop content that links prioritized risks and threats to activity;
● Improve signal-to-noise ratio to get a small number of more reliable, higher fidelity alerts based upon the content;
● Concentrate alerts into unified work queue;
● Enrich with automated supporting evidence such as the user, asset(s) and common procedural steps;
● Automate common analysis steps;
● Interleave intelligence on the threat: is it mass malware or targeted? Is a particular repetitive network activity caused by a misconfiguration, or does it match a pattern often used by a specific attack group?
● Finally, send the narrative: Ideally, far less work is now required for the analyst to make an informed decision, Goldfarb writes. “Detection is greatly improved, as alerts no longer fall through the cracks or fly under the radar. Analysts spend less time waiting for queries to return, making them far more efficient. Response is much more rapid, as the time to an informed decision is greatly reduced.”
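To make steps 5 through 9 concrete, here is a small Python pipeline that concentrates a raw alert stream into one work item per user, enriches each with asset and identity context, runs the routine analysis (time span, hosts touched, external destinations), folds in a threat-intelligence classification, and emits a scored narrative. This is an added example, not Goldfarb’s code or anything from his column; the alert field names, the asset and user inventories, the risk weights, the “targeted” and “misconfiguration” rule mappings, and the sample alerts themselves are all constructed here as assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample alerts, in the shape a SIEM might emit them. Field names
# and values are assumptions for this example, not real telemetry.
RAW_ALERTS = [
    {"ts": "2024-05-01T03:12:05Z", "rule": "c2_beacon", "host": "pos-0417", "user": "svc_pos", "dst": "203.0.113.7"},
    {"ts": "2024-05-01T03:12:09Z", "rule": "c2_beacon", "host": "pos-0417", "user": "svc_pos", "dst": "203.0.113.7"},
    {"ts": "2024-05-01T03:15:40Z", "rule": "new_admin_login", "host": "dc-01", "user": "svc_pos", "dst": ""},
    {"ts": "2024-05-01T03:20:01Z", "rule": "dns_failure", "host": "wks-112", "user": "jdoe", "dst": "10.0.0.53"},
    {"ts": "2024-05-01T03:20:02Z", "rule": "dns_failure", "host": "wks-112", "user": "jdoe", "dst": "10.0.0.53"},
    {"ts": "2024-05-01T03:20:03Z", "rule": "dns_failure", "host": "wks-112", "user": "jdoe", "dst": "10.0.0.53"},
    {"ts": "2024-05-01T04:01:10Z", "rule": "av_detection", "host": "wks-233", "user": "asmith", "dst": ""},
]

# Steps 1 and 3: a risk weight per rule, set from the organization's own priorities (assumed values).
RISK_WEIGHT = {"c2_beacon": 40, "new_admin_login": 30, "av_detection": 10, "dns_failure": 2}

# Step 6: asset and identity inventories used for enrichment (constructed).
ASSETS = {
    "pos-0417": {"role": "point-of-sale terminal", "criticality": 3},
    "dc-01": {"role": "domain controller", "criticality": 5},
    "wks-112": {"role": "workstation", "criticality": 1},
    "wks-233": {"role": "workstation", "criticality": 1},
}
USERS = {
    "svc_pos": {"dept": "retail IT", "privileged": False},
    "jdoe": {"dept": "finance", "privileged": False},
    "asmith": {"dept": "marketing", "privileged": False},
}

# Step 8: threat intelligence. Rules whose signatures are tied to a tracked intrusion set
# (hypothetical mapping), and rules that a stuck client can fire over and over.
TARGETED_RULES = {"c2_beacon"}
MISCONFIG_RULES = {"dns_failure"}
PRIORITY_FACTOR = {"targeted": 2, "commodity": 1, "likely misconfiguration": 0}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True for a destination outside the RFC 1918 ranges; an empty string means no destination."""
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def concentrate(alerts):
    """Step 5: collapse the raw stream into one work item per user."""
    by_user = defaultdict(list)
    for alert in alerts:
        by_user[alert["user"]].append(alert)
    return by_user


def classify(events):
    """Step 8: targeted, mass malware, or a noisy misconfiguration?"""
    rules = {e["rule"] for e in events}
    if rules & TARGETED_RULES:
        return "targeted"
    # Same rule, one host, one internal destination, repeated: a stuck client, not an attack.
    pairs = {(e["host"], e["dst"]) for e in events}
    if rules <= MISCONFIG_RULES and len(pairs) == 1 and len(events) >= 3 and not is_external(events[0]["dst"]):
        return "likely misconfiguration"
    return "commodity"


def build_narrative(user, events):
    """Steps 6-9: enrich, run the routine analysis, fold in intel, and write the story."""
    events = sorted(events, key=lambda e: e["ts"])
    rules = sorted({e["rule"] for e in events})
    hosts = sorted({e["host"] for e in events})
    externals = sorted({e["dst"] for e in events if is_external(e["dst"])})
    max_crit = max(ASSETS[h]["criticality"] for h in hosts)
    verdict = classify(events)
    # Distinct signals are weighted, not raw counts, so a repeating alert cannot inflate the score.
    score = sum(RISK_WEIGHT[r] for r in rules) * max_crit * PRIORITY_FACTOR[verdict]
    host_desc = ", ".join("%s (%s)" % (h, ASSETS[h]["role"]) for h in hosts)
    summary = (
        f"{user} ({USERS[user]['dept']}): {len(events)} alerts collapsed to {len(rules)} signal(s) "
        f"[{', '.join(rules)}] across {host_desc} between {events[0]['ts']} and {events[-1]['ts']}; "
        f"external contact: {', '.join(externals) or 'none'}; assessment: {verdict}."
    )
    return {"user": user, "hosts": hosts, "rules": rules, "externals": externals,
            "verdict": verdict, "score": score, "summary": summary}


def work_queue(alerts):
    """The analyst's unified queue: one narrative per work item, highest score first."""
    return sorted((build_narrative(u, ev) for u, ev in concentrate(alerts).items()),
                  key=lambda n: n["score"], reverse=True)


if __name__ == "__main__":
    for item in work_queue(RAW_ALERTS):
        print(f"[{item['score']:>4}] {item['summary']}")
```

Run as is, the seven raw alerts become three narratives. The service account that beaconed from a point-of-sale terminal and then appeared as a new admin on a domain controller lands at the top of the queue, tagged targeted, with the external address already pulled out; the three identical DNS failures from one workstation to an internal resolver are tagged as a likely misconfiguration and scored to the bottom, which is the kind of repetitive noise the column says should be recognized rather than triaged by hand.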
Most alerting technologies are too noisy and show too little context, Goldfarb has written, preventing enterprises from properly understanding which alerts to focus on and in what context they fired. And forensics technologies perform too slowly to allow enterprises to rapidly assemble a detailed picture of the narrative and identify what needs to be contained.
Will his system work for every CISO? That can be answered only by looking at your organization’s history of dealing with alerts. But if you’re unsatisfied with what’s being done now