Companies are becoming overwhelmed with data about security alerts, and it’s hindering their ability to make informed decisions about data protection. That’s the finding of a report released by analytics firm Prelert.
The firm surveyed over 200 tech professionals, including IT administrators and managers supporting the security function, along with information security professionals. 62% of respondents to the survey are seeing too many false positives, or are faced with too many alerts to handle.
Security analytics is ranking high for customer satisfaction among enterprise security pros, according to the report. When asked what technologies offered the greatest perceived value compared to total cost of ownership, respondents ranked it joint highest with cloud data encryption and threat intelligence services.
Could security analytics be the answer?
Analytics is a concept often applied to business areas like marketing and sales, or to operational tasks like fleet management. Increasingly, though, security professionals are finding that it might be able to benefit them, too.
Just as analytics software can find patterns in the kinds of people buying red shoes, the same concept can be applied to IT logs which typically collect huge amounts of data. It can look for emerging patterns in IT logs that might otherwise go unnoticed, such as matching data egress with suspicious IP addresses, or identifying unusual traffic between servers.
It can be difficult to mine through that data to find these incidents in the first place, and even if security pros do find suspicious activity, it can be difficult to scan through all of it and work out which of it needs the most attention.
Judging from the report, this is a real problem for security practitioners. A third of respondents to the Prelert survey complained that it was too difficult to distinguish normal from abnormal activity.
This is especially difficult because advanced attackers know how to cover their tracks. They will often use conventional IT tools like Powershell to move laterally throughout an organisation, stalking through the network performing the same kinds of commands that an IT admin or even a regular non-technical employee might use. If an attacker dumps a compressed password list as a small file to Dropbox via regular HTTP traffic, would IT staff ever notice that in the logs?
Another 33% said that it was difficult to prioritize threat remediation once those threats had been discovered. Part of this can be down to a lack of context. 38% said that this, in conjunction with a lack of uncorroborated data, lowered their confidence when it came to breach detection. A full half said that there were simply too many false positives.
Government IT pros are also taking notice of this. A recent study by Meritalk, which is a public/private partnership in Virginia, polled cybersecurity pros in federal, state, and local government in the US. On average, hackers that gained access to their networks stayed inside for 16 days before being detected, the survey found.
These government pros want to take a more aggressive stance towards security in the enterprise. Three quarters of them feel they’re too reactive, and 86% of them feel that using big data for security purposes would help them to shift that balance.
Using analytics for security isn’t simply installing analytics systems and flicking the switch. Companies must have the right data sources in their network to begin with, which means installing network monitors, conducting vulnerability scans, monitoring what’s running on client devices and logging remote access and firewall data.
Many companies will already be overwhelmed with information from these sources, though, which could mean that it’s high time for them to install something that marshals all that information and produces some firm, actionable intelligence.