How many security alerts does a security operation center (SOC) have to deal with during an average day? New research from Imperva claims that 27% of IT professionals reported receiving more than 1 million alerts a day, and 55% received more than 10,000 a day – or nearly 7 per minute!
To try and address this deluge, 10% of respondents said that they are hiring additional SOC engineers to assist with processing these alerts, while 57% said that they are adjusting their policies to reduce alert volume. However, even when SOC teams take steps to address or reduce the volume of alerts, the report found that they still face challenges in managing them. 53% noted that their organization’s SOC struggles to pinpoint which security incidents are critical and need attention, versus those that are irrelevant or false positives. So, it’s no surprise that 30% of respondents admitted to simply ignoring certain categories of alerts. Worryingly, 4% said they turned off their alert notifications altogether, and more than half the respondents (54%) experienced significant stress and expressed frustration with their jobs.
When alert fatigue hits, neglect follows
In this context it is easy to see why it could be tempting to disregard alerts. But ignoring alerts can and will lead to genuine security issues being missed, and all the resulting business, financial, legal and reputational consequences. So, what can organizations do to help reduce alert overload, mitigate the risk of a critical incident being missed, and make life much easier and happier for the SOC team?
Sorting the wheat from the chaff
One of the reasons for alert overload is that in many cases, the SOC team doesn’t have automated processes to help them quickly understand the impact of a security incident on their business. There are, however, 3 key techniques which SOCs can use to streamline their processes, cut alert fatigue and focus actions on real security priorities:
Visibility: Having full visibility of the network and application connectivity enables security teams to respond to incidents more efficiently and effectively. Blind spots on the network – especially as organizations move towards next-generation technologies such as cloud and SDN – can delay investigation of incidents after the initial alert. So improving visibility across all network environments can significantly reduce remediation time.
Business context: Business context is all about connecting the technical network parameters related to a security incident to the actual, real-life, business processes and applications that the incident may impact. Through this linkage, security professionals can prioritize and address incidents quickly, weighing up the security vs. the operational risks of potential business downtime.
Connectivity analysis: Connectivity analysis gives the SOC team a deeper understanding of the potential impact of an incident, showing the scale of the security risk by indicating how far the attack could potentially spread. For example, if a server has been infected by malware, it may try to infect other systems on the network, to exfiltrate data, or to download further malicious code from external addresses. The structure of the network and the location of the compromised device will dictate the potential severity of the attack. So, if a server in the path of an attack can connect to the internet, resolving the issue should be a high priority to avoid data breaches. But if the server cannot access the internet, the risk may be lower, and therefore mitigation may not be a high priority.
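As an added illustration (not code from the original post), the script below scores a batch of alerts by combining business context (which application an asset serves and how critical it is) with a connectivity analysis (which zones, including the internet, the affected host can reach). All hosts, zones, applications and alerts are constructed for the example; a real SOC would pull this data from its CMDB and network model.

```python
from collections import deque

# Constructed network model (hypothetical): host -> zone, and which zones may
# initiate connections to which other zones.
ZONES = {"web-01": "dmz", "app-07": "app", "db-03": "data", "lab-02": "lab"}
REACH = {"dmz": {"internet", "app"}, "app": {"data"}, "data": set(), "lab": set()}

# Constructed business context: host -> (application, criticality 1..3).
BUSINESS = {"web-01": ("customer-portal", 3), "app-07": ("customer-portal", 3),
            "db-03": ("billing", 3), "lab-02": ("sandbox", 1)}

# Constructed alerts: the same malware signature firing on four different hosts.
SAMPLE_ALERTS = [{"host": h, "rule": "malware.beacon", "severity": 3}
                 for h in ("lab-02", "db-03", "web-01", "app-07")]


def reachable_zones(zone):
    """Connectivity analysis: breadth-first search over the zone graph."""
    seen, queue = set(), deque([zone])
    while queue:
        for nxt in REACH.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def score_alert(alert):
    """Weight raw severity by business criticality and by how far it could spread."""
    host = alert["host"]
    app, criticality = BUSINESS.get(host, ("unknown", 2))
    reach = reachable_zones(ZONES.get(host, "unknown"))
    score = alert["severity"] * criticality
    if "internet" in reach:
        score *= 2          # possible exfiltration or download of further payloads
    if "data" in reach:
        score += 3          # could spread into the data zone
    return {"host": host, "app": app, "reach": sorted(reach),
            "blind_spot": host not in ZONES,   # visibility gap: no network model
            "score": score}


def triage(alerts):
    """Return alerts ranked so the one that really matters comes first."""
    return sorted((score_alert(a) for a in alerts),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

With the constructed data, the DMZ web server that can reach both the internet and the data zone ranks first, while the isolated lab host with the identical signature ranks last.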
Expecting SOC teams to sort manually through a million alerts each day is neither practical nor feasible. But equipping the SOC with the ability to automate analysis based on business impact will help them find that one alert in a million that really matters.