Earlier this year, the security team of an organisation faced the uncomfortable reality that despite their increased investments in cyber security, they were not generating the outcomes they had envisaged. The core of the issue was that their Security Operations Centre (SOC) analysts were overworked and suffering from "alert fatigue."
They’d started out with high hopes of helping to fight off cyber attackers and protect citizens’ data. In reality, they spent every day chasing down hundreds of security alerts that inevitably turned out to be false positives.
For a smart analyst, repeatedly chasing red herrings is mind-numbing and demoralising—the equivalent of making a rocket scientist teach high school physics.
And alert fatigue isn’t just soul destroying—it also kills focus. If your analysts are dealing with waterfalls of alerts, their main focus will be on the tedious process of closing out tickets as quickly as possible. Bored and primed to expect another false positive, there’s a very good chance they’ll miss the subtle signs of an intruder in your system.
Why is your SOC dealing with hundreds of daily alerts?
The false positives that make it difficult for your SOC to do its job properly are being created by a perfect storm of:
- Misguided KPIs – In the early days of cyber defence, one of SOC’s KPIs was the number of alarms. Today, to create the illusion of delivering value, some vendors still make their rules as generic as possible with the goal of generating lots of alerts.
- Outdated rules – Threat actors are constantly changing their tools and tactics to avoid getting caught. These days, the common indicators of compromise—high network traffic, after-hours infrastructure logins, multiple password attempts or admin usage—are more likely to indicate tired employees than master criminals at work.
- False information – Cyber criminals not only know how to cover their tracks, they’ve also learned to mess with your detection systems. Today’s attackers seed open-source intelligence databases with misleading information to create false positives; disguise themselves as legitimate users; and use obfuscation techniques where malicious code is padded out with the different code to fool monitoring software.
SOCs know this and are investing in broadening the scope of their detection rules to catch up. But cyber attackers are changing tactics so fast that the gap between them and their pursuers is widening.
Over the past year, organisations have experienced an 18 percent increase in security breaches, with the cost of cybercrime sky-rocketing by 26 percent. It’s incredibly difficult to prevent breaches without knowing a) how to detect them, or b) how to respond to breaches if they’ve happened.
Due to the overwhelming demand on an analyst’s time, it is possible that some alerts may be missed or not fully investigated.
How can we reduce alert fatigue and let analysts do their job?
Organisations need to focus their monitoring efforts on identifying threats that matter, while significantly reducing the amount of background noise that tortures analysts in traditional SOCs. This requires intimate knowledge of your threat.
Using tailored intelligence, based on the geographic background and motive of the attacker, significantly increases the likelihood of detection. We now have a vast amount of information on the tactics, techniques and procedures (TTP) used by criminal groups in recent cyber incidents around the world. By prioritising and mapping to the TTP frameworks of known attackers, your SOC will be able to create new, highly targeted monitoring rules built and updated frequently to detect the TTPs most relevant to your organisation.
By applying these strategies, the organisation mentioned at the beginning of this blog has reduced its alerts from 300 to 20 per day. Freed from the torment of false positives, its much more motivated analysts are now monitoring four times as much traffic. Now analysts are coming to work and tackling genuine threats, enhancing the organisation’s ability to detect the activity of the most sophisticated threat actors and contain, eradicate and remediate breaches once detected.
Is your SOC at risk?
Organisations should consider alert fatigue as a deadly threat—one that can be substantially mitigated through embedding intelligence. An intelligence-driven approach helps focus security efforts where they are needed, which has the potential to significantly reduce the time it takes to detect breaches. It will also give analysts time to perform challenging, high-value security operations like threat hunting, allowing your SOC to detect and contain attacks faster, and enabling your organisation to grow confidently.
Copyright © 2019 Accenture. All rights reserved