Alert fatigue is dangerous for infosec pros not only because it wears them out; it also numbs them into ignoring evidence of a real attack. That reportedly was a factor in the 2013 Target breach.
The solution isn't for the SIEM or similar system to deliver fewer alerts, but to push out ones with better context so the security team can make better decisions.
Easy to say but harder to do. But Joshua Goldfarb of intrusion detection vendor FireEye has come up with a solution he calls a "narrative-driven" security model to get it going. Each event needs a narrative around it: when it happened, on which device(s) it happened, whether it looks like a targeted attack and so on. Briefly, the idea is to funnel to the team a reasonably-sized queue of narratives. In a recent column Goldfarb offered a nine-step process for getting there. It's an approach CISOs should think about. The steps are:
– Identify the organization's risks, goals, and priorities;
– Identify and fill gaps in your log and other data;
– Develop content that links prioritized risks and threats to activity;
– Improve the signal-to-noise ratio to get a small number of more reliable, higher-fidelity alerts based upon the content;
– Concentrate alerts into a unified work queue;
– Enrich with automated supporting evidence such as the user, asset(s) and common procedural steps;
– Automate common analysis steps;
– Interleave intelligence on the threat: is it mass malware or targeted? Is a particular repetitive network activity caused by a misconfiguration, or does it match a pattern often used by a specific attack group?
– Finally, send the narrative. Ideally, far less work is now required for the analyst to make an informed decision, Goldfarb writes. "Detection is greatly improved, as alerts no longer fall through the cracks or fly under the radar. Analysts spend less time waiting for queries to return, making them far more efficient. Response is much more rapid, as the time to an informed decision is greatly reduced."
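To make the later steps concrete (concentrating alerts into one queue, enriching them with user and asset context, automating the scoring, and interleaving "mass malware or targeted?" intelligence), here is an added illustration that is not code from Goldfarb or FireEye. All alerts, inventories, intel labels and field names are constructed assumptions, not any SIEM's schema.

```python
"""Added illustration of the narrative-driven model: concentrate, enrich,
automate, interleave intel, then hand the analyst one narrative per actor.
All alerts, inventories and intel labels below are constructed sample data;
the field names are assumptions, not any SIEM's schema."""
from collections import defaultdict

# Constructed raw alerts as a SIEM might emit them (timestamps are ISO 8601 UTC).
ALERTS = [
    {"ts": "2024-05-01T09:02:00Z", "host": "fin-srv-03", "user": "svc_backup", "rule": "new_scheduled_task"},
    {"ts": "2024-05-01T09:05:30Z", "host": "fin-srv-03", "user": "svc_backup", "rule": "outbound_to_rare_domain"},
    {"ts": "2024-05-01T09:06:10Z", "host": "fin-srv-03", "user": "svc_backup", "rule": "outbound_to_rare_domain"},
    {"ts": "2024-05-01T14:40:00Z", "host": "hr-wks-12", "user": "jdoe", "rule": "av_signature_match"},
]
# Constructed enrichment sources: asset inventory, identity directory, threat intel.
ASSETS = {"fin-srv-03": {"role": "finance database", "criticality": "high"},
          "hr-wks-12": {"role": "workstation", "criticality": "low"}}
USERS = {"svc_backup": {"kind": "service account"}, "jdoe": {"kind": "employee"}}
INTEL = {"outbound_to_rare_domain": "targeted", "new_scheduled_task": "targeted",
         "av_signature_match": "mass malware"}


def build_narratives(alerts):
    """Group alerts by (host, user), enrich each group, score it, and return
    the narratives sorted so the analyst sees the most urgent one first."""
    groups = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        groups[(alert["host"], alert["user"])].append(alert)

    narratives = []
    for (host, user), events in groups.items():
        rules = [e["rule"] for e in events]
        intel = {INTEL.get(r, "unknown") for r in rules}
        asset = ASSETS.get(host, {"role": "unknown", "criticality": "unknown"})
        # Automated priority: a critical asset, targeted intel, and the breadth of
        # distinct behaviours seen on one actor each raise the score.
        priority = ((2 if asset["criticality"] == "high" else 0)
                    + (2 if "targeted" in intel else 0) + len(set(rules)))
        narratives.append({
            "host": host, "user": user, "asset": asset,
            "user_kind": USERS.get(user, {}).get("kind", "unknown"),
            "first_seen": events[0]["ts"], "last_seen": events[-1]["ts"],
            "rules": rules, "intel": sorted(intel),
            # Repeats of one rule are flagged so the analyst checks for a misconfiguration.
            "repeated_rules": sorted({r for r in rules if rules.count(r) > 1}),
            "priority": priority,
        })
    return sorted(narratives, key=lambda n: n["priority"], reverse=True)


if __name__ == "__main__":
    for n in build_narratives(ALERTS):
        print(n["priority"], n["host"], n["user"], n["intel"], n["rules"])
```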
Most alerting technologies are too noisy and show too little context, Goldfarb has written, preventing enterprises from properly understanding which alerts to focus on and in what context they fired. And forensics technologies perform too slowly to allow enterprises to rapidly assemble a detailed picture of the narrative and identify what needs to be contained.
Will his system work for every CISO? That can be answered only by looking at your organization's history of dealing with alerts. But if you're unsatisfied with what's being done now