It’s not uncommon for large enterprises to receive thousands of security alerts each month, thanks to analytics software configured to identify anomalies that may indicate a potential threat. However, an analyst is needed to look deeper into each alert to determine its validity. This has led to an industry-wide phenomenon known as ‘alert overload’ — which is only going to get worse as the technology gets better and a wider range of data sources generate more threat signals.
The overload problem occurs because “the system is unable to provide sufficient context up front to filter out the anomaly before it generates an alert, so it falls to the analyst to do that manually,” Haystax Technology Chief Technology Officer Rob Kerr told CSO in a recent interview. “This is a big problem because there are thousands of pieces of data on network logins, printer activity and building access logs. So there will be an alert when Bob — who typically works 9 to 5 every day — reenters the office at 7:30 one evening [or] prints a large file on a Sunday, accessing a file server that is normally off-limits to him.”
Kerr outlined for CSO five of the most common security analytics mistakes that trigger false positives:
- More alerts than you can process (“Turn off too many and you can miss events that are important.”)
- Only alerting for things that are happening right now (“Waiting until you see malicious activity puts your security team into response mode before they even start.”)
- Only looking at network data (“Many potentially malicious network events are more likely benign events that triggered your security analytics system.”)
- Not prioritizing alerts (“Security analytics systems that don’t effectively prioritize alerts waste your team’s time by asking them to clear low-value alerts when highly important alerts linger at the bottom of their queue.”)
- Alerts without context (“When your security team processes an alert, the first thing they will do is look for additional information that provides the context they need to clear it.”)
So what can organizations do to fix the alert overload problem? Kerr says that a system “filtering out minor activity and highlighting the highest-priority risks has the net effect of providing enough context to drastically diminish false positives and the burdens they place on overworked analyst teams.” One such system is the Haystax Analytics Platform™, which applies multiple artificial intelligence techniques and a pioneering ‘model-first’ approach to reason like a team of analysts and prioritize risks in real time at scale for more effective protection of critical systems, data, facilities and people.
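To make the mistakes listed above and Kerr's proposed fix concrete, here is a small Python triage routine added to this summary; it is example code, not part of the Haystax Analytics Platform or of Kerr's description. It takes anomaly alerts of the kind described (Bob's evening badge-in, his Sunday print job, his access to a normally off-limits file server), enriches each one with the context an analyst would otherwise look up by hand, clears alerts whose every anomalous component has a benign explanation on record, and ranks the remainder highest risk first. The alerts, the context sources (overtime approvals, on-call roster, access tickets, host criticality, roles that routinely print in bulk) and the weights are all constructed for the illustration.

```python
"""Context-enriched alert triage (added illustration; all data constructed)."""
from datetime import datetime

# Constructed sample alerts modelled on the article's scenarios: Bob badges back
# in one evening, prints a large job on a Sunday, and touches a file server he
# is normally not cleared for. Alice and Carol are constructed contrasts.
ALERTS = [
    {"id": "A1", "user": "bob",   "type": "badge_in",           "ts": "2017-05-10T19:30:00"},
    {"id": "A2", "user": "bob",   "type": "print_job",          "ts": "2017-05-14T11:05:00", "pages": 240},
    {"id": "A3", "user": "bob",   "type": "file_server_access", "ts": "2017-05-14T11:20:00", "host": "fin-fs01"},
    {"id": "A4", "user": "alice", "type": "file_server_access", "ts": "2017-05-14T02:10:00", "host": "fin-fs01"},
    {"id": "A5", "user": "carol", "type": "print_job",          "ts": "2017-05-10T18:05:00", "pages": 500},
]

# Constructed context sources: the information an analyst would otherwise
# gather manually for every alert before being able to clear it.
CONTEXT = {
    "approved_overtime": {("bob", "2017-05-10")},   # manager-approved late work, by day
    "weekend_oncall":    {("bob", "2017-05-14")},   # on-call roster, by day
    "access_grants":     {("bob", "fin-fs01")},     # temporary access tickets (user, host)
    "bulk_print_roles":  {"bob"},                   # users whose job routinely prints large jobs
    "host_criticality":  {"fin-fs01": 3},           # 1 = low ... 3 = high
}


def _off_hours(ts):
    """True outside a 9-to-5 weekday pattern (the baseline the article assumes for Bob)."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not 9 <= t.hour < 17


def assess(alert, ctx):
    """Split an alert into anomaly components and check each against context.

    Returns (score, unexplained, explained). The score sums the weights of the
    components no context accounts for; 0 means everything that made the event
    look anomalous has a benign explanation on record, so it can be cleared.
    """
    user, day = alert["user"], alert["ts"][:10]
    components = []  # (name, weight, benign explanation or None)

    if _off_hours(alert["ts"]):
        reason = None
        if (user, day) in ctx["approved_overtime"]:
            reason = "approved overtime"
        elif (user, day) in ctx["weekend_oncall"]:
            reason = "on weekend on-call roster"
        components.append(("off_hours", 1, reason))

    if alert["type"] == "file_server_access":
        host = alert["host"]
        reason = "access ticket on file" if (user, host) in ctx["access_grants"] else None
        # Weight restricted access by how sensitive the host is.
        components.append(("restricted_access", ctx["host_criticality"].get(host, 1), reason))

    if alert["type"] == "print_job" and alert.get("pages", 0) > 100:
        reason = "role routinely prints in bulk" if user in ctx["bulk_print_roles"] else None
        components.append(("bulk_print", 2, reason))

    score = sum(w for _, w, reason in components if reason is None)
    unexplained = [name for name, _, reason in components if reason is None]
    explained = [f"{name}: {reason}" for name, _, reason in components if reason]
    return score, unexplained, explained


def triage(alerts, ctx):
    """Auto-clear fully explained alerts; rank the rest highest risk first.

    Returns (queue, cleared): queue entries are (score, id, unexplained, explained)
    sorted by descending score; cleared entries are (id, explained) and keep the
    explanations so the decision stays auditable.
    """
    queue, cleared = [], []
    for alert in alerts:
        score, unexplained, explained = assess(alert, ctx)
        if score == 0:
            cleared.append((alert["id"], explained))
        else:
            queue.append((score, alert["id"], unexplained, explained))
    queue.sort(key=lambda entry: -entry[0])
    return queue, cleared


if __name__ == "__main__":
    queue, cleared = triage(ALERTS, CONTEXT)
    for alert_id, why in cleared:
        print(f"cleared {alert_id}: {'; '.join(why)}")
    for score, alert_id, unexplained, _ in queue:
        print(f"score {score} {alert_id}: unexplained {unexplained}")
```

Run as written, all three of Bob's alerts are cleared with their explanations recorded, while Alice's off-hours access to the high-criticality host outranks Carol's unexplained evening print job. The point is the shape of the pipeline rather than the particular weights: explanation happens before an analyst sees the alert, and whatever survives arrives already ordered.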
For more on Kerr’s thoughts on alert overload, check out the full piece on CSO Online. The article also appears in CIO and Network World.
# # #
NOTE: Are you attending next month’s Gartner Security & Risk Management Summit? The Haystax Technology team will be there, too. Please stop by our booth for a chat about how our Haystax Analytics Platform™ can help you solve your organization’s toughest security analytics challenges.