The Boy Who Cried Wolf Chinese


Jermale Kunstler, Aug 4, 2024, 1:45:04 PM, to anpetrucous
Not only must security pros contend with ever-increasing attacks on their networks, they also must finagle the tool sets guarding their systems to make certain settings are as they should be, reports Greg Masters.

The results of an April 2017 study, "A Day in the Life of a Cyber Security Pro," an Enterprise Management Associates info brief written by David Monahan for Bay Dynamics, illustrates the challenge: Respondents identified that they have to deal with a large number of vulnerabilities in their organizations. On average, 10 vulnerabilities exist per system. In fact, nearly three-quarters of security teams stated they were overwhelmed by the volume of vulnerability maintenance work assigned to them.


One issue is that alerting systems, such as security incident and event management (SIEM) systems, often don't come equipped with the data required for security pros to make informed decisions, the EMA study found. "This creates a situation where too many alerts are created, with the highest priority then requiring additional work by analysts to make a proper reprioritization."


Those queried for the survey said they have to manually reprioritize over half of the threat alerts they receive. Obviously, this creates more work and adds considerably to the stress factor, the report said.


Kevin Reid, VP of national security and CIO at KeyLogic Systems, says alert fatigue is like the boy who cried wolf: "If there are too many similar alerts that end up being empty threats, eventually IT security teams will just ignore the warnings," he says.


A great example of alert fatigue resulting in a widespread attack is the Target breach, he points out. "Leading up to this attack, the security team was consistently seeing the same, empty malware alerts, so they grew numb to the notifications and ignored the warning when there was a real intrusion."


Another challenge Reid sees is the bulk of data, which, he predicts, is only going to continue increasing. "Even if an alert isn't received, security teams get a report of abnormalities within their system that need to be analyzed. However, as the amount of data grows, so do these reports, making them more difficult to examine for threats."


When a security analyst suspects a true positive there are a number of processes to follow to initiate an information security incident, Holt adds. "Some analysts are concerned about making mistakes if they report too many alerts, leading to a potentially costly mistake if a true positive isn't dealt with in a timely manner."


For Dan Lohrmann, CSO and chief strategist at Security Mentor, alert fatigue challenges can be grouped into the traditional buckets of people, process and technology: The people part of the pie involves the long hours doing the same role and functions, he says. Along with that comes improperly trained staff with not enough experience or not knowing how to use tools.


With process issues, Lohrmann points to an improper distribution of workload and/or alerts, an improper categorization of specific alerts types, and problems with alert levels or classifications, such as too many high level alerts.


As far as the technology piece, Lohrmann points to the wrong tools (old legacy, too many alerts, not enough alerts, etc.), multiple tools that don't work together, and not a wide or specific enough view of data, threats, etc. That is, what is lacking is the national or global perspective that comes with Information Sharing & Analysis Centers (ISACs) and other global data trend information.


Lenny Zeltser, vice president of products at Minerva, points out that the global shortage of IT security personnel results in many teams tasked with handling the alerts being understaffed and overworked. "This factor, combined with the overwhelming number of alerts that need to be handled on an ongoing basis, creates an imbalance. In turn, many important alerts go unnoticed or are disregarded even though they could be the indicator of an actual attack."


"This requires IT security to investigate such alerts, but the volume and vectors have grown beyond the finite resource of most organizations. Consequently, some alerts start to slip and go uninvestigated."


The Sony breach of 2015 demonstrated this challenge, MacFarlane points out. "While the tools were able to identify the malicious activity, those alerts were lost in a sea of 40,000 other alerts that same month. With a limited security staff, some malicious activity went uninvestigated until the inevitable happened."


A good security team will want to collect as much information as possible about the systems they protect, says Chris Simpson, academic program director, BS Cybersecurity, National University, School of Engineering and Computing. However, he adds, this is a double-edged sword: as they collect more data than they require, more resources are needed to understand the data.


"Alerting is used to bring important information to the attention of a security team," Simpson says. "Alert fatigue can occur when a system generates so many alerts that the operator can't prioritize or respond to all of the alerts. For example, an alert can be generated if a user has a failed login attempt, and when many of the alerts are false positives this causes the security team to miss valid alerts."


A recent survey conducted by the Cloud Security Alliance highlights the large number of alerts that organizations deal with, Simpson says. The survey noted that 2.7 billion events were generated by the average enterprise using cloud services. Of these events, 2,542 on average were anomalous, of which 23 were actual threats. The survey also noted that 32% of the respondents ignored alerts due to the large number of false positives.


The Target data breach is an example of alert fatigue that allowed a data breach to go undetected, Simpson explains. "Target had the right technology in place and received valid alerts that malware was inside their system. However, because the system was new and they had received excessive alerts they were unable to properly handle the alerts. This affected millions of customers, cost Target millions of dollars and lowered consumer confidence."


Many assume the biggest and only challenge IT security personnel face in dealing with alert fatigue is the overlooked threats that get by among the sea of alerts, says May Wang, CTO and co-founder, ZingBox. "Unfortunately, that is not the only damaging result of alert fatigue. Due to the sheer volume of alerts, many IT staff are forced to define their own unique criteria of what's worth the time to investigate and what is not. An organization's exposure to specific threats can vary greatly from hour to hour based on the shift of the IT staff. It can also vary greatly across organizations even when they employ the same security solutions. The inconsistent security coverage resulting from this practice can often pose a bigger risk than the few threats that may get overlooked."


Unfortunately, alert fatigue will not go away any time soon, Wang says, adding that many organizations have come to expect false positives as a sign of comprehensive security coverage during proof of concept. "When presented with X number of threats, detection of anything less than X number of threats is frowned upon. However, detection of more than X number of threats, as long as the specific threats are detected, is often considered a successful evaluation. Some security vendors are leveraging this unfortunate misconception and very much focus on 'lighting it up' during product evaluations."


There are all kinds of tools available today, but it all comes down to having the right IT network monitoring, including security monitoring capabilities, fault management, configuration, performance and security management, says Reid. Finding the tools for your organization isn't the challenge, he explains. Many have all the necessary solutions, but are still at risk due to poor implementation.


"Parameters need to be set on all intrusion alert tools to get rid of false alarms and ensure real threats don't go unnoticed," Reid says. "This idea of a monitoring philosophy must be defined from the start, outlining thresholds and triggers so that security teams know alerts are actually alerts, not just some sort of vulnerability or malfunction within the tool."


Additionally, with the increase of data, businesses expect security teams to capture and monitor everything, but there just isn't enough time or enough people to do it, Reid says. "With this in mind, security tools need to be updated to leverage AI that can support the security professionals in monitoring for accurate and real threats."


Holt advocates for security information and event management (SIEM) software that is already being used by many organizations to help. "This provides security analysts with a holistic view of alerts from multiple event logs," she says.


However, depending on reach, SIEMs can be costly to deploy and complex to operate and manage, she admits. "To combat this, some organizations use SIEM service providers, which are paid for on a usage basis. However, SIEM can still result in alert fatigue."


Although it may be beneficial to outsource the identification of potential attacks (i.e. review security alerts), few organizations outsource the investigation of these alerts, Holt says. "This is because outsource providers do not generally have the intimate, overarching view the organization has over its environment."


As more organizations invest in their security programs, deploying additional tools to bolster their layers of defense, they create more visibility to the security posture of their entire network, says Nathan Wenzler, chief security strategist at AsTech Consulting. "This, of course, is most commonly done through the huge volume of events and alerts which are generated by the activity detected from endpoints to network infrastructure devices to applications and user activities."


He too points to security information and event management (SIEM) tools, which, he says, were meant to aggregate the millions upon millions of events generated and allow security professionals and administrators a way to filter through the noise to find the most important, high-priority events that needed attention. "But, even these tools can struggle to bring only the most pertinent items up to the attention of those who need it, leading to huge volumes of alerts that must be reviewed and dealt with almost constantly."
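As an added illustration, not part of the article or of any speaker's remarks, the Python below puts the failed-login case Simpson describes next to the thresholds and triggers Reid calls for. It runs a naive per-event rule and an aggregated, thresholded rule over a constructed batch of SSH authentication log lines, so the reader can see how the same input produces sixteen alerts under one policy and one under the other. The log format, user names and addresses are made up for the example, and the threshold, window and cooldown values are assumptions chosen to make the comparison visible, not tuning recommendations.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (users and addresses are made up for this example).
# Two typos from alice, two widely spaced failures from bob, then a 12-attempt
# burst against "admin" from a single source inside 24 seconds.
SAMPLE_LOG = "\n".join(
    [
        "2024-08-04T13:00:01 sshd: Failed password for alice from 10.0.0.5",
        "2024-08-04T13:00:07 sshd: Failed password for alice from 10.0.0.5",
        "2024-08-04T13:00:20 sshd: Accepted password for alice from 10.0.0.5",
        "2024-08-04T13:01:00 sshd: Failed password for bob from 10.0.0.9",
        "2024-08-04T13:05:00 sshd: Failed password for bob from 10.0.0.9",
    ]
    + [
        f"2024-08-04T13:10:{sec:02d} sshd: Failed password for invalid user admin from 203.0.113.7"
        for sec in range(0, 24, 2)
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(raw_log):
    """Turn raw lines into (timestamp, result, user, src) tuples; skip lines that don't match."""
    events = []
    for line in raw_log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def per_event_alerts(events):
    """Naive policy: one alert for every failed login, the pattern that breeds fatigue."""
    return [f"{ts.isoformat()} failed login for {user} from {src}"
            for ts, result, user, src in events if result == "Failed"]


def thresholded_alerts(events, threshold=5, window=timedelta(seconds=60),
                       cooldown=timedelta(minutes=10)):
    """Aggregated policy: alert once when a (src, user) pair reaches `threshold`
    failures inside `window`, then stay silent for that pair during `cooldown`.
    Threshold, window and cooldown are assumed values for the example."""
    recent = defaultdict(deque)   # (src, user) -> timestamps of failures still inside the window
    last_alert = {}               # (src, user) -> when we last alerted on that pair
    alerts = []
    for ts, result, user, src in events:
        if result != "Failed":
            continue
        key = (src, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        if key in last_alert and ts - last_alert[key] < cooldown:
            continue                      # already raised for this pair; suppress the repeat
        last_alert[key] = ts
        alerts.append(f"{ts.isoformat()} {len(q)} failures for {user} from {src} "
                      f"within {int(window.total_seconds())}s")
    return alerts


def summarize(raw_log=SAMPLE_LOG):
    """Count how many alerts each policy raises on the same input."""
    events = parse(raw_log)
    return {
        "failed_events": sum(1 for e in events if e[1] == "Failed"),
        "per_event_alerts": len(per_event_alerts(events)),
        "thresholded_alerts": len(thresholded_alerts(events)),
    }


if __name__ == "__main__":
    for line in thresholded_alerts(parse(SAMPLE_LOG)):
        print(line)
    print(summarize())
```

The cooldown is what keeps the burst from producing a fresh alert on every failure after the fifth; without it the thresholded rule would still page the analyst eight more times for the same event. The first alert carries the aggregate count, so the analyst sees one actionable line instead of a dozen identical ones.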
