New tools don't have to mean increasing alerts


Trying to keep your networks safe and secure is a never-ending battle. While you want alerts to flag potential threats, the majority of security professionals suffer from the sheer volume of alerts they get.

A survey found that 83% of security operations center (SOC) teams suffered from alert fatigue and juggling a complex cybersecurity ecosystem that seemed to grow daily. SOCs dealing with alert fatigue is no surprise. The majority of alerts are false positives or benign, and their mounting number means many are simply never followed up. McKinsey reports that 60% of enterprise-level SOC analysts triage fewer than 40% of log data.

For many companies, the response has been to add to the tech stack with additional cybersecurity tools, which may actually increase the number of alerts generated. However, it doesn’t have to be that way. Adding best-in-class tools can help prioritize and segment alerts, reduce the volume of false leads, and surface higher-priority issues so you can accelerate your triage.

The push for greater network visibility

Visibility is at the heart of every cybersecurity infrastructure. Finding and addressing security gaps is essential to hardening your network. But this has become increasingly complex as organizations add multi-cloud and hybrid cloud environments and as the workforce becomes more and more distributed.


This push for greater and more granular network visibility is also yielding a huge amount of data and increasing alert fatigue.

Increasing visibility without increasing alerts

Increasing visibility without increasing alerts requires the right cybersecurity ecosystem and a different approach to automating and scoring potential threats.

Prioritizing and triaging

High-profile data breaches and ransomware attacks grab the headlines seemingly daily, but they’re somewhat rare events. In the absence of such incidents, most threats pale in comparison and fail to register. To compensate, IT teams often raise the threshold at which their cybersecurity tools classify an event as a threat, which leads to even more alert fatigue.

Getting this balance is crucial because it’s often the second-tier events that are most dangerous. They don’t get top priority for investigation and mitigation, especially for busy and understaffed SOC teams. Hackers also know you’re more likely to focus on high-level threats, so they go after smaller or medium attacks that can also do damage. Without the right cybersecurity tools, you may never even get to these lower-level threats.

Another challenge is emerging threats. Often, event scoring on these types of threats is low because they have never been seen before, so there is no previous data to model. Alert fatigue causes these events to be missed because they won’t rise to the top of the list. The right automated security tool can fill in existing gaps or replace current processes to help you navigate this balance better. This approach can provide the network visibility you need without increasing the volume of alerts.

Adding another best-in-class tool does not have to mean adding to the number of alerts. The right cybersecurity platform can result in a more robust solution without adding to alert fatigue. The right tools can correlate events, creating a new level of event tracking without the barrage of alerts.

Correlating network threats

Another significant challenge is the separation of data—or missing pieces of data—in alerts. Clues may be hidden in multiple places, and each may not raise the threat level. Taken together, however, these pieces of data may complete the puzzle or enough of it to raise the level of awareness.

It’s easy for data like this to get missed in the cybersecurity ecosystem without a way to aggregate and correlate network threats. Often, threat actors will work in stages, testing attack surfaces as they go. It’s only when you're aware of the sequence of events as they move across different MITRE ATT&CK stages that you see the relevance.
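The following is an added illustration of the correlation idea described above; it is not IronNet's code or a description of its platform. It assumes alerts already carry a host, an ATT&CK tactic label, and a per-alert score, and it uses constructed sample alerts, a constructed tactic ordering, and an assumed two-hour window and scoring bonus. The point it shows is that four alerts that each sit well below the paging threshold become one high-priority finding when they appear on the same host in kill-chain order, while repeated alerts of the same stage and alerts outside the window do not inflate the score.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Kill-chain ordering used to check that stages actually progress.
# Constructed subset of ATT&CK tactic names, for this example only.
TACTIC_ORDER = [
    "reconnaissance", "initial-access", "execution", "persistence",
    "discovery", "lateral-movement", "exfiltration",
]
RANK = {t: i for i, t in enumerate(TACTIC_ORDER)}

PAGE_THRESHOLD = 70          # assumed: single-alert score needed to page an analyst
WINDOW = timedelta(hours=2)  # assumed correlation window per host
STAGE_BONUS = 15             # assumed uplift per additional distinct tactic


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    tactic: str
    score: int  # 0-100 severity assigned by the producing tool


def page_individually(alerts):
    """Baseline triage: alerts that would page on their own score alone."""
    return [a for a in alerts if a.score >= PAGE_THRESHOLD]


def correlate(alerts, window=WINDOW, min_tactics=3):
    """Group alerts per host in a sliding window and emit at most one finding
    per host when >= min_tactics distinct tactics appear in kill-chain order."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host[a.host].append(a)

    findings = []
    for host, items in by_host.items():
        best = None
        for start in range(len(items)):
            chain, seen = [], set()  # one alert per tactic kept in this window
            for a in items[start:]:
                if a.ts - items[start].ts > window:
                    break  # outside the window: not part of this sequence
                if a.tactic in seen:
                    continue  # the same stage repeating is noise, not progress
                if chain and RANK[a.tactic] < RANK[chain[-1].tactic]:
                    continue  # tactic out of kill-chain order: skip it
                chain.append(a)
                seen.add(a.tactic)
            if len(chain) >= min_tactics:
                score = min(100, max(a.score for a in chain)
                            + STAGE_BONUS * (len(chain) - 1))
                if best is None or score > best["combined_score"]:
                    best = {"host": host,
                            "tactics": [a.tactic for a in chain],
                            "combined_score": score,
                            "alerts": chain}
        if best is not None:
            findings.append(best)
    return findings


# Constructed sample alerts: none reaches PAGE_THRESHOLD on its own.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ALERTS = [
    Alert(T0, "ws-17", "reconnaissance", 20),
    Alert(T0 + timedelta(minutes=25), "ws-17", "execution", 35),
    Alert(T0 + timedelta(minutes=50), "ws-17", "discovery", 30),
    Alert(T0 + timedelta(minutes=80), "ws-17", "lateral-movement", 40),
    Alert(T0 + timedelta(hours=3), "ws-17", "exfiltration", 25),  # outside window
    Alert(T0 + timedelta(minutes=10), "srv-02", "discovery", 30),
    Alert(T0 + timedelta(minutes=5), "ws-03", "execution", 45),
    Alert(T0 + timedelta(minutes=15), "ws-03", "execution", 45),  # repeat stage
    Alert(T0 + timedelta(minutes=35), "ws-03", "execution", 45),  # repeat stage
]

if __name__ == "__main__":
    print("paged individually:", len(page_individually(SAMPLE_ALERTS)))
    for f in correlate(SAMPLE_ALERTS):
        print(f["host"], f["combined_score"], " -> ".join(f["tactics"]))
```

Run as-is, the individual-score triage pages nothing, while the correlator produces a single finding for ws-17 with a combined score of 85 spanning reconnaissance through lateral movement. The noisy host ws-03 and the lone discovery alert on srv-02 produce no finding, which is the behaviour you want from a tool meant to surface sequences rather than add to the alert count.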

Collective Defense

While machine learning algorithms can be trained to recognize patterns, their ability is limited to the data they possess. For example, artificial intelligence (AI) tools have become very good at visualizing mammograms. A study in the journal Nature found that the AI could detect cancer at a higher rate than a doctor. There was also a 2.7% reduction in false positives.

However, a person’s doctor has access to other data points—such as age, lifestyle, and previous medical history—that may be relevant to a patient’s condition. Such knowledge would be crucial to fine-tuning the review process but may not be available.


With cyber threats, bringing in additional data points can have the same effect. What may appear benign may indeed be a warning sign of something other SOCs are seeing across the industry. By comparing notes with peers, you can better identify incidents, especially emerging threats.

We call this Collective Defense.

Security professionals work together to detect and exchange anonymized intelligence in real time, helping identify and isolate threats for the entire community. Once one enterprise in the collective sees suspicious activity and confirms it as a viable threat, that information is exchanged anonymously with everyone else.

Not only does this help with alerts prioritization, but it also helps train machine learning models to provide better intelligence going forward, adjusting scoring models and reducing false alerts.

Rising threat levels require new cybersecurity solutions

With cyberattacks more than doubling over the past three years and increasing by 50% last year alone, the threat level has risen. At the same time, there’s significantly more activity backed by nation-states, making it extremely challenging for security operations teams to keep up. As such, malicious threats are going undetected or ignored due to the sheer volume of alerts.

Reducing the number of alerts so that SOC teams can focus on the right ones is essential.

To learn more about how to rule out false positives using automated correlation-based detection, download our white paper, A practical way to rule out false positives. To learn more about the concept of Collective Defense or how IronNet can help protect your networks and reduce alert fatigue, connect with the cybersecurity experts at IronNet to request a demo.
