Drowning in SIEM Alerts?
Many enterprises rely on security information and event management (SIEM) solutions to help detect suspicious activity on their networks. However, despite SIEM’s attempts to dedup, contextualize, and correlate sometimes millions of alerts each day, many organizations find themselves drowning in irrelevant and/or false data. The result is ‘alert fatigue’ and it increases the likelihood of your security team overlooking or missing a real threat — capable of wreaking havoc on your systems and reputation.
One of the relatively recent and high-profile cases of alert fatigue was the Target breach in 2013, which resulted in 40 million stolen payment card records, and the loss of a CEO’s job. The malware was detected, thousands of alerts fired, were reportedly seen by SIEM monitoring personnel but ignored due to millions of other alerts being received in the same timeframe. This visibility to, and fast focus on, what is a real threat is a challenge for all security teams – whether a small team with no SOC, a large enterprise with a SOC, or an MSSP that oversees many customers with a SOC.
SIEMs and other security systems collect and aggregate data from a variety of sources including Firewalls and Web Proxies, Intrusion Detection / Prevention Systems, IP/DNS Traffic Logs and PCAPs. SIEMs aggregate, deduplicate, correlate, and with more advanced systems, attempt to find the “needle in the haystack”.
However, sophisticated attacks easily game defense systems, and false positives continue to waste the time of limited personnel. Average enterprise class organizations can receive 17,000 malware alerts per week. Of that, fewer than 20 percent are worthy of examination, and only 4 percent of valid threats are actually investigated.
Why? Alerts often require human oversight and validation to confirm legitimacy. Most organizations simply don’t have the resources to recognize legitimate alerts, let alone examine them to determine root cause and infected machines quickly and cost-effectively.
Infocyte HUNT Provides Relief
What’s needed to combat alert fatigue is a triage process to investigate alerts and determine which alerts can truly be ignored and which are actionable threats that need escalation.
Infocyte HUNT provides an integrated endpoint interrogation solution to validate alerts by looking at the compromise state of endpoints. It provides ground truth – enabling security staff to vet alerts captured by your SIEM and prevent wasted time on innocuous alerts and/or false positives. SIEM alerts are often correlated from two or more secondary or tertiary security product alerts that often lead to erroneous conclusions. Infocyte HUNT surveys endpoint using Forensic State Analysis (FSA) techniques to look for irrefutable evidence of malware that has successfully bypassed traditional defenses.
Infocyte HUNT offers organizations a fast and cost-effective solution to triage alerts and combat threats, ensuring the security of your networks.
Download the Infocyte HUNT data sheet about SIEM alert validation to learn more.
More from our blog
Despite the rich data provided by SIEMs, organizations find themselves drowning in false positives, making it difficult to focus on high-priority events. This problem of alert fatigue prevents cyber security teams from identifying and addressing real threats – impacting small teams with no SOC, large enterprise teams with a SOC, and MSSPs overseeing the security for many SOCs/customers.Read More »
In 2018, the U.S. Healthcare Industry Remained a Hot Target for Data Breaches. Last year alone, over 15 million patient records were affected with an average of one data breach occurring every 24 hours in the healthcare industry. It goes without saying that hackers and cyber attackers are finding ways around/through/past security defenses—exploiting vulnerabilities and…Read More »
A Brief History of Forensic State Analysis Prior to starting Infocyte, our co-founders, Chris Gerritz and Russ Morris, created the first enterprise-scoped threat hunting team for the entire U.S. Department of Defense. Their teams were responsible for hunting, detecting, and responding to highly sophisticated attacks across an 800,000-node network. With virtually unlimited resources and access…Read More »