False Alarm or Real Threat? The Dangers of Alert Fatigue
This post was last updated on August 10th, 2021 at 06:04 pm
Drowning in SIEM Alerts?
Many enterprises rely on security information and event management (SIEM) solutions to help detect suspicious activity on their networks. However, despite SIEM’s attempts to dedup, contextualize, and correlate sometimes millions of alerts each day, many organizations find themselves drowning in irrelevant and/or false data. The result is ‘alert fatigue’ and it increases the likelihood of your security team overlooking or missing a real threat — capable of wreaking havoc on your systems and reputation.
One of the relatively recent and high-profile cases of alert fatigue was the Target breach in 2013, which resulted in 40 million stolen payment card records, and the loss of a CEO’s job. The malware was detected, thousands of alerts fired, were reportedly seen by SIEM monitoring personnel but ignored due to millions of other alerts being received in the same timeframe. This visibility to, and fast focus on, what is a real threat is a challenge for all security teams – whether a small team with no SOC, a large enterprise with a SOC, or an MSSP that oversees many customers with a SOC.
SIEMs and other security systems collect and aggregate data from a variety of sources including Firewalls and Web Proxies, Intrusion Detection / Prevention Systems, IP/DNS Traffic Logs and PCAPs. SIEMs aggregate, deduplicate, correlate, and with more advanced systems, attempt to find the “needle in the haystack”.
However, sophisticated attacks easily game defense systems, and false positives continue to waste the time of limited personnel. Average enterprise class organizations can receive 17,000 malware alerts per week. Of that, fewer than 20 percent are worthy of examination, and only 4 percent of valid threats are actually investigated.
Why? Alerts often require human oversight and validation to confirm legitimacy. Most organizations simply don’t have the resources to recognize legitimate alerts, let alone examine them to determine root cause and infected machines quickly and cost-effectively.
Infocyte HUNT Provides Relief
What’s needed to combat alert fatigue is a triage process to investigate alerts and determine which alerts can truly be ignored and which are actionable threats that need escalation.
Infocyte HUNT provides an integrated endpoint interrogation solution to validate alerts by looking at the compromise state of endpoints. It provides ground truth – enabling security staff to vet alerts captured by your SIEM and prevent wasted time on innocuous alerts and/or false positives. SIEM alerts are often correlated from two or more secondary or tertiary security product alerts that often lead to erroneous conclusions. Infocyte HUNT surveys endpoint using Forensic State Analysis (FSA) techniques to look for irrefutable evidence of malware that has successfully bypassed traditional defenses.
Infocyte HUNT offers organizations a fast and cost-effective solution to triage alerts and combat threats, ensuring the security of your networks.
Download the Infocyte HUNT data sheet about SIEM alert validation to learn more.