False Alarm or Real Threat? The Dangers of Alert Fatigue

Security-Alert.png

Drowning in Security Alerts

Many enterprises rely on security information and event management (SIEM) solutions to help detect suspicious activity on their networks. However, despite SIEM’s attempts to dedup, contextualize, and correlate thousands to millions of alerts daily, many organizations find themselves drowning in irrelevant and/or false positive data. The resulting 'alert fatigue' increases the likelihood that a real threat will be missed, wreaking havoc on your systems and reputation.

One of the relatively recent and high-profile cases of alert fatigu' was the Target breach in 2013, which resulted in 40 million stolen payment card records, and the loss of a CEO’s job. The malware was detected, thousands of alerts fired, were reportedly seen by SIEM monitoring personnel, but ignored due to millions of other alerts being received in the same timeframe. This visibility to, and fast focus on, what is a real threat is a challenge for all security teams – whether a small team with no SOC, a large enterprise with a SOC, or an MSSP that oversees many customers with a SOC.  

SIEMs and other security systems collect and aggregate data from a variety of sources including: Firewalls and Web Proxies, Intrusion Detection / Prevention Systems, IP/DNS Traffic Logs and PCAPs. SIEMs aggregate, dedup, correlate, and with more advanced systems, attempt to find the “needle in the haystack”. 

However, sophisticated attacks easily game defense systems, and false positives continue to waste the time of limited personnel. Average enterprise class organizations can receive 17,000 malware alerts per week. Of that, fewer than 20 percent are worthy of examination, and only 4 percent of valid threats are actually investigated.  

Why? Alerts often requires human oversight and validation to confirm legitimacy. Most organizations simply don't have the resources to recognize legitimate alerts, let alone examine them to determine root cause and infected machines quickly and cost-effectively.

Infocyte HUNT Provides Relief

What's needed to combat alert fatigue is a triage process to investigate alerts and determine which alerts can truly be ignored and which are actionable threats that need escalation. 

Infocyte HUNT provides an integrated endpoint interrogation solution to validate alerts by looking at the compromise state of endpoints. It provides ground truth – enabling security staff to vet alerts captured by your SIEM and prevent wasted time on innocuous alerts and/or false positives. Unlike SIEM alerts that are often correlated from two or more secondary or tertiary security product alerts that often lead to erroneous conclusions, Infocyte HUNT surveys endpoint using Forensic State Analysis (FSA) techniques to look for irrefutable evidence of malware that has successfully bypassed traditional defenses.

Infocyte HUNT offers organizations a fast and cost-effective solution to triage alerts and combat threats, ensuring the security of your networks.