In my experience, automated alerts are one of the most challenging, duplicitous factors in security. On the one hand, there is simply too much data for us humans to sift through, so having a system in place to analyze and correlate data automagically is hugely helpful. On the other hand, once the tool has analyzed data and spat out alerts, the security team (or security person) still bears the responsibility of interpreting and reacting to this data, which is fine…so long as the number of alerts is manageable.
But what do you do if the number of alerts is not manageable? What if we're not getting 20 alerts per day, but 200? What about 2,000? 20,000? Before you even attempt to contemplate how you would handle this conundrum you might think, “How is it possible for one company to generate that many alerts?” Well, let's look at the amount of data fed into a standard SIEM, and the staggering number of events tied to that data. It brings a little more clarity to the picture:
As we can see, for a roughly average size enterprise, peak activity hits just shy of 16,000 EPS. Of course, not every event correlates to an alert – not even close – but we at least can see that the number of alerts has the potential to be huge. To counteract this, the security industry has leaned heavily on rules that define when an alert will be triggered. The challenge, then, is in the way the security industry defines these rules.
Traditionally, security tools were designed to detect known attack vectors; an example is using a signature-based approach to define programs as “safe” or “unsafe”. If we think in terms of the above table of events, this rule-based approach means a security analyst might see security alerts related to the same incident coming from the proxy server, the VPN concentrator, the firewall, IPS, the database server, and the endpoint itself. That's a quick 6 alerts for the same event, but security analysts would have to look at each alert independently to know that, and meanwhile there are countless other alerts competing for attention at any given time. This is a root cause of alert fatigue, and it's paralyzing.
Bearing this in mind, incidents within UserInsight are designed to seamlessly pull together all the data related to an event. For example, if UserInsight detects several attempts to authenticate over the network from a single source asset (a common attacker's technique for moving laterally within a network), the alert will contain details about the data source, time of authentication, result of authentication, type of authentication, source asset, and target assets.
Clicking the link to one of these assets will bring us to the assets home page, where we can find information about recent source authentications, users associated with the authentications, and a map of where in the network authentications are coming from and where users jump to next. This helps security analysts quickly assess what users were authenticating to the assets in question around the time of this incident. This way, the security analyst can immediately understand the context of an incident and identify the different pieces involved to react and contain the incident quickly.
A traditional incident detection tool might have a few of these data points, but they would be separate alerts, leaving the security analyst to try to connect the dots. By correlating all this data, we're helping security analysts drastically reduce time to respond and contain security incidents.
Now, back to our initial question about alert fatigue. By nature, pulling all this data into a single incident will reduce the number of alerts. On top of that, incidents are easily adjustable so that they reflect the security goals of a specific organization. This includes adjusting alerting thresholds, customizing the environment by tagging restricted assets, keeping a close eye on risky employees by adding them to a Watchlist, building network zones, and more.
UserInsight is helping organizations around the world cut through network noise to identify and react to real threats in real time. For more information on how analytics helps security team, check out Why Flexible Analytics Solutions Can Help Your Incident Response Team