Reining in out-of-control security alerts

Enterprises unable to process the flood of alerts received each day from security systems have several options available to regain control and improve network defenses, experts say.

The average North American enterprise has to contend with 10,000 alerts a day, with the noisiest networks generating an overwhelming 150,000 alerts, according to a recent study by security vendor Damballa. The numbers come from an analysis of traffic from Internet service providers and enterprises.


Security information and event management (SIEM) software or appliances collect logs and events from hardware and software across the corporate network and generate most of the alerts that fire when anomalies are detected.

To contend with the alert flood, enterprises have the option of moving to a different model for detecting malware or learning to make better use of the SIEM systems they have, experts said Wednesday.

Matthew Neely, director of strategy initiatives for consulting firm SecureState, advises companies to do the latter to avoid the expense of ripping out and replacing technology.

"I'm a bigger fan of having (clients) make good use of the technology they have," he said. "Once they are making good use of that, then look at whether there are other technologies that can be brought in to give them a better view."

Enterprises that deploy SIEM systems often place too much trust in the default settings, said Jason Wood, principal consultant for Secure Ideas.

"Some organizations purchase a device with the hope that it will somehow make sense of their environment and magically only tell them what they need to know," Wood said. "The problem is that the products can't do that automatically and need someone working with the system to make it useful."

Wood advises setting aside time each day to review security and log data, identify which data and events are normal for the network, and then configure the system to alert only on deviations from that baseline.

"By training systems in the environment, we can get better automatic responses to events," Wood said. "We can focus on what's actually important and meaningful to the organization."

Neely recommends identifying where sensitive data is stored and concentrating monitoring on those systems to reduce noise.

"Additionally, we recommend companies take this a step further and move these critical systems into protected networks," he said. "These networks should have higher levels of protection and should also be where their monitoring is focused."

For companies ready for something other than traditional SIEM systems, Chris Morales, a research director at NSS Labs, recommends looking at technology that monitors outbound traffic, which produces fewer alerts.

SIEM systems will collect information from anti-virus software, firewalls, intrusion detection systems and other technologies focused on inbound traffic.

Vendors such as Damballa, FireEye, Lastline and General Dynamics Fidelis Cybersecurity Solutions apply intelligence to outbound traffic to spot possible malware in the network.

"I call the posture assumed breach," Morales said. "Instead of trying to stop breaches, I try to stop data loss."

In general, the technology checks the destination IP addresses of outbound connections against a continuously updated blacklist of addresses known to be used by cybercriminals.

The technology can also inspect packet contents for characteristics indicative of malware.
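The two noise-reduction approaches described above, Wood's "learn what is normal, then alert only on deviations" and the outbound-destination blacklist check, are simple enough to show in a few dozen lines. The following is an added illustration written for this article, not code from any of the vendors or consultants quoted. The log lines, the block list ranges (IETF documentation networks, not real attacker infrastructure) and the set of "sensitive" hosts are all constructed; the per-host baseline is applied only to the hosts that hold sensitive data, following Neely's advice to focus monitoring there.

```python
"""Baseline-then-deviate plus block-list matching over outbound connection records.
Added example for the article above; all data below is constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample log lines (not captured traffic).
# One record per line: <timestamp> <source host> <destination ip> <destination port>
BASELINE_WINDOW = """\
2014-05-13T09:00:01 ws-101 10.0.0.12 443
2014-05-13T09:00:05 ws-101 93.184.216.34 443
2014-05-13T09:01:10 ws-102 10.0.0.12 443
2014-05-13T09:02:00 db-01 10.0.0.12 443
"""

TODAY = """\
2014-05-14T09:00:02 ws-101 10.0.0.12 443
2014-05-14T09:00:09 ws-101 198.51.100.7 8443
2014-05-14T09:01:12 ws-102 203.0.113.5 443
2014-05-14T09:03:00 db-01 203.0.113.5 443
"""

# Constructed block list of known-bad destinations (documentation ranges, assumed for the example).
BLOCKLIST = ["198.51.100.0/24", "203.0.113.9/32"]

# Hosts that store sensitive data get the per-host baseline check; all other
# hosts are only matched against the block list (constructed, assumed for the example).
SENSITIVE_HOSTS = {"ws-101", "db-01"}


def parse_log(text):
    """Turn log text into (timestamp, host, dst_ip, dst_port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, ip, port = line.split()
        records.append((ts, host, ipaddress.ip_address(ip), int(port)))
    return records


def build_baseline(records):
    """Per-host set of (dst_ip, dst_port) pairs observed during the training window."""
    baseline = defaultdict(set)
    for _, host, ip, port in records:
        baseline[host].add((ip, port))
    return baseline


def load_blocklist(cidrs):
    """Parse CIDR strings once so membership tests are cheap."""
    return [ipaddress.ip_network(c) for c in cidrs]


def blocklisted(ip, networks):
    """True when the destination falls inside any block-listed range."""
    return any(ip in net for net in networks)


def evaluate(records, baseline, networks, sensitive_hosts):
    """Return alerts as (timestamp, host, 'ip:port', reason).

    Traffic that matches the baseline and is not on the block list produces
    nothing, which is the whole point: only deviations reach the analyst.
    """
    alerts = []
    for ts, host, ip, port in records:
        dst = f"{ip}:{port}"
        if blocklisted(ip, networks):
            alerts.append((ts, host, dst, "destination on block list"))
        elif host in sensitive_hosts and (ip, port) not in baseline[host]:
            alerts.append((ts, host, dst, "new destination for sensitive host"))
    return alerts


def run():
    """Train on yesterday's window, then evaluate today's records."""
    baseline = build_baseline(parse_log(BASELINE_WINDOW))
    networks = load_blocklist(BLOCKLIST)
    return evaluate(parse_log(TODAY), baseline, networks, SENSITIVE_HOSTS)


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

Of the four records in the "today" window, only two produce alerts: the connection from ws-101 to a block-listed range, and db-01 reaching a destination it never contacted during the training window. The ws-102 connection to an unknown address is deliberately ignored because ws-102 holds no sensitive data; whether that trade-off is acceptable is exactly the judgement Neely's advice asks a security team to make. In a real deployment the baseline would be rebuilt on a rolling window and the block list refreshed from a feed, but the control flow stays the same.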


Currently, these types of systems require a combination of hardware and management services provided by the vendor, Morales said.

As the technology matures, he expects more automation and less of a need for outside services.

"Right now, there's too much manual processing (of data)," Morales said.

By Antone Gonsalves