False positives still cause threat alert fatigue

2017-06-09

How you set up and prioritise which alerts to look at and act on is the basis for an effective threat management strategy.

It is commonly referred to as information overload. An infosec professional casts a wide net in the hope of stopping malware before it gets too deep into the network, but, like a motion-sensor light, sometimes the alert catches a squirrel instead of a burglar.

Rob Kerr, chief technology officer at Haystax Technology, cited the 2013 breach at Target as an example: thieves stole some 40 million Target credit cards by accessing data on point-of-sale (POS) systems. Target later revised that number to include the theft of private data for 70 million customers.

"There were many missteps before the breach happened, but a big one was that Target missed internal alerts -- only finding out about the breach when they were contacted by the Department of Justice," he said.

Kerr said two different issues contributed to the alert problem. While the attack was in progress, monitoring software (FireEye) alerted staff in Bangalore, India, who in turn notified Target staff in Minneapolis; no action was taken because those alerts arrived among many other, likely false, alerts. Kerr also recalls that at least some of the company's network-infiltration alerting systems appeared to have been turned off to reduce false positives.

A survey by FireEye polled C-level security executives at large enterprises worldwide and found that 37 percent of respondents receive more than 10,000 alerts each month. Of those alerts, 52 percent were false positives, and 64 percent were redundant alerts.

"This represents a huge burden on companies, as around 40 percent of them manually review each alert," Kerr said.

In most enterprises, various monitoring and detection solutions constantly comb through network and user activity data looking for anomalies that may indicate a malicious event is taking place. Each time the system gets a hit, an alert is generated that typically requires a human analyst either to verify that it is a bona fide threat or to clear it as not applicable or too minor.

The problem this creates is analyst overload, Kerr notes. "In other words, the system is unable to provide sufficient context up front to filter out the anomaly before it generates an alert, so it falls to the analyst to do that manually. This is a big problem because there are thousands of pieces of data on network logins, printer activity and building access logs. So there will be an alert when Bob -- who typically works 9 to 5 every day -- reenters the office at 7:30 one evening and prints a large file on a Sunday, accessing a file server that is normally off-limits to him."
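As an added illustration of the context problem Kerr describes (this is example code written for this article, not code from Haystax or any vendor mentioned), the following Python triage step correlates a user's anomalies into one scored alert instead of raising one per event, counts exact-duplicate events once, and only escalates when corroborating signals accumulate. The baselines, weights, threshold and events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample baselines and events, not data from any real deployment.
BASELINES = {
    "bob":   {"hours": (9, 17), "servers": {"fs-hr"}},
    "alice": {"hours": (9, 17), "servers": {"fs-hr", "fs-finance"}},
}
# A lone off-hours event scores below the threshold; corroborating anomalies do not.
WEIGHTS = {"off_hours": 1, "weekend": 1, "large_print": 2, "unusual_server": 3}
EVENTS = [  # ISO 8601 timestamps; the last entry duplicates the one before it
    {"user": "alice", "type": "login",       "time": "2017-06-05T10:02:00"},
    {"user": "bob",   "type": "badge_in",    "time": "2017-06-05T19:30:00"},
    {"user": "bob",   "type": "print",       "time": "2017-06-04T14:10:00", "pages": 900},
    {"user": "bob",   "type": "file_access", "time": "2017-06-04T14:15:00", "server": "fs-finance"},
    {"user": "bob",   "type": "file_access", "time": "2017-06-04T14:15:00", "server": "fs-finance"},
]

def anomalies(event, baseline):
    """Return the set of anomaly labels one event triggers against a user's baseline."""
    ts = datetime.fromisoformat(event["time"])
    found = set()
    start, end = baseline["hours"]
    if not start <= ts.hour < end:
        found.add("off_hours")
    if ts.weekday() >= 5:          # Saturday or Sunday
        found.add("weekend")
    if event["type"] == "print" and event.get("pages", 0) > 500:
        found.add("large_print")
    if event["type"] == "file_access" and event["server"] not in baseline["servers"]:
        found.add("unusual_server")
    return found

def correlate(events, baselines):
    """Build one scored alert per user from the union of that user's anomalies.
    Exact-duplicate events are counted once, so redundant alerts collapse."""
    per_user, seen = defaultdict(set), set()
    for ev in events:
        key = tuple(sorted(ev.items()))
        if key not in seen:
            seen.add(key)
            per_user[ev["user"]] |= anomalies(ev, baselines[ev["user"]])
    return {u: {"reasons": sorted(r), "score": sum(WEIGHTS[x] for x in r)}
            for u, r in per_user.items() if r}

def prioritise(alerts, threshold=4):
    """Users whose combined score reaches the threshold, highest score first."""
    return sorted((u for u, a in alerts.items() if a["score"] >= threshold),
                  key=lambda u: -alerts[u]["score"])
```

With the sample data, Bob's three anomalous events collapse into a single alert that clears the threshold, while his evening badge-in on its own would not reach an analyst at all.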

The Cisco 2017 Security Capabilities Benchmark Study found that, due to various constraints, organizations can investigate only 56 percent of the security alerts they receive on a given day. Half of the investigated alerts (28 percent) are deemed legitimate; less than half (46 percent) of legitimate alerts are remediated. In addition, 44 percent of security operations managers see more than 5,000 security alerts per day.

