The Problem of Security 'Alert Fatigue'
Stemming the flood of security warnings for admins.
- By Dan Kusnetzky
A recent survey conducted by the Cloud Security Alliance (CSA) and Skyhigh Networks pointed out that IT security professionals, facing a torrent of alerts, often ignore them. They just don't have the time to follow up on each and every alert and notice presented by their security monitoring tools. The phrase "alert fatigue" has been created to describe this issue.
The following bullets summarize a few of the key findings of the CSA survey:
Dan's Take: Can Machine Learning Lower the Noise Level?
- 40.4 percent of the respondents say that the alerts they receive lack actionable intelligence to investigate, and another 31.9 percent report that they ignore alerts because so many are false positives.
- IT security professionals report that their organization is using multiple tools that produce alerts. Fifty percent say that they're using 1-5 tools, 30.1 percent say that they're using 6-10 tools, 7.2 percent report that they're using 11-20 tools and 12.7 percent say that they're using more than 20 tools.
- The average enterprise represented in the study generates nearly 2.7 billion actions in cloud services per month (e.g., login, upload, comment), of which 2,542, on average, are anomalous. Of the 2,542 anomalous events, only 23.2 are actual threats, a ratio of nearly 110:1.
- When examined more closely, these 23.2 cloud-based threats can be broken down into the following categories: 10.9 are insider threats, like a user downloading sensitive data from SharePoint Online and taking it when they join a competitor; 3.3 are privileged user threats, such as an administrator provisioning excessive permissions to a user relative to their role; 6.2 are due to compromised accounts, like an unauthorized third party logging in to a corporate Office 365 account using stolen credentials; and 2.8 are data exfiltration events, such as malware on a corporate laptop that exfiltrates data from an on-premises SAP application via Twitter, 140 characters at a time.
When the results of the study are reviewed, it becomes quite clear that IT security professionals are simply overwhelmed by false positive "noise," often facing so much "noise" that the real meaning is lost. These IT folks are dealing with very complex on-premises, off-premises and hybrid computing environments that are made up of hundreds of services hosted on physical and virtual machines. Any one of them could be the source of real issues or false positives.
IT staff members simply don't have the time to examine each and every alert and delve into the details behind the events leading up to the creation of the notice or the alert. Some suppliers have seen this problem and have changed their product to make the display of these notices and alerts much more clear.
Why isn't anyone focusing on developing tools that are able to:
- Analyze the alerts coming from all of the security products installed in the enterprise
- Evaluate the underlying data contained in operational logs each of these products are scanning
- Applying predictive analysis and machine learning to this data, across operational logs
- Comparing the results to known issues
- Make actionable recommendations
Each of the suppliers operates with the ideal that their product or cloud service stands alone. What suppliers are acting as if they are part of the enterprise IT infrastructure? Very few.
Isn't it time we apply these Big Data tools and approaches to the problem of IT security?
Daniel Kusnetzky, a reformed software engineer and product manager, founded Kusnetzky Group LLC in 2006. He's literally written the book on virtualization and often comments on cloud computing, mobility and systems software. He has been a business unit manager at a hardware company and head of corporate marketing and strategy at a software company.