Alarming research reveals the stress and strains the average cybersecurity team experiences on a daily basis. As many as 70% of teams report feeling emotionally overwhelmed by security alerts. Those alerts come at such high volume, high velocity, and high intensity that they become an extreme source of stress. So extreme, in fact, that people’s home lives are negatively affected. Alert overload is bad for those who work in cybersecurity. But it’s even worse for everyone who depends on cybersecurity.
This is a gigantic issue in the industry, yet few people even acknowledge it, let alone deal with it. Cynet aims to correct that in this guide (download here), starting by shining a light on the cause of the problem and the full extent of its consequences and then offering a few ways lean security teams can pull their analysts out of the ocean of false positives and get them back to shore. It includes tips on how to reduce alerts using automation and shares guidance for organizations that are considering outsourcing their managed detection and response (MDR). The guide also shares how security teams can detangle the web of security tools necessary for automation.
Solving alert overload
Security teams of all sizes need to reduce the number of alerts they encounter and refine how they respond to alerts to take action before the damage starts. Below are tactics covered in the guide that security teams, especially lean ones, can use to reduce and respond to thousands of alerts.
1 — Consider outsourcing to MDR: Outsourcing managed detection and response (MDR) is a good option if you need to scale quickly and don’t have the resources. MDRs can help reduce stress and give your team time back. Another consideration is cost. You also will need to invest time in finding an MDR that’s right for your business. As the guide shows, outsourcing can absolutely be an asset. But it’s never a complete solution.
2 — Strategize reducing alerts: It starts with strategy. Look at your existing tech and make sure you’ve optimized their settings and your tools are calibrated. Ultimately, it’s not about reducing alerts so much as it’s about how you’ve set your team up to respond.
For example, find ways to expedite how you investigate alerts that you can’t eliminate or aggregate. One way is to correlate alarms with known activities, like when a planned patch installation disables security tools in bulk as the system recycles. Any other time, the security team would want to know that security tools are going offline, but there’s a simple explanation during patching. Calibrating tools to “quiet” alerts during known events or scheduled times will give the security team more time to focus on the actual emergencies.
3 — Introducing automated response: Even the leanest security teams can tackle threats if they use automation. Automation allows security teams to respond to alerts at scale quickly. But one of the biggest challenges with automation is knowing how to set it up in the first place properly.
One of the downsides of automated response we need to try to avoid, happens when an automated response, particularly the kind is driven by machine learning, blocks both malicious and legitimate traffic. These unpredictable instances can be annoying for the security team and for users throughout the organization. Problems can also be hard to undo if the actions taken by automation haven’t been carefully documented along the way. The guide suggests new ways to solve this problem as well.
4 — Use tools that facilitate automation: Setting up automation is not a ‘walk in the park’ because of the abundance of security and IT solutions that need to be integrated (for example, IPS, NDR, EPP, firewalls, DNS filtering, and more.). The key is to know how to put all of these tools in one place – and the guide suggests new ways to do just that.
This article has already been published on https://thehackernews.com/2022/02/guide-alert-overload-and-handling-for.html