July 7, 2021 Anthony Morris
While the numbers vary from study to study based on research methodology, organizational profile and differences in survey questions, there is nearly universal agreement that alert fatigue is a significant issue for most security teams, and that the high volume of alerts consists largely of false positives. In fact, some security analysts report spending as much as 75% of their time investigating false positives, which aggravates the problem: it leads to analyst burnout and a lot of wasted time and money, while real threats get lost in the mix.
That’s why automation is so critical for any security operations team, and LogicHub’s MDR is no exception. We use our SOAR+ platform to make our analysts 20-30X more efficient by automating the alert triage and threat detection process to ensure that they’re spending the overwhelming majority of their time investigating and responding to real attacks.
What we mean by “Alert Fatigue”
But let’s back up a bit and start with what we actually mean by alert fatigue, and why it’s such a problem. What we’re specifically talking about is when an overwhelming volume of alerts, or the repeated presentation of similar alerts, desensitizes the people tasked with responding to them. That’s a problem because it ultimately leads to missed or ignored alerts, or delayed responses, and the consequences can be devastating. Look no further than the Target breach, which was in no small part the end result of a 40,000-alert-per-day volume.
The typical event funnel
Causes of “Alert Fatigue”
Alert fatigue isn’t just the result of tools generating false positives. It’s the end product of many variables, including user behavior, poorly defined policies and processes, and the failure to adequately integrate and configure the security stack to effectively analyze and aggregate data into accurate and manageable output. And there are many things that can contribute to alert fatigue, including:
Bottom line - all of these problems can be ascribed to a single common root cause - presenting the information to human analysts before it is ready for a human decision.
How LogicHub avoids or solves these issues in our own SOC
LogicHub’s SOC is no different from any other in the sense that we have a security stack generating a large number of events and alerts that our analysts have to get through on behalf of our customers. In fact, we allow our individual customers to bring their preferred tools to the table, and we have to monitor and analyze alerts from all of them. In order to deliver detection and response services, it’s critical for our SOC to use automation so that analysts can operate with the efficiency, accuracy and speed that our customers demand.
So how do we do that?
What does that actually look like in practice?
The bottom line is that by storing events in the intermediary data store, LogicHub avoids the efficiency problems caused when alerts have exceedingly low thresholds or trigger false positives. The ability of our platform, either within the initial detection or the subsequent triage, to automatically perform additional enrichment and verification of activity ensures that cases are verified and ready for review by the time they are created. By aggregating alerts in the platform by the user and asset involved and scoring the result, we are able to prioritize cases by risk, allowing analysts to identify the threats of greatest concern first.
A sample attack scenario to show this in action:
In this scenario, the event became interesting when the collective of all user actions was aggregated into a single story. Traditional SIEM detection solutions might create 6 or more tickets for this one event. These tickets may or may not be worked by the same security analyst, and even if they are, it becomes difficult for the analyst to manually recall and join all the activities into a single story. This also assumes that they have the capacity to investigate the alerts at all, because there were 12,000 other alerts for attachments, PowerShell, scheduled tasks, and suspect network communications that same day.
In contrast, LogicHub creates one case for the analysts and can support automated triage playbooks to notify the user, look for other related attack activity and perform remediation activities.
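As an added illustration of the approach described above, the following Python script shows the same pipeline in miniature: raw low-threshold events land in an intermediary store, an enrichment step verifies away activity that context explains, the remainder is aggregated per user and asset into time-bounded stories, and only a story whose risk score clears a threshold becomes a case. This is example code written for this article, not LogicHub’s platform or its scoring model; the event lines, the technique weights, the chain bonus, the threshold, the two-hour window and the `svc_patch` service-account allowlist are all constructed assumptions.

```python
"""Aggregate low-threshold events into one risk-scored case per user/asset."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-technique weights; not LogicHub's real scoring model.
WEIGHTS = {"email_attachment": 10, "powershell_exec": 20,
           "scheduled_task": 25, "network_beacon": 30}
CHAIN_BONUS = 20             # per additional distinct technique in one story
CASE_THRESHOLD = 60          # a story below this never reaches an analyst
WINDOW = timedelta(hours=2)  # events further apart than this are separate stories

# Constructed enrichment context: a patch-management service account whose
# PowerShell runs and scheduled tasks are expected, so they are verified away.
KNOWN_GOOD_ACCOUNTS = {"svc_patch"}
EXPECTED_FOR_KNOWN_GOOD = {"powershell_exec", "scheduled_task"}

# Constructed raw events, one per line: timestamp|user|host|type|detail
RAW_EVENTS = [
    "2021-07-07T09:00:00|alice|WS-17|email_attachment|invoice.docm opened",
    "2021-07-07T09:01:10|alice|WS-17|powershell_exec|powershell.exe spawned by winword.exe",
    "2021-07-07T09:02:00|alice|WS-17|scheduled_task|task 'Updater' created",
    "2021-07-07T09:05:00|alice|WS-17|network_beacon|203.0.113.10:443",
    "2021-07-07T09:35:00|alice|WS-17|network_beacon|203.0.113.10:443",
    "2021-07-07T10:05:00|alice|WS-17|network_beacon|203.0.113.10:443",
    "2021-07-07T09:10:00|bob|WS-22|powershell_exec|Get-Process",
    "2021-07-07T09:12:00|svc_patch|SRV-01|scheduled_task|task 'PatchCycle' created",
    "2021-07-07T09:13:00|svc_patch|SRV-01|powershell_exec|Install-Update",
    "2021-07-07T13:00:00|carol|WS-30|email_attachment|report.pdf opened",
    "2021-07-07T16:30:00|alice|WS-17|email_attachment|agenda.docx opened",
]


def parse(line):
    """Turn one constructed event line into a dict with a parsed timestamp."""
    ts, user, host, etype, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "type": etype, "detail": detail}


def verify(event):
    """Verification step: drop events that the enrichment context explains."""
    return not (event["user"] in KNOWN_GOOD_ACCOUNTS
                and event["type"] in EXPECTED_FOR_KNOWN_GOOD)


def score_story(events):
    """Risk score for one user/asset story: technique weights plus a chain bonus."""
    techniques = {e["type"] for e in events}
    return sum(WEIGHTS[e["type"]] for e in events) + CHAIN_BONUS * (len(techniques) - 1)


def split_stories(events):
    """Group a user/asset's time-ordered events into stories bounded by WINDOW."""
    stories, current = [], []
    for event in sorted(events, key=lambda e: e["ts"]):
        if current and event["ts"] - current[0]["ts"] > WINDOW:
            stories.append(current)
            current = []
        current.append(event)
    if current:
        stories.append(current)
    return stories


def naive_ticket_count(lines):
    """One ticket per alert: the per-event SIEM behaviour the post contrasts with."""
    return len(lines)


def build_cases(lines):
    """Store, verify, aggregate by (user, host), score, and emit cases above threshold."""
    store = [e for e in map(parse, lines) if verify(e)]  # intermediary data store
    by_key = defaultdict(list)
    for event in store:
        by_key[(event["user"], event["host"])].append(event)
    cases = []
    for (user, host), events in by_key.items():
        for story in split_stories(events):
            risk = score_story(story)
            if risk >= CASE_THRESHOLD:
                cases.append({"user": user, "host": host, "risk": risk,
                              "techniques": sorted({e["type"] for e in story}),
                              "events": story})
    # Highest risk first, so the analyst sees the most concerning case at the top.
    return sorted(cases, key=lambda c: c["risk"], reverse=True)


if __name__ == "__main__":
    print("per-alert tickets:", naive_ticket_count(RAW_EVENTS))
    for case in build_cases(RAW_EVENTS):
        print(f"case {case['user']}@{case['host']} risk={case['risk']} "
              f"techniques={case['techniques']} events={len(case['events'])}")
```

Run as-is, the eleven constructed events would have produced eleven per-alert tickets, six of them for the same user and workstation; the aggregation instead yields a single case for `alice@WS-17` carrying all four techniques, while the lone PowerShell run on another host, the two service-account events and the attachment opened hours later never reach an analyst. The weights and window are the knobs a real deployment would tune against its own false-positive rate; the structural point is that scoring happens on the joined story, not on each event in isolation.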