We're about to throw some numbers at you, but bear with us: We think you'll find this fascinating.
There are 86,400 seconds in a day. Compare that to the average daily noise created by security information and event management (SIEM) solutions – anywhere between 10,000 and 150,000 alerts – and what are you left with?
Well, let's say you have 24/7 analyst-supported monitoring. In that case, the low end, 10,000 alerts, gives you about 8.6 seconds to respond to each alert, twice that amount if you have two security analysts staffed, which is still only a fraction of a minute. The high end, 150,000 alerts, means you have 0.5 seconds to investigate each alert. Assuming you have five security analysts staffed 24/7/365, that's still only 2.5 seconds per alert for forensics. Most people can't even tie their shoes that quickly.
This is to say, there literally aren't enough hours in a day to handle security alerts.
A tightrope of terror
It's fair to say that many organizations are walking a very fine line when it comes to security analysis. To reduce the number of false positives, analysts set up rules and configurations that scale back the noise. Of course, this is a tough balancing act: If you suppress too aggressively, you risk false negatives, i.e., threats that might have been detected with stricter configurations.
Conversely, configuring rules too tightly may produce an unmanageable quantity of false positives. This risks spreading your security analysts' attention too thin as they triage innocuous alerts, which is problematic for several key reasons:
- Analyzing large amounts of false positives is not the best use of your resources, and there is in fact such a thing as security ROI.
- Haste makes waste, as they say; a rushed security analyst is a less effective security analyst.
- Alert fatigue induces an overly stressful work environment for analysts, and that expertise is difficult to replace should it jump ship for a business that supplies better threat detection and response resources.
In other words, there's much more at stake than just your overall security posture. There's the risk of money wasted chasing dead-end alerts, and there's the ever-present concern that you'll lose your analysts, who are easily your security operations center's most valuable resource.
One strategic misstep, and it's a long way down.
The automation X-factor: Context
Intelligent security automation can contextualize security alerts more deeply than your standard SIEM. Just because a certain network event appears to deviate from a configuration doesn't mean it's a true indicator of compromise (IOC). A security automation platform can determine this for itself because advanced correlation and machine learning allow it to develop a thorough understanding of historically threatening and non-threatening behaviors.
As a result, that platform can automatically classify certain alerts as being the lowest priority. This facilitates the creation of a tiered ranking system by which analysts can determine how to most effectively utilize their time. Only the top-ranking alerts will be investigated in depth. The outcomes of those investigations are subsequently looped back into the security automation platform for future context. In this way, the platform quite literally learns.
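The tiered ranking and feedback loop described above can be sketched in a few dozen lines. The following is an added illustration, not code from the original post or from any vendor's platform: it assumes each alert carries a rule identifier, a SIEM-assigned severity and an asset criticality (all constructed fields), and it uses the running record of analyst dispositions per rule as the "historical context" that moves a chronically noisy rule down to the lowest tier.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Alert:
    """A minimal alert record; field names are assumptions for this example."""
    alert_id: str
    rule_id: str
    severity: int           # 1 (low) .. 5 (high), as emitted by the SIEM rule
    asset_criticality: int  # 1 (lab box) .. 3 (crown jewel)


@dataclass
class Triage:
    """Rank alerts using analyst feedback on past alerts as historical context."""
    # per rule_id: [confirmed true positives, confirmed false positives]
    history: dict = field(default_factory=lambda: defaultdict(lambda: [0, 0]))

    def precision(self, rule_id: str) -> float:
        """Laplace-smoothed share of past alerts from this rule that were real.

        A rule with no history starts at 0.5 rather than at 0 or 1, so a new
        rule is neither trusted blindly nor buried before anyone has looked.
        """
        tp, fp = self.history[rule_id]
        return (tp + 1) / (tp + fp + 2)

    def score(self, alert: Alert) -> float:
        # Severity and asset value set the stakes; historical precision of the
        # rule scales them by how often this kind of alert has actually mattered.
        return alert.severity * alert.asset_criticality * self.precision(alert.rule_id)

    def tier(self, alert: Alert) -> str:
        """Map the score (maximum 15.0) onto three priority tiers."""
        s = self.score(alert)
        if s >= 6.0:
            return "P1"   # investigate in depth
        if s >= 2.0:
            return "P2"   # review when P1 queue is clear
        return "P3"       # lowest priority, sampled rather than worked

    def record_outcome(self, alert: Alert, true_positive: bool) -> None:
        """Close the loop: the analyst's verdict becomes context for the next alert."""
        self.history[alert.rule_id][0 if true_positive else 1] += 1

    def rank(self, alerts):
        return sorted(alerts, key=self.score, reverse=True)


# Constructed sample alerts: one from a rule that turns out to be noisy (R-NOISY),
# one from a rule that keeps paying off (R-GOOD).
NOISY = Alert("a-001", "R-NOISY", severity=5, asset_criticality=3)
GOOD = Alert("a-002", "R-GOOD", severity=3, asset_criticality=2)


def simulate() -> dict:
    """Return tiers before and after 20 analyst dispositions, showing the drift."""
    triage = Triage()
    before = {a.alert_id: triage.tier(a) for a in (NOISY, GOOD)}

    # Analysts work 20 alerts from each rule: R-NOISY is never real, R-GOOD always is.
    for _ in range(20):
        triage.record_outcome(NOISY, true_positive=False)
        triage.record_outcome(GOOD, true_positive=True)

    after = {a.alert_id: triage.tier(a) for a in (NOISY, GOOD)}
    order = [a.alert_id for a in triage.rank([NOISY, GOOD])]
    return {"before": before, "after": after, "order_after": order}


if __name__ == "__main__":
    print(simulate())
```

Before any feedback, the high-severity alert on the critical asset ranks P1 on severity alone; once analysts have closed twenty of its alerts as false positives, the same alert scores under 1.0 and drops to P3, while the modest but consistently genuine rule overtakes it in the ranking. The smoothing is the caveat a practitioner should watch: a rule that has never been worked never learns, so P3 should be sampled rather than ignored.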
So while the days certainly aren't getting any longer and cybercrime isn't getting any less prolific, we still have an edge over the black hats.
Let's use it.