Incident detection and response can be represented by the old "good news, bad news, worse news, worst news" cliché. The good news is that cybersecurity professionals have at their disposal a greater variety of tools than ever before — threat intelligence platforms, EDR tools, network analytics tools, and other tools that are supposed to help keep their organizations more secure. The bad news is that every time one of these tools identifies anything suspicious, it generates an alert. The worse news is that your staff is being inundated by a tsunami of alerts, making it impossible to keep up with the volume. The worst news is that the only choice your security analysts may have is to ignore a high percentage of the alerts.
Not So Almighty
If you need a reminder of how quickly things can snowball when message volume exceeds one's ability to respond, cast your memory back to a 2003 film called "Bruce Almighty." In the film, Bruce Nolan — ably portrayed by Jim Carrey — is unhappy with the direction his career is taking, especially the underhanded antics of his rival for a promotion. Bruce meets with a series of misfortunes that push him over the edge; he decides that God is to blame and vents his anger. God responds by transferring some of his powers to Bruce so that he has a chance to see that being God is not a piece of cake.
Bruce is soon overwhelmed with so many prayer requests that he cannot deal with them all. Bruce creates a computer program to automatically respond to every prayer with a "Yes." Unfortunately, a positive response to every prayer causes chaos beyond anything Bruce could have predicted. When he is quickly inundated with far too many requests in the next wave of prayers, he unplugs the system to ignore the prayers.
Far too many security analysts are being placed in situations similar to what Bruce encountered. The volume of alerts is as overwhelming to the analysts as the volume of prayers was to Bruce. And analysts find themselves tagging many as "false positives" without any serious consideration, just like Bruce's "yeses" to all prayers. In an effort to keep up, some organizations are choosing automatic responses to all alerts, generating even more chaos. In many cases, however, a large number of alerts are simply being ignored. Frequently, analysts struggle valiantly to identify and prioritize the most critical alerts, crossing their fingers that they will not miss "the big one" that will devastate the organization. It is little wonder that cybersecurity analysts suffer from alert fatigue and job burnout. Fortunately, there are ways to save analysts from the trauma of being constantly barraged by alerts without compromising the security of the organization.
Avoid Bruce's Fate
Security orchestration allows an organization to harmonize actions across security products and automate the processes that make sense to automate — such as incident response — without taking humans out of the loop the way programmed automatic responses do. Too many organizations rely on manual remediation, limited collaboration between IT and security, tedious processes, and outdated policies. Whether processes are machine-to-machine, machine-to-human, or human-to-human, intelligent automation increases productivity and often reduces the stress felt by security analysts, giving them back a sense of control.
Tools that incorporate machine learning allow the platform to get smarter with every incident, permitting additional automated processes and streamlining the workflow. Tools featuring machine learning are intended to provide comparisons and contextual enrichment so that real threats can be separated from the deafening noise generated by routine alerts. Analysts have a trail they can follow to help them identify incidents that indicate a true security issue.
Automation also facilitates threat hunting. A proactive approach to identifying adversaries who have already penetrated the organization's security defenses can allow threats to be identified, prevented, or mitigated before an alert is triggered.
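The three ideas above (orchestrating several tools' alerts, enriching them with context, and automating only the decisions that do not need human judgment) can be shown in a small triage pipeline. The following is an added example, not Demisto's code or any product's API: the alerts, asset-criticality table, intel set, allowlist and scoring thresholds are all constructed for the demonstration. Repeats of the same signal are folded together, each surviving alert is enriched with asset criticality, intel hits and corroboration from other tools, and only low-scoring alerts on an allowlisted indicator are closed automatically, with the reason recorded; everything else goes to an analyst.

```python
"""Alert triage: dedupe, enrich, score, and route with a human in the loop.

Added example (not Demisto's code). All data below is constructed for the demo;
in practice criticality comes from a CMDB and indicators from a TI platform.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    alert_id: str
    source: str      # tool that raised it, e.g. "edr", "ids", "proxy"
    host: str
    indicator: str   # hash, domain or IP the tool flagged
    severity: int    # the tool's own 1-5 rating
    ts: datetime


# Constructed context. 0 = low-value asset, 3 = crown jewel.
ASSET_CRITICALITY = {"dc01": 3, "fileserver": 2, "kiosk-7": 0}
KNOWN_BAD = {"evil.example", "198.51.100.7"}   # constructed intel hits (documentation ranges)
KNOWN_BENIGN = {"updates.example"}             # constructed allowlist of noisy-but-expected indicators


def dedupe(alerts, window=timedelta(minutes=30)):
    """Collapse repeats of the same (source, host, indicator) inside `window`.

    Returns (alert, repeat_count) pairs: repetition is kept as context rather
    than discarded as noise, and the earliest alert of a run is the one kept.
    """
    kept = {}       # key -> [alert, repeat_count] for the last kept occurrence
    result = []
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.source, a.host, a.indicator)
        entry = kept.get(key)
        if entry and a.ts - entry[0].ts < window:
            entry[1] += 1           # same signal, same window: fold into the earlier one
            continue
        entry = [a, 1]
        kept[key] = entry
        result.append(entry)
    return [(e[0], e[1]) for e in result]


def enrich(alert, repeats, all_alerts):
    """Attach the context an analyst would otherwise look up by hand."""
    corroborating = {b.source for b in all_alerts
                     if b.host == alert.host and b.source != alert.source
                     and abs((b.ts - alert.ts).total_seconds()) <= 3600}
    return {
        "asset_criticality": ASSET_CRITICALITY.get(alert.host, 1),
        "intel_hit": alert.indicator in KNOWN_BAD,
        "allowlisted": alert.indicator in KNOWN_BENIGN,
        "repeats": repeats,
        "corroborating_sources": sorted(corroborating),
    }


def score(alert, ctx):
    """Combine tool severity with enrichment. Weights are illustrative assumptions."""
    s = alert.severity + ctx["asset_criticality"]
    if ctx["intel_hit"]:
        s += 4
    s += 2 * len(ctx["corroborating_sources"])   # independent tools agreeing is a strong signal
    if ctx["repeats"] > 5:
        s += 1
    if ctx["allowlisted"]:
        s = min(s, 2)                             # expected traffic can never score high
    return s


def triage(alerts, escalate_at=8, auto_close_below=3):
    """Route alerts into escalate / queue / auto_close buckets.

    Only allowlisted, low-scoring alerts are closed without a human, and each
    auto-close carries a recorded reason so the decision can be audited later.
    """
    buckets = {"escalate": [], "queue": [], "auto_close": []}
    for alert, repeats in dedupe(alerts):
        ctx = enrich(alert, repeats, alerts)
        s = score(alert, ctx)
        record = {"id": alert.alert_id, "score": s, "context": ctx}
        if s >= escalate_at:
            buckets["escalate"].append(record)
        elif s < auto_close_below and ctx["allowlisted"]:
            record["reason"] = "allowlisted indicator, low score"
            buckets["auto_close"].append(record)
        else:
            buckets["queue"].append(record)
    return buckets


# Constructed sample: two tools agree about dc01, a kiosk repeats an expected
# update check three times, and a file server gets one uncorroborated IDS hit.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ALERTS = [
    Alert("a1", "edr", "dc01", "evil.example", 3, T0),
    Alert("a2", "proxy", "dc01", "evil.example", 2, T0 + timedelta(minutes=5)),
    Alert("a3", "proxy", "kiosk-7", "updates.example", 1, T0),
    Alert("a4", "proxy", "kiosk-7", "updates.example", 1, T0 + timedelta(minutes=10)),
    Alert("a5", "proxy", "kiosk-7", "updates.example", 1, T0 + timedelta(minutes=20)),
    Alert("a6", "ids", "fileserver", "203.0.113.9", 2, T0 + timedelta(hours=3)),
]

if __name__ == "__main__":
    for bucket, records in triage(SAMPLE_ALERTS).items():
        print(bucket, [(r["id"], r["score"]) for r in records])
```

On the sample, six alerts become four after deduplication, the two corroborated dc01 alerts land in the escalate bucket with their intel and corroboration context attached, the three kiosk update checks collapse into one auto-closed record that still shows a repeat count of 3, and the lone file-server hit waits in the analyst queue. The thresholds are deliberately conservative: automation removes the volume the text describes, but any alert that could be "the big one" still reaches a person.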
Experienced CISOs know that it is not easy to triage, prioritize, investigate, and respond to security alerts. Unfortunately, the explosive growth in cyberattacks means that these tasks are only going to become even more difficult — and the shortage of qualified candidates with cybersecurity skills means that it will be impossible for organizations to solve the problem by just increasing staff levels. Besides, security analysts need immediate help to avoid being buried by the volume of alerts.
Until analysts get the help that they need, their organizations will be at increased risk. Alert storms make it easier for cybercriminals to circumvent the controls meant to keep them at bay, hide their attacks, and remain undetected while they conduct their nefarious business. It is time to stop extinguishing candles while ignoring the forest that is on fire. As Bruce Almighty found, when the whole burden no longer rests on manual effort, there can be peace at the end.
For more cybersecurity content, subscribe to email updates from Demisto.