
Cybersecurity – be prepared for alert fatigue and understand the context

13 Mar 18

Every week it seems like there’s another major cyber security breach. Last year, credit ratings agency Equifax lost 147.9 million customer records, including social security numbers and other identifiers, when a web application wasn’t patched properly, giving hackers access to sensitive data.

Ride sharing company Uber was also subject to a breach in 2016, where hackers stole 57 million driver and customer records. Closer to home, the ‘Alf’ hack of a defence subcontractor saw commercially sensitive information stolen due to poor IT security, including the use of default passwords such as “guest” and “admin”.

While data breaches can often come down to difficulties with patch management processes, or the use of default user accounts and passwords, there are also other issues at play.

A lack of skilled IT personnel is a contributing factor. According to a Frost and Sullivan report – The 2017 Global Information Security Workforce Study – there will be a world-wide shortfall of 1.8 million information security professionals by 2022-23. In Australia, demand for cyber security related jobs is expected to grow by at least 21 per cent over the next five years.

In addition to the now well-recognised “cyber skills gap”, existing security teams are finding it difficult to keep up with the overwhelming number of alerts they need to wade through to find the actual incidents they should be investigating to stop the next breach.

The result is something we are seeing more and more of in organisations across the region – alert fatigue. How do we reduce the strain on existing security teams – especially when that team is a single person wearing multiple hats – and at the same time make it easier to bring in new staff and build their skills and confidence?

One of the common mistakes we see many organisations make is to simply add a new security tool every time a new threat emerges. A new type of virus or ransomware leads to a new anti-virus solution. We now have next-generation firewalls and intrusion prevention systems as well.

These are all incremental tools, each added to the existing toolset to combat a specific security challenge. The downside is that unless the tools are integrated and work together as one environment, all they will do is create more alerts, which means an even greater workload, more alert fatigue, and potentially more missed incidents.

Using integrated tools that provide a deeper level of visibility is one step an organisation can take to combat existing and emerging threats. But before investing in more tools, different parts of the organisation need to start talking to each other more. This means that IT needs to talk to the board and business owners about where their information crown jewels live, and what that valuable data is.

Part of this process is conducting a business risk assessment to figure out what is being protected, and, at a very core level, what the business exists for. This is almost an existential question, focused on what an organisation does, and why it does it. This process will also inform a crucial understanding of what would happen to the company if that valuable information was stolen or exposed in a breach.

For some businesses, that critical information will be customer and credit card data. For others it will be their “secret sauce”: intellectual property, competitor intelligence, or merger and acquisition plans. In the case of the ‘Alf’ hack, it was sensitive defence plans and information.

For Equifax, it was consumer credit information, while with Uber, the lost data was credit card and identity information. What’s valuable will vary from organisation to organisation, and understanding where that valuable information exists is essential to provide security staff with the business context they need to do their jobs well.

Once an organisation knows what that valuable information is, then an additional step to add context is understanding what systems that data lives on, where any dependencies are, and how they are connected, both internally and to the rest of the world. A server that works as the front end to an application might also have connections to another server containing valuable data, or it might contain valuable information itself.

When it becomes clear where information lives, it makes it easier for security staff to respond to an alert. Having centralised context data means that when an alert is raised, IT doesn't need to spend hours trawling through spreadsheets or other information sources in an attempt to understand what systems are involved.

By providing an understanding of the business, and putting the business context into an alert when a ticket is raised, the amount of time needed to investigate it is dramatically reduced – helping to reduce the aforementioned alert fatigue.

Because they have the full picture at hand, staff can then also determine whether an alert requires further investigation. This in turn cuts down on alert fatigue, and allows security departments and security personnel to maximise their time spent policing the electronic borders of the company against major threats rather than chasing down false alerts.
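The enrichment step described above, as an added example that is not part of the original article: a constructed asset inventory records each system's owner, data classification, criticality and internal connections, and each raised alert is stamped with that business context so that a low-severity sensor alert on a front-end server that can reach card data is triaged ahead of a noisier alert on a kiosk. The hosts, scoring rules and alerts are assumptions for illustration.

```python
# Added example (not the article's code): enrich alerts with business context
# (owner, data classes, dependencies) so triage order reflects business impact.

# Constructed asset inventory, as produced by a business risk assessment.
ASSETS = {
    "web-fe-01": {"owner": "Digital", "data": [], "criticality": 2, "depends_on": ["cust-db-01"]},
    "cust-db-01": {"owner": "Finance", "data": ["PII", "card"], "criticality": 5, "depends_on": []},
    "kiosk-07": {"owner": "Facilities", "data": [], "criticality": 1, "depends_on": []},
}

def reachable_data(host, assets=ASSETS, seen=None):
    """Data classes held on the host and on every host it connects to (cycle-safe)."""
    if seen is None:
        seen = set()
    if host in seen or host not in assets:
        return set()
    seen.add(host)
    found = set(assets[host]["data"])
    for dep in assets[host]["depends_on"]:
        found |= reachable_data(dep, assets, seen)
    return found

def enrich(alert, assets=ASSETS):
    """Attach owner, criticality, exposed data and a business-aware priority to an alert."""
    asset = assets.get(alert["host"])
    ctx = {
        "owner": asset["owner"] if asset else "unknown",
        "criticality": asset["criticality"] if asset else 0,
        "exposed_data": sorted(reachable_data(alert["host"], assets)),
    }
    # Sensor severity times business criticality; anything that can reach sensitive data is at least "high".
    score = alert["severity"] * max(ctx["criticality"], 1)
    if ctx["exposed_data"]:
        score = max(score, 8)
    ctx["priority"] = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {**alert, "context": ctx}

# Constructed sample alerts as two different tools might raise them.
ALERTS = [
    {"id": 1, "host": "web-fe-01", "severity": 2, "rule": "Suspicious file upload"},
    {"id": 2, "host": "kiosk-07", "severity": 3, "rule": "Port scan"},
    {"id": 3, "host": "unknown-host", "severity": 1, "rule": "Failed login"},
]

def triage(alerts=ALERTS):
    """Return enriched alerts ordered so the highest business impact comes first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((enrich(a) for a in alerts), key=lambda a: order[a["context"]["priority"]])
```

Hosts missing from the inventory are flagged with owner "unknown" rather than dropped, which is itself a finding: an unrecorded system is exactly the gap the context-gathering exercise exists to close.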

Alert fatigue is real. By providing context and business understanding, organisations can cut down on this fatigue, and gain an understanding of what they need to protect, in order to stay out of the news headlines and remain in business for today, and tomorrow.

Article by RSA advisory systems engineer, Chris Thomas.
