Cybersecurity – be prepared for alert fatigue and understand the context
FYI, this story is more than a year old
Every week it seems like there’s another major cyber security breach. Last year, credit ratings agency Equifax lost 147.9 million customer records, including social security numbers and other identifiers when a web application wasn’t patched properly, giving hackers access to sensitive data.
Ride sharing company Uber was also subject to a breach in 2016, where hackers stole 57 million driver and customer records. Closer to home, the ‘Alf’ hack of a defence subcontractor saw commercially sensitive information stolen due to poor IT security, including the use of default passwords such as “guest” and “admin”.
While data breaches can often come down to difficulties with patch management processes, or the use of default user accounts and passwords, there are also other issues at play.
A lack of skilled IT personnel is a contributing factor. According to a Frost and Sullivan report – The 2017 Global Information Security Workforce Study – there will be a world-wide shortfall of 1.8 million information security professionals by 2022-3. In Australia, demand for cyber security related jobs is expected to grow by at least 21 per cent over the next five years.
In addition to the now well-recognised “cyber skills gap”, existing security teams are finding it difficult to keep up with the overwhelming amount of alerts they need to wade through to find the actual incidents they should be investigating to stop the next breach.
The result is something we are seeing more and more of in organisations across the region – alert fatigue. How do we reduce the strain on existing security teams – especially when that team is a single person wearing multiple hats – and at the same time make it easier to bring in new staff and build their skills and confidence?
One of the common mistakes we see many organisations make is to simply add a new security tool every time a new threat emerges. A new type of virus or ransomware leads to a new anti-virus solution. We now have next-generation firewalls and intrusion prevention systems as well.
These are all incremental tools added to the existing tools to combat a specific security challenge. The downside to adding new tools is that unless they are integrated and can provide an environment that works together, all they will do is simply create more alerts, which creates an even greater workload, and contributes even further to alert fatigue and potentially missed incidents.
Using integrated tools that provide a deeper level of visibility is one step an organisation can take to combat existing and emerging threats. But before investing in more tools, different parts of the organisation need to start talking to each other more. This means that IT needs to talk to the board and business owners about where their information crown jewels live, and what that valuable data is.
Part of this process is conducting a business risk assessment to figure out what is being protected, and, at a very core level, what the business exists for. This is almost an existential question, focused on what an organisation does, and why it does it. This process will also inform a crucial understanding of what would happen to the company if that valuable information was stolen or exposed in a breach.
For some businesses, that critical information will be customer and credit card data. For others it will be their “secret sauce”: intellectual property, competitor intelligence, or merger and acquisition plans. In the case of the ‘Alf’ hack, it was sensitive defence plans and information.
For Equifax, it was consumer credit information, while with Uber, the lost data was credit card and identity information. What’s valuable will vary from organisation to organisation, and understanding where that valuable information exists is essential to provide security staff with the business context they need to do their jobs well.
Once an organisation knows what that valuable information is, then an additional step to add context is understanding what systems that data lives on, where any dependencies are, and how they are connected, both internally and to the rest of the world. A server that works as the front end to an application might also have connections to another server containing valuable data, or it might contain valuable information itself.
When it becomes clear where information lives, it makes it easier for security staff to respond to an alert. Having centralised context data means that when an alert is raised, IT doesn't need to spend hours trawling through spreadsheets or other information sources in an attempt to understand what systems are involved.
By providing an understanding of the business, and putting the business context into an alert when a ticket is raised, the amount of time needed to investigate it is dramatically reduced – helping to reduce the aforementioned alert fatigue.
Because they have the full picture at hand, staff can then also determine whether an alert requires further investigation. This in turn cuts down on alert fatigue, and allows security departments and security personnel to maximise their time spent policing the electronic borders of the company against major threats rather than chasing down false alerts.
Alert fatigue is real. By providing context and business understanding, organisations can cut down on this fatigue, and gain an understanding of what they need to protect, in order to stay out of the news headlines and remain in business for today, and tomorrow.
Article by RSA advisory systems engineer, Chris Thomas.