Security Alert Fatigue Making Life Tough for IT Pros
… fine-tuning what you have. That includes:
- Customizing your rules or changing some settings. “There is constant management that has to be done with alert rules,” Mical said. “There may be an alert set up that says if you see someone communicate on Port 443, alert me to that. Now you have 20 other devices because new applications have been spun up that are firing a ton of alerts, so auditing your alert rule engine is important, especially if you have a legacy SIEM environment.”
- Tuning the network signatures in your intrusion detection system (IDS) to make them as tight as possible. “Having quick access to network metadata related to security alerts will also help analysts quickly identify false positives and not waste too much time investigating them,” said Andre Ludwig, chief product officer at Bricata.
- Dealing with configuration issues. “If you ensure that proper administrative configurations are enabled, you can minimize superfluous alerts,” said Armond Caglar, a principal at Cybeta, a business threat intelligence company. Ensuring proper access control is another important configuration issue; if the right people have access to the right alerts, the entire system will be more effective. “Network teams should be constantly improving, refining and updating processes tied to access and alert generation of their various technology sensors,” Caglar added. “This includes continuous adjustments made to each team member’s access, the topics assigned to them, and criticality protocol.”
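As an added illustration of the rule-auditing point above (example code, not from the article or any vendor quoted in it), the following Python applies the article's "anyone on port 443" rule and a scoped version of it to a constructed set of connection events, then reports which rule is dominated by a few repeat sources. The event fields, host names and asset-group names are assumptions.

```python
from collections import Counter

# Constructed sample of outbound-connection events (not from the article):
# source host, destination port, and the host's asset group.
EVENTS = [
    {"src": "ws-01", "dst_port": 443, "group": "workstation"},
    {"src": "ci-01", "dst_port": 443, "group": "ci-runner"},
    {"src": "ci-01", "dst_port": 443, "group": "ci-runner"},
    {"src": "ci-02", "dst_port": 443, "group": "ci-runner"},
    {"src": "ci-02", "dst_port": 443, "group": "ci-runner"},
    {"src": "ci-02", "dst_port": 443, "group": "ci-runner"},
    {"src": "plc-07", "dst_port": 443, "group": "ot-controller"},
    {"src": "ws-03", "dst_port": 22, "group": "workstation"},
]

# The broad rule from the article's example: alert on anyone talking on 443.
def port_443_any(event):
    return event["dst_port"] == 443

# Tuned rule: same intent, but asset groups expected to make outbound TLS
# (hypothetical list) no longer fire it.
EXPECTED_TLS_GROUPS = frozenset({"workstation", "ci-runner"})

def port_443_scoped(event):
    return event["dst_port"] == 443 and event["group"] not in EXPECTED_TLS_GROUPS

RULES = {"port_443_any": port_443_any, "port_443_scoped": port_443_scoped}

def audit(events, rules, top=3):
    """Firings per rule plus its busiest sources: the numbers an analyst
    needs to see whether a rule is mostly repeating itself."""
    report = {}
    for name, predicate in rules.items():
        hits = [e for e in events if predicate(e)]
        by_src = Counter(e["src"] for e in hits)
        report[name] = {"total": len(hits), "top_sources": by_src.most_common(top)}
    return report

def noisy_rules(report, min_total=5, dominance=0.5):
    """Flag rules where a few sources produce most of the volume; those are
    the tuning candidates (scope the rule, or allowlist the asset group)."""
    flagged = []
    for name, r in report.items():
        if r["total"] >= min_total:
            top_share = sum(n for _, n in r["top_sources"]) / r["total"]
            if top_share >= dominance:
                flagged.append(name)
    return flagged

if __name__ == "__main__":
    rep = audit(EVENTS, RULES)
    print(rep, "tuning candidates:", noisy_rules(rep))
```

On this sample the broad rule fires seven times with two CI runners producing most of the volume, while the scoped rule fires only for the controller that has no business making outbound TLS.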
Be careful how many point solutions you add. It might be tempting to add more tools to your legacy SIEM, but choose carefully or you will add complexity. Sometimes, the more data and products you apply to your SIEM, the less responsive it can become.
“Can your people handle all of those tools? Probably not,” Adams said. “So focus on the most effective, efficient and automated tools. It’s a real balance to be able to make it work for you. You need a basic set of tools and a good set of telemetry, but you have to be able to handle that data in an effective way.”
Make sure your personnel and processes can handle the load, he added.
“We don’t bring on any more tooling that makes any more load for us. We look at tools that allow us to reduce the load on the human personnel.”
No matter which route you go, testing is critical. Make sure you are doing red team/blue team exercises to validate your rules. Also, do penetration testing to ensure that there is no way to circumvent them, Mical said.