Reducing Incident Management Noise With Your Own Employees

Posted by Eran Cohen on Feb 17, 2017 11:21:58 AM
Find me on:

Noise. Noise. Noise. Our world is noisy. It's all over the place. Visual noise, physical noise. And then there is the noise which bothers analysts in the security industry. I am referring to the security signal to noise ratio that is only growing and growing because of the evolving techniques, various data sources and the unknown threats that we all want to catch (or is it afraid to miss?). In fact, the elephant has left the room and is now visible to all.

focused-noise.jpgThe problem is so strong that it was even named as the root cause of the Target breach where the security team ignored the alert that was meaningful.  It was there. Buried between many thousands of other alerts and incidents that masked the ones that were important.

Analysts have discussed this challenge in their reports, customers are trying to figure out what to do about it, and an entire event management industry was built on top of this growing amount of security events (aka Alerts) trying to answer the problem. Then, User and Entity Behavior Analytics (UEBA) was born trying to more carefully spot the threats across multiple data sources and monitoring systems.  Still we learn from analysts such as Gartner and Forrester that alert fatigue remains a concern due to the fact that threats continue to evolve, patterns are changing, more and more data sources are being added and deeper behavioral models need to be built.

As a result, the noise problem continues to grow. It's not only the false positives, the count of alerts and incidents in general is overwhelming that most advanced incident triage program and tools have struggled to address this problem. There are limits to the amount of incidents someone can handle in a day even if he/she is the most sophisticated person on earth. Information Security magazine published an article citing that most organizations can review up to 10 severe events per day and that majority (92%) of organizations gets about 500 security events per day.

So, what about incident management and response plans? They bring many process challenges particularly for companies medium sized or larger. Recently KPMG listed the top 5 reasons why these programs fails.  Let me TL/DR this report for you: Response programs need resources, software to manage tickets, 3rd party vendors as consultants, skill sets such as security and analytics, training, education, budget and maintenance of the orchestration. Organizations simply don’t have the ability to add all of these additional resources.

So what do we do with this problem? How can we reduce the noise? Is there a silver bullet?

For me the answer is pretty easy! Its crowdsourcing. Making employees part of the process can proactively help with reducing noise.

We are seeing it today with our customers. They are using their employees to self remediate incidents automatically, in a simple way, by verifying their identity when their network persona deviates from the expected behavior. Their responses are then fed back into the system so it can continue to learn what is right and what is wrong. By doing this it helps security teams review more of what really matters, the events that have the most potential to be real incidents, and less noise. Combining real deterministic evidence with additional data sources and machine learning, rather than relying just on 3rd hand evidence, allows them to automate reduction of alerts, accelerate incident response and prioritize event triage.

To learn more about the Preempt Behavioral Firewall and how customers are using it for incident management and beyond, read our Top Customer Use Cases paper.

Topics: Security Skills, ueba, Incident Response