In the hustle and bustle of our modern world, we can all get easily lost in the noise. One kind of noise is most frustrating for security teams: the noise of security incidents. With more and more data feeding into your security analytics products, it seems like we are creating more problems for ourselves: too many alerts and not enough manpower to review them.
In fact, the most famous breach of all is a result of too much noise and not enough manpower. The 2013 Target data breach, estimated to have a total cost of more than $202 million, started with a security team that ignored a critical security alert and ended with more than 60 million Target customers compromised. The breach was right under their noses and they didn’t notice. Why? Because the alert was buried among thousands of other alerts and incidents, and the security team simply could not discern which ones to focus on. According to a study done by the Ponemon Institute and published by IBM, it takes an organization on average 9 months to detect and respond to a security breach.
UEBA Does Not Solve the Problem
This problem plagues many organizations large and small. An entire event management industry has been built to address the sheer volume of security alerts: User and Entity Behavior Analytics (UEBA), which carefully identifies the important threats facing your organization across multiple data sources and monitoring systems. Despite UEBA, however, we find that alert fatigue is still a very serious problem as attackers get smarter and more data sources become available for analysis, which in turn creates more noise.
As the noise grows, it’s not just the false positives that wear down security teams; it is also the overwhelming number of alerts and the lack of security professionals to review them. Even the most sophisticated SOC analyst has a limit on how many security incidents he or she can handle in one day. Information Security magazine published an article citing that most organizations can review up to 10 severe events per day and that the majority (92%) of organizations get about 500 security events per day.
Incident Response Planning Is Difficult
Alternative solutions include incident management and response plans that contain steps to limit damage from service outages, data loss, or unauthorized access to critical systems or applications. However, these plans create many process challenges, particularly for medium- and large-sized companies. In fact, KPMG listed the top 5 reasons why these programs fail for most organizations. TL;DR: response programs need resources, software to manage tickets, third-party vendors as consultants, skill sets such as security and analytics, training, education, budget, and maintenance of the orchestration.
Sound complicated? It is: Organizations simply don’t have the ability to obtain and manage all these additional resources.
How to Reduce the Noise
The answer is right in front of you: crowdsourcing. Make your weakest link your strongest link. Employees should be part of the security incident process so they can help your SOC team with noise reduction.
How? Leverage them to auto-remediate security incidents by requiring them to approve or authenticate any risky activity that is associated with their account.
For example: If Stacy from marketing needs to access a sensitive HR application that contains PII data, rather than just alerting the SOC team on this activity, you can require that Stacy verify her identity and her access attempt with strong multi-factor authentication to ensure it is not an attacker impersonating Stacy and trying to steal sensitive data. Once verified, Stacy will be able to access her own PII data to make any changes, all without burdening the SOC team with an additional alert to investigate.
With no viable solution that can adequately reduce the noise, not even with the promise of artificial intelligence, security becomes everyone’s job. We see many customers today who leverage their own employees to help with noise reduction. Their employees are empowered to self-remediate incidents automatically, in a simple way, by verifying their identity when their network persona deviates from the expected behavior. The responses are then fed back into a central management system so organizations can always learn and adapt to the changes in employee behavior.
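The flow described above (a deviation from the user's baseline triggers a step-up MFA challenge rather than a SOC alert, and a verified response is fed back so the baseline learns) is sketched below as an added illustration. It is not Preempt's code; the app names, users, baselines and MFA outcomes are constructed, and the policy engine is a hypothetical stand-in for a real conditional access product.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed sample data: apps holding PII warrant a step-up challenge when accessed unexpectedly.
SENSITIVE_APPS = {"hr-portal"}


@dataclass
class AccessEvent:
    user: str
    app: str


@dataclass
class ConditionalAccess:
    """Hypothetical policy engine: a deviation from the user's baseline triggers
    step-up MFA instead of a SOC alert; only a failed challenge reaches the SOC."""
    baseline: Dict[str, Set[str]] = field(default_factory=dict)
    soc_alerts: List[str] = field(default_factory=list)

    def deviates(self, ev: AccessEvent) -> bool:
        return ev.app not in self.baseline.get(ev.user, set())

    def decide(self, ev: AccessEvent, verify_mfa: Callable[[str], bool]) -> str:
        # verify_mfa stands in for the real MFA prompt shown to the user.
        if not self.deviates(ev):
            return "allow"                      # expected behaviour, no friction, no alert
        if ev.app not in SENSITIVE_APPS:
            return "allow"                      # low-risk deviation: nothing worth verifying
        if verify_mfa(ev.user):
            # Verified response is fed back so the baseline learns the new behaviour.
            self.baseline.setdefault(ev.user, set()).add(ev.app)
            return "allow"
        self.soc_alerts.append(f"{ev.user}: failed step-up MFA for {ev.app}")
        return "deny"


def run_demo() -> Dict[str, object]:
    """Replay constructed events through a naive 'alert on every deviation' rule and
    through the conditional-access engine; report how many alerts each produces."""
    events = [AccessEvent("stacy", "crm"), AccessEvent("stacy", "hr-portal"),
              AccessEvent("stacy", "hr-portal"), AccessEvent("bob", "hr-portal")]
    mfa_result = {"stacy": True, "bob": False}   # constructed: Bob's session fails the prompt
    engine = ConditionalAccess(baseline={"stacy": {"crm"}, "bob": {"wiki"}})
    naive_alerts = sum(1 for ev in events if engine.deviates(ev))  # before any learning
    decisions = [engine.decide(ev, lambda user: mfa_result[user]) for ev in events]
    return {"naive_alerts": naive_alerts, "conditional_alerts": len(engine.soc_alerts),
            "decisions": decisions}
```

Three events would have become SOC alerts under the naive rule; with the step-up challenge only Bob's failed verification does, and Stacy's second visit to the HR portal no longer counts as a deviation at all.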
By empowering employees to reduce security incidents and staying dynamic as their organization changes, security teams review more of what really matters, the events with the most potential to be real threats, and less of the noise.
To learn more about how Preempt’s Conditional Access solution can help empower your employees to auto-remediate security incidents, and how customers are using it for incident management and response, read what our customers have to say.
An earlier version of this post was previously published.