Enterprises unable to process the flood of alerts received each day from security systems have several options available to regain control and improve network defenses, experts say.
The average North American enterprise has to contend with 10,000 alerts a day, with the noisiest networks generating an overwhelming 150,000 alerts, according to a recent study by security vendor Damballa. The numbers come from an analysis of traffic from Internet service providers and enterprises.
Software or appliances that fall under the product category of security information and event management (SIEM) generate most of the alerts triggered by anomalies detected in hardware and software on the corporate network.
To contend with the alert flood, enterprises have the option of moving to a different model for detecting malware or learning to make better use of the SIEM systems they have, experts said Wednesday.
Matthew Neeley, director of strategy initiatives for consulting firm SecureState, advises companies to do the latter to avoid the expense of ripping and replacing technology.
"I'm a bigger fan of having (clients) make good use of the technology they have," he said. "Once they are making good use of that, then look at whether there are other technologies that can be brought in to give them a better view."
In using SIEM systems, enterprises often place too much trust in the default settings, Jason Wood, principal consultant for Secure Ideas, said.
"Some organizations purchase a device with the hope that it will some how make sense of their environment and magically only tell them what they need to know," Wood said. "The problem is that the products can't do that automatically and need someone working with the system to make it useful."
Wood advises setting aside time each day to review security and log data, determine the data and events that are normal in the network and then configure the system to only alert on abnormalities.
"By training systems in the environment, we can get better automatic responses to events," Wood said. "We can focus on what's actually important and meaningful to the organization."
Neely is a fan of identifying where sensitive data is stored and then focusing monitors only on those systems to reduce noise.
"Additionally, we recommend companies take this a step further and move these critical systems into protected networks," he said. "These networks should have higher levels of protection and should also be where their monitoring is focused."
For companies ready for something other than traditional SIEM systems, Chris Morales, a research director at NSS Labs, recommends looking at technology that monitors outbound traffic, which produces fewer alerts.
SIEM systems will collect information from anti-virus software, firewalls, intrusion detection systems and other technologies focused on inbound traffic.
Vendors such as Damballa, FireEye, Lastline and General Dynamics Fidelis Cybersecurity Solutions apply intelligence to outbound traffic to spot possible malware in the network.
"I call the posture assumed breach," Morales said. "Instead of trying to stop breaches, I try to stop data loss."
In general, the technology checks the IP addresses where data is heading and compares them to a continuously updated blacklist of known addresses used by cybercriminals.
The technology can also analyze packets to determine whether they contain characteristics indicative of malware.
Currently, these types of systems require a combination of hardware and management services provided by the vendor, Morales said.
As the technology matures, he expects more automation and less of a need for outside services.
"Right now, there's too much manual processing (of data)," Morales said.
This story, "Reining in Out-of-Control Security Alerts" was originally published by CSO.