The majority of security organizations received more alerts than they can handle and don't have a way to spot stolen credentials, according to a survey released today.
According to the report, 62 percent of organizations get too many alerts, and that's just from SIEM systems.
The majority of respondents, or 54 percent, said their teams were only able to investigate 10 or fewer alerts per day, partly due to how long these investigations take.
"A lot of incident-handling workflows were developed long ago, and were not updated over time or are not designed to scale as more alerting tools have been introduced into the ecosystem," said Matt Hathaway, senior manager of platform development at Rapid7, the sponsor of the report. "They get new systems that alert in addition to existing systems, and without being able to scale the team quickly, it becomes unmanageable."
Meanwhile, 90 percent of respondents said that they are worried about attacks using compromised credentials, while 60 percent said that they cannot detect these kinds of attacks.
For over a decade now, intrusion detection has been focused on malware, said Hathaway. "For so long, that was the primary method of attack," he said.
But attackers have shifted their strategies and are now using stolen credentials at some stages of the attack.
"And detection has not, on a broad basis, caught up," he said.
One solution is to use user behavior analytics to spot credentials that are being used in unusual ways, a possible sign that they have been compromised.
Of the 40 percent of respondents who said they can detect attacks that use compromised credentials, 27 percent said that they have user behavior analytics in place.
"The rest believe that they are successful detecting it by other means," Hathaway said.
Finally, only 21 percent of respondents said that they are monitoring the use of cloud services with their SIEM, and only 33 percent said that they have security visibility into cloud services.
Meanwhile, 79 percent of the respondents said that their companies use cloud services, with 60 percent saying that only approved cloud services are allowed.
However, this does not necessarily reflect the actual usage of cloud services at these companies, since data from the Cloud Security Alliance shows that companies typically underestimate their use of cloud services by a factor of eight.
According to the report, security teams have a challenge in keeping track of cloud services used by employees and managing the security credentials -- and also in keeping track of logins and being able to respond appropriately.
For example, if an employee signs into the corporate network from their desk, and a few minutes later signs into, say, the Office 365 cloud services from a computer in Asia, that could be a sign of a compromised account.
"This is something that, as a company, we hear a lot about from our user base," said Hathaway. "People generally don't understand what risk is being introduced by specific individuals in the company using cloud services that aren't company managed."
This story, "Security pros worried about stolen credentials, alert volumes " was originally published by CSO.