Cyber Alert Overload: 3 Steps to Regaining Control
Industry’s response to the proliferation of cyber attacks is a growing array of technologies and services designed to address them. Network owners add these products as new attack vectors emerge. One result: A growing cybersecurity stack with overlapping tools that produce so many alerts it is difficult for analysts to sift the signal from the noise.
“The administrator becomes numb to the alerts,” said Curtis Dukes, executive vice president of the Center for Internet Security (CIS) and the National Security Agency’s former director of information assurance. That means significant threats can go unaddressed.
“It’s an old problem that has been dealt with periodically and that comes back again,” said John Pescatore, director of emerging security trends at the SANS Institute who previously designed secure communications systems for the NSA and the Secret Service.
Standardizing technology and processes, prioritizing risks and automating processes are each critical to developing the right solution for an organization.
“It’s well known that most Enterprises use only 15 percent to 20 percent of the technical capability already available within their toolsets,” said Chris Barnett, chief technology officer in General Dynamics Information Technology’s (GDIT) Intelligence Solutions Division. “It takes both time and expertise to implement the more advanced capabilities found in many of today’s tools. Standardizing tools across the enterprise gives security engineers the opportunity to leverage those sophisticated capabilities and provides opportunities for process automation and event correlation.”
The problem is less false positives than repeat offenders. Multiple products can flag alerts for the same threat or incident.
Security Information and Event Management (SIEM) tools were created in the 1990s in response to information and alerts being generated by perimeter security products such as antivirus and firewalls. This helped reduce the alert volume to a dull roar, Pescatore said. But products eventually fall behind the flood of alerts produced by new security tools, and administrators are again facing alert overload.
The increasing complexity of the Defense Department’s cybersecurity toolset “is driving inefficiencies,” Col. Brian Lytell, the Defense Information Systems Agency’s (DISA) deputy director of cyber development, said in December. “I’m going to have to eliminate some things within the architecture itself to try to simplify it and reduce it down.”
DISA has been evaluating each component in its security stack to determine which it will keep and which it will phase out. The agency’s problem is not unique: IT security stacks tend to grow ad hoc, so periodically modernizing and streamlining to create a more coherent cybersecurity environment is a good idea. But unwinding a complex security solution is time-consuming and complicated. Few enterprises can match the kind of enterprise-wide reach DISA possesses, and even DISA does not control all DOD IT systems.
Chriss Knisley, executive vice president at the security analytics company Haystax Technologies, said a study for one customer found that its systems generated 35,000 alerts over a three-month period, about 390 per day. The 2016 State of Monitoring survey by Big Panda found that only 17 percent of organizations receiving 100 or more alerts a day were able to address all of them within 24 hours.
Fortunately it is not necessary to address every alert. Many alerts are duplicates resulting from the same incident or activity. Of those that remain, some are low risk and can be assigned a lower priority in an effective risk management program.
SIEM tools provide a significant capability for data collection, correlation and risk management, GDIT’s Barnett said. “We’ve built applications using existing SIEM tools to automate, track and report performance-based metrics and dashboards to support risk-based prioritization,” he explained. “We’ve even been able to include logic that automatically changes colors based upon thresholds and service level agreements. Leveraging existing tools this way builds a strategic, scalable capability within the customer space that enables the agency to leverage its existing tool investments to replace timeconsuming, manual methods.”
There are several other practical steps for addressing alert overload and improving overall security.“My advice to DISA is to standardize on consensus-based security benchmarks,” Dukes said. “That would go a long way.” This can help prioritize threats and alerts, automate analysis and response, and reduce the burden on personnel.
Pescatore and Dukes and Barnett outline three essential steps to address alert overload:
The bible for federal cybersecurity is the National Institute of Standards and Technology’s (NIST) Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. It contains a 233-page catalog of security controls that agencies can use. But not every agency will need every control; each agency is responsible for selecting the controls that meet its needs.
To jumpstart this task, the NSA in 2008 commissioned a list of controls that would help the DOD address “known bads” – the most pervasive and dangerous threats. The result was the 20 Critical Security Controls, developed through a consensus of industry and government experts and maintained by CIS.
This list is not a complete cybersecurity program; it reflects the 80/20 principle that a small number of actions – if they are the right actions – can address a large percentage of threats. “Organizations that apply just the first five CIS Controls can reduce their risk of cyberattack by around 85 percent,” according to CIS. “Implementing all 20 CIS Controls increases the risk reduction to around 94 percent.” Using a standardized set of controls makes it easier for security teams to focus on alerts that represent the most serious threats.
Standards-based security tools make it easier to implement third-party analytics and automation solutions. The Security Content Automation Protocol (SCAP), developed by NIST, standardizes how security information is generated, allowing automated management of alerts. When security content is standardized, redundant alerts from multiple products can be eliminated, reducing the number of alerts.
The total number of alerts and threats you address is less important than their seriousness. “You don’t have to fix everything, but you should do the business-critical things first,” Pescatore said. “Focus on the mission, not the nuisances.”
Prioritization is a force-multiplier, enabling limited manpower to focus on the things that pose the greatest threat to operations. To ensure that you are using the right controls and getting the right alerts, you need to understand your enterprise and its mission. This requires full discovery of the network and attached systems and collaboration with lines-of-business officials. These officials can identify the agency crown jewels in terms of processes and data so that alerts are aligned with high-value and high-impact resources.
When you know what is important, you can configure and tune the tools in your security stack to provide the information you need. You don’t have to ignore lower-priority events, but these can be dealt with on a different schedule or assigned for automated response.
Automation is not a silver-bullet. Letting tools automatically respond to security and threat alerts “almost never works” because of the complexity of IT systems, Pescatore said. Security fixes, patches and configurations often must be tested before they are applied. Intrusion Prevention Systems can automatically block suspect activity, but this is impractical in critical environments where false positives cannot be tolerated. IPSs often are used to alert rather than respond, creating another source of alerts.
But automated tools can be effective for sorting and evaluating alerts, eliminating duplicate information and identifying the most serious threats. SIEM tools are helpful here, but they work with proprietary products and protocols, Dukes said. They work through product APIs, and in a multi-vendor environment the number of SIEMs can multiply, adding complexity.
This is where SCAP comes in. Federal agencies are required to use SCAP-compliant security products when they available. By creating an environment in which security information is standardized for automation, administrators can come closer to the “single pane of glass” that gives full visibility into the status of and activity on the network and reducing the number of alerts.
Each of these activities supports the other two. Together they can reduce and sort through the growing volume of alerts being generated in an increasingly complex threat and security environment. The necessary humans in the loop are better informed so that they can focus on the most important tasks. “If I can do that, I’m ahead of the game,” Pescatore said. “I’m winning the battle.”