If investigating and responding to threat alerts, including an onslaught of false positives, takes up a major portion of your day, you’re not alone.
Consider this: new research from Ponemon Institute found that cyber security professionals spend 25% of their time chasing false positives and respond to an estimated 4,000 security alerts each week. A study last month found that security operations center (SOC) professionals regularly dealt with false positive rates of 50% or higher. Another recent Ponemon Institute study highlighted the visibility issue, reporting that almost 70% of respondents viewed lack of visibility into network traffic as a top reason for SOC ineffectiveness. The same study found that 65% of IT and security professionals are considering quitting due to burnout.
How dangerous is alert fatigue?
With the staggering number of alerts, along with a mountain of false positives to investigate, the risk of alert fatigue increases and critical alerts may easily slip through the cracks.
Alert fatigue was discussed as a potential cause of the 2013 Target security breach, which resulted in the theft of credit card and private data for an estimated 70 million customers. Speculation focused on two issues: that Target IT took no initial response, most likely because the genuine alerts were buried among other ‘false’ alerts, and that alerting functions may have been turned off in order to reduce false positives.
With alerts taking, on average, ten minutes each to investigate, how do you reduce false positives in monitoring and alerting for your business? How do you quickly identify the critical issues that require your attention?
Working with thousands of customers worldwide, we are often asked how our monitoring capabilities can help IT teams fix only the things that need their immediate attention.
Great question. And when you consider that many of the companies we work with have multiple offices and remote workers, this is an issue that needs a new approach.
The Covalence difference
When we designed our Covalence threat detection and incident monitoring platform, we aligned it with modern cyber security practices and these ‘Cyber Situational Awareness’ pillars:
- Know your network
- Know the threats to your network
- Know what to do in response to those threats
We believe that understanding a network is the most important element in cyber security. This is not possible through the use of log data alone. In contrast to many monitoring services that depend solely on logs to monitor networks, our Covalence platform has its own high-resolution network, endpoint agent, and cloud-native monitoring sensors. While Covalence can also capture log data, such as information from Windows event logs, the data generated for analysis by Covalence sensors is purpose-built.
Covalence gathers important data, telemetry such as process information, and security events from desktop and server systems, and then applies machine learning and other proprietary algorithms with sophisticated analytics to identify suspicious network communications, compromised accounts, and other security threats in endpoint, network, and cloud systems.
A closer look at Covalence’s sensors
Covalence’s high-resolution sensors support the types of networks and monitoring required by distributed offices and a growing remote workforce, including multi-platform endpoints, full capture network monitoring, and cloud-native monitoring that is integrated with service providers like Microsoft, Amazon and Google. These sensors are built specifically for our Covalence service, designed to answer important questions about the layout, configuration and ‘normal behaviour’ of a network.
Threats and vulnerabilities are detected using data from these sensors through a combination of fully and partially automated analytics, aided by Field Effect Software experts, and continual threat hunting across all sensor domains. The threat hunting and alert triage process continually informs and improves the ongoing analytics, fine-tuning the automated alerts and mitigating alert fatigue. All of these capabilities are supported by Covalence’s dedicated and secure analytic network. Covalence endpoint agents communicate with the on-premises network sensors by default, and via the cloud. The network sensors communicate with our secure analytic network.
Our sensors and proprietary technologies enable Covalence to more effectively identify SME threats and vulnerabilities and provide rich, easy-to-understand analysis that goes beyond simple log events. This powerful combination delivers a much deeper analysis, and at the same time, reduces false positives.
Actions required, recommendations, and observations (AROs)
Designed to simplify and contextualize the threat data it generates, Covalence not only improves the quality of alerts but reduces their volume through our ARO process – Actions Required, Recommendations, or Observations – for an extremely focused and informed level of monitoring, detection, and response.
This means that the output from Covalence is not a simple ‘alert’; it is an ARO with purpose and actionable remediation.
For example, a traditional security alert may read, “incomplete login session at 2:43 am on the 10.20.32.12.” In contrast, our Covalence solution would inform you that “there is a sustained brute-force attack by thousands of remote IPs against the Remote Desktop Service located on DESKTOP-PC10 (10.20.32.12). It is advisable to immediately firewall this system from the Internet, and implement a VPN-based solution for remote access. See below for specific recommendations.”
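The contrast above is essentially an aggregation step: many raw failed-logon events are collapsed into one contextual, categorized finding. The following is an added illustration (not Covalence code, and the hostnames, addresses, thresholds and event sample are all constructed) that emits the traditional one-alert-per-event output beside an ARO-style summary with an Action Required or Observation category:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed remote-desktop logon events (not real telemetry).
# Each tuple: (UTC timestamp, target hostname, target IP, source IP).
def constructed_events():
    base = datetime(2024, 1, 10, 2, 30)
    events = []
    # 2,000 failures against DESKTOP-PC10 from 1,200 distinct addresses within 14 minutes
    for i in range(2000):
        src = f"100.64.{(i % 1200) // 256}.{(i % 1200) % 256}"
        events.append((base + timedelta(seconds=i * 0.42), "DESKTOP-PC10", "10.20.32.12", src))
    # 25 failures against FILESRV01 from a single address: noisy, but not a distributed attack
    for i in range(25):
        events.append((base + timedelta(seconds=i * 30), "FILESRV01", "10.20.32.20", "192.0.2.7"))
    return events

def raw_alerts(events):
    """Traditional approach: one alert string per failed logon event."""
    return [f"incomplete login session at {ts:%H:%M} on the {ip}" for ts, _, ip, _ in events]

def build_aros(events, window_minutes=15, min_sources=100, min_attempts=500, observe_attempts=10):
    """Aggregate failures per target and time window, then emit at most one ARO per bucket."""
    buckets = defaultdict(lambda: {"attempts": 0, "sources": set()})
    for ts, host, ip, src in events:
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0, microsecond=0)
        buckets[(host, ip, start)]["attempts"] += 1
        buckets[(host, ip, start)]["sources"].add(src)
    aros = []
    for (host, ip, start), b in sorted(buckets.items(), key=lambda kv: kv[0][2]):
        n_src, n_att = len(b["sources"]), b["attempts"]
        if n_att >= min_attempts and n_src >= min_sources:   # distributed, high-volume: act now
            category = "Action Required"
            text = (f"Sustained brute-force attack by {n_src} remote IPs ({n_att} attempts since "
                    f"{start:%H:%M}) against the Remote Desktop Service on {host} ({ip}). Firewall this "
                    f"system from the Internet immediately and provide remote access through a VPN.")
        elif n_att >= observe_attempts:                       # noisy but low risk: record it
            category = "Observation"
            text = (f"{n_att} failed remote logons to {host} ({ip}) from {n_src} source(s) since "
                    f"{start:%H:%M}; likely a misconfigured client or forgotten password.")
        else:
            continue                                          # below any threshold: no ARO at all
        aros.append({"category": category, "host": host, "ip": ip,
                     "sources": n_src, "attempts": n_att, "text": text})
    return aros

if __name__ == "__main__":
    evs = constructed_events()
    print(f"{len(raw_alerts(evs))} raw alerts collapse into {len(build_aros(evs))} AROs")
    for aro in build_aros(evs):
        print(f"[{aro['category']}] {aro['text']}")
```

The thresholds are placeholders; in practice they would be tuned per environment and the Action Required text would carry the host-specific firewall and VPN steps.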
Our AROs are generated using automated analytics and other analysis technologies. Before Covalence sends AROs to customers, these are reviewed by our team of cybersecurity analysts. Additionally, our analysts are consistently improving upon the detection depth and actionable information provided in the AROs. This results in targeted analysis that enables IT to quickly understand and take the right action, as well as a significantly lower volume of “alerts” (AROs) in a given month.
Each ARO has context that is easy for even non-IT team members to understand, along with specific recommendations that can be implemented to improve the security health of your network.
What are Field Effect Software AROs?
- Action Required: compromised accounts, compromised systems, or systems in imminent danger of being compromised are assigned a ‘required action.’
- Recommendation: important but non-urgent changes proposed for the network to avoid a potential security threat or issue.
- Observation: lower-priority information about security-related events identified by our Field Effect Software experts and analysts, or provided to clarify events that could have security implications.
Focus on the issues that matter
Through the intelligence of our Covalence platform and our ARO process, you can prioritize your day and focus on the issues that truly matter.
Do you have questions about monitoring and alerting? Or the best cyber security strategies for your specific business? We can help. Reach out to us today at firstname.lastname@example.org.
- 25 Percent of InfoSec Professionals’ Time Wasted on False Positives
- SOCs still overwhelmed by alert overload, struggle with false-positives
- False positives still cause threat alert fatigue
- Suffering SOC Saga Continues
- SOC Stress: The Security Threat That Nobody is Talking About