Cover Feature Cyber Security
Reinventing the SOC: Solutions for improving security and curing the alert-fatigue epidemic
By Lionel Snell, Editor, NetEvents

Australian Cyber Security Magazine, page 26

Call it alert fatigue. Call it information overload. Call it mind-killing and soul-destroying. The sheer number of alerts coming into a modern security operations center (SOC) can overwhelm even the most dedicated security analysts. Alerts pour in from many dashboards and security information and event management (SIEM) platforms, some focused on the network, others on endpoints, some on the firewall and outside-facing servers, and others on critical infrastructure. And with the vast majority of alerts being (fortunately) false alarms, it is easy to overlook the real warning signs, which may be subtle indications of malicious reconnaissance or an actual breach.

As SC Magazine’s Greg Masters writes in “Crying wolf: Combatting cybersecurity alert fatigue,” nearly three-quarters of security teams stated they were overwhelmed by the volume of vulnerability maintenance work assigned to them. When security teams were queried about contending with threat alerts, 79% said they were overwhelmed by the volume. And according to Ryan Francis in “False positives still cause threat alert fatigue,” published in CSO, “The Cisco 2017 Security Capabilities Benchmark Study found that, due to various constraints, organizations can investigate only 56 percent of the security alerts they receive on a given day. Half of the investigated alerts (28 percent) are deemed legitimate; less than half (46 percent) of legitimate alerts are remediated. In addition, 44 percent of security operations managers see more than 5000 security alerts per day.”

What can you do? What must you do? Reinvent the SOC. Business as usual simply can’t cut it.

Fortunately, there are companies working on this very challenge. Cylance pioneered the application of artificial intelligence (AI), algorithmic science, and machine learning to prevent the most sophisticated security threats. Demisto’s security operations platform combines security orchestration and incident management with machine learning from analyst activities and interactive investigation. JASK too applies enhanced AI and machine learning to automate the correlation and analysis of threat alerts. Other companies, like CA Technologies, have specialist departments addressing these issues. CA’s SVP Central Software Group, Dr Vinod Peris, points out that data has typically been something to look back on with hindsight: “What we are doing with AI is to be more predictive. We're looking not just at what you've missed as red flags, but alerting you to what you're likely to miss.” In the case of card payment security, they use behavioural analytics to assess the gap between the transaction and expected behaviour and warn the bank.
People first

Neither Demisto nor JASK makes alert fatigue their starting