Although it was written more than 2,000 years ago, Aesop’s fable of the boy who cried wolf serves as a cautionary tale for the modern information security professional. When security alerts become too frequent, people will eventually stop paying attention. Ultimately, that creates an opening for cyber wolves.
Modern threat protection solutions generate overwhelming numbers of security alerts. IDC researchers say enterprise security systems can generate more than 10,000 alerts per month, with more than half of them false alarms. Nearly three-quarters of Chief Information Security Officers (CISOs) say this is creating “alert fatigue” which leads their teams to wait weeks or months to investigate triggered alerts — if they decide to investigate at all.
This creates a dangerous dilemma for IT managers. Although they are responsible for identifying and mitigating threats, they run the risk of desensitizing everyone if they treat every alert as a legitimate threat. Yet if they fail to sound the alarm, it could result in catastrophe.
In many cases, a managed security service provider (MSSP) can help provide some balance. Here are a few ways in which MSSPs can help IT managers improve their security posture, reduce the in-house security workload and limit the negative effects of alert fatigue.
Managed SIEM. Security information and event management (SIEM) solutions use rules-based correlation to identify suspicious activity or security events, but they can be difficult to configure and manage. With managed SIEM, a provider with specific expertise in these tools can design and deploy a hosted solution. Most importantly, an experienced MSSP can dramatically reduce false positives by tuning the rules so that known-benign alert types are suppressed. When alerts are generated, the MSSP will closely examine the underlying data to determine whether it is a true security incident or simply a rules configuration anomaly.
Managed Firewall. Organizations commonly use firewalls to block malicious traffic but they require ongoing configuration and adjustment. An MSSP reduces the burden by providing updates, tuning and around-the-clock monitoring by experts with specific expertise in firewall configuration and policy development. The provider will review and analyze logs and events and provide regular reports about firewall performance, active users and traffic patterns. Any potentially threatening trends will generate immediate alerts.
Patch Management. Best-in-class MSSPs provide proactive patch management services that can prevent attacks against known vulnerabilities and ensure that systems are better protected. It has been estimated that a well-executed patch management strategy can mitigate up to 90 percent of all security issues. Remote monitoring can also identify which versions of which software are installed. An accurate inventory further streamlines patch management by helping you identify which patches need to be installed.
Managed IDS / IPS. Improperly tuned intrusion detection systems (IDS) and intrusion prevention systems (IPS) often misinterpret normal network activity and produce false alarms. An MSSP will have expertise in various detection techniques that can reduce false alarms. For example, the provider might employ a combination of signature-based, protocol-based and anomaly-based detection techniques to fine-tune the IDS / IPS solution. Additionally, a provider will offer ongoing monitoring and management.
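The managed SIEM and managed IDS / IPS sections above both come down to the same two steps: run several families of detectors over events, then tune what they emit so the analyst only sees what deserves attention. The following is an added example, not Verteks' code or any vendor's product logic, that shows a toy rules-based engine with signature-, protocol- and anomaly-based detectors followed by the tuning step (suppressions scoped to one rule and one source, plus de-duplication). Every event, host address, rule id, baseline value and the suppression ticket reference are constructed for illustration.

```python
"""Added example, not Verteks' or any vendor's code: a toy rules-based alert
engine of the kind a SIEM or IDS runs, combining signature-, protocol- and
anomaly-based detectors, followed by the tuning step (scoped suppressions and
de-duplication) that cuts the volume an analyst actually sees. All events,
rule ids, hosts and baselines are constructed for illustration."""
from dataclasses import dataclass

# Constructed events, normalised the way a SIEM would ingest them.
EVENTS = [
    {"src": "10.0.0.5", "dport": 443, "proto": "tls", "bytes": 1200, "uri": "/"},
    {"src": "10.0.0.5", "dport": 443, "proto": "tls", "bytes": 1300, "uri": "/"},
    {"src": "10.0.0.7", "dport": 80, "proto": "http", "bytes": 900, "uri": "/index.html"},
    {"src": "10.0.0.7", "dport": 80, "proto": "http", "bytes": 950, "uri": "/index.html"},
    # Authorised internal vulnerability scanner: trips the traversal signature daily.
    {"src": "10.0.9.9", "dport": 80, "proto": "http", "bytes": 700, "uri": "/cgi-bin/../../etc/passwd"},
    {"src": "10.0.9.9", "dport": 80, "proto": "http", "bytes": 700, "uri": "/cgi-bin/../../etc/passwd"},
    # Protocol/port mismatch: an SSH handshake seen on the HTTPS port.
    {"src": "10.0.0.12", "dport": 443, "proto": "ssh", "bytes": 800, "uri": ""},
    # One host moving far more data than its usual volume.
    {"src": "10.0.0.5", "dport": 443, "proto": "tls", "bytes": 90000, "uri": "/"},
]

# Per-host byte-volume baseline (mean, stdev) learned from recent history; constructed values.
BASELINE = {"10.0.0.5": (1200, 150), "10.0.0.7": (900, 100),
            "10.0.9.9": (700, 50), "10.0.0.12": (800, 100)}

SIGNATURES = {"SIG-TRAVERSAL": "../"}            # constructed rule id -> substring to match
EXPECTED_PROTO = {22: "ssh", 80: "http", 443: "tls"}  # what each port should carry


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    detail: str


def detect(event, baseline=BASELINE):
    """Run the three detector families over one event and return raw alerts."""
    alerts = []
    for rule, needle in SIGNATURES.items():              # signature-based
        if needle in event["uri"]:
            alerts.append(Alert(rule, event["src"], event["uri"]))
    expected = EXPECTED_PROTO.get(event["dport"])         # protocol-based
    if expected and event["proto"] != expected:
        alerts.append(Alert("PROTO-MISMATCH", event["src"],
                            f"{event['proto']} on port {event['dport']}"))
    if event["src"] in baseline:                          # anomaly-based
        mu, sigma = baseline[event["src"]]
        if event["bytes"] > mu + 3 * sigma:
            alerts.append(Alert("VOLUME-ANOMALY", event["src"], f"{event['bytes']} bytes"))
    return alerts


def raw_alerts(events=EVENTS):
    """Untuned output: every alert every detector produced."""
    return [a for e in events for a in detect(e)]


# Tuning decisions recorded after an analyst reviews the raw alerts. Each
# suppression is scoped to one rule AND one source and carries a reason, so
# the signature keeps firing for every other host.
SUPPRESSIONS = [
    {"rule": "SIG-TRAVERSAL", "src": "10.0.9.9",
     "reason": "authorised internal scanner, change ticket <PLACEHOLDER>"},
]


def tune(alerts, suppressions=SUPPRESSIONS):
    """Drop suppressed alerts, then collapse repeats of the same (rule, src).

    Returns (alerts_for_analyst, suppressed_count, duplicate_count)."""
    kept, seen, suppressed, duplicates = [], set(), 0, 0
    for a in alerts:
        if any(s["rule"] == a.rule and s["src"] == a.src for s in suppressions):
            suppressed += 1
            continue
        key = (a.rule, a.src)
        if key in seen:
            duplicates += 1
            continue
        seen.add(key)
        kept.append(a)
    return kept, suppressed, duplicates


if __name__ == "__main__":
    raw = raw_alerts()
    kept, suppressed, duplicates = tune(raw)
    print(f"raw alerts: {len(raw)}, suppressed: {suppressed}, "
          f"duplicates: {duplicates}, sent to analyst: {len(kept)}")
    for a in kept:
        print(f"  {a.rule:16} {a.src:10} {a.detail}")
```

Running the script shows four raw alerts reduced to two for the analyst: the scanner's two signature hits are suppressed by a documented, source-scoped exception, while the protocol mismatch and the volume anomaly still surface. The scoping matters: a rule-wide suppression would also silence a genuine traversal attempt from any other host, which is the kind of tuning mistake that turns "fewer alerts" into a blind spot. A production SIEM would additionally de-duplicate only within a time window and expire suppressions on a review date, so that a tuning decision made for one scanner does not outlive the reason it was made.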
Although organizations can take advantage of a growing array of sophisticated security tools, an overabundance of alerts can actually hinder security efforts. Contact Verteks to discuss how our managed security services can help keep the wolves at bay.