Today's threat landscape is already expansive and continues to grow. In the workplace, end users have not only their work devices but also the personal devices they bring in. Couple this with the emergence and adoption of Internet-connected devices and you get a massive attack surface for bad actors to exploit, and a clear need for proactive risk management. With so many ways into a company's network, the result is one of the biggest problems in network security: the deluge of alerts a company has to deal with every day, which can only be tackled through proactive risk management.
Indeed, according to a 2014 IDC survey conducted on behalf of FireEye, more than a third of U.S. companies said they received 50,000 alerts each month; 37% reported they dealt with more than 10,000 alerts per month.
Those numbers are staggering. Imagine, as a security specialist, having to deal with not only the alerts being generated, but your other duties as well. What's more, most security personnel have many responsibilities, which means they might not be able to react to security alerts as quickly as needed, leading to slower response times when critical breaches actually occur.
Not seeing an alert, or not being able to respond to it in a timely manner, can have dire consequences if proactive risk management isn't part of your network security strategy. Using the Target breach as an example, after more than 40 million credit card numbers were stolen, it took the Department of Justice to notify Target that the breach had taken place. When Target went back and looked, it realized alerts had been triggered days before the hackers actually removed the data.
Why do companies miss alerts like this?
How a company approaches proactive risk management and staffs its security organization is a core reason why companies miss alerts. There are many cases where security specialists are too overtaxed with other duties to respond to alerts in a timely manner. Research indicates that 75% of companies take up to five hours before they can respond to a critical alert; 60% take six to 12 hours before they can react to a moderate alert, and 30% take more than a day for low-level notifications. Couple that with the fact that more than half of those alerts are false positives and redundant alerts, and you have a massive amount of data to pore through.
Another part of the problem can be traced back to a company not trusting its security framework. If a company doesn't fully, or accurately, exploit all the features offered within its security application, then the product can't do its job. Why spend money on these products if you're not going to use them the way they were designed to be used?
What can you do about it?
There are some steps you can take to deal with the alerts you do get, and to reduce their amount to manageable levels. Options include hiring more staff or re-tasking existing staff to just handle alerts. After all, the quicker you can respond to critical alerts, the sooner you can get someone to analyze the threat and determine if they're valid. In cases of valid threats, remediation occurs earlier and a forensic analysis can determine the root cause.
You can also benefit by consolidating your security applications and systems. While having a wide range of vendor options is usually a good thing, in this case, using a single supplier is advantageous. That's because many security vendors have built ecosystems that offer a portfolio of analytics, alerts and management options. As a result, folding your security infrastructure into one package can be highly beneficial. FireEye, Palo Alto and Cisco are among vendors that offer highly rated products in this market.
If you don't want to completely replace your existing infrastructure, evaluate the deployment of a security information and event management (SIEM) application. These tools offer a holistic view of your security infrastructure and provide threat intelligence, real-time monitoring, application monitoring, behavior profiling, analytics, log management and reporting. This all-in-one view of your security infrastructure offers some of the best ways to reduce your alerts. A SIEM product can also perform a lot of the analysis before your specialists even begin to review events. There will always be a place for the human element, but used correctly, some of these products can even stop an attack as it is taking place. SIEM vendors to consider include IBM and its Security QRadar, LogRhythm, Splunk, and Hewlett Packard Enterprise's ArcSight.
Another option is to outsource your security monitoring. Companies like AT&T and Alert Logic, among others, offer managed services and they will actively monitor your security for you. They manage alerts and the analysis of those alerts, and will notify you of any potential problems.
Finally, constantly review the configurations of your security tools and fine-tune them to reduce the number of alerts you receive. Decreasing the number of alerts will save your company time and free up your specialists to focus on the valid threats and on integrating a proactive risk management policy.
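The tuning described above, reduced to its core, is three operations on an alert stream: suppress known false positives, collapse redundant repeats of the same alert, and order what is left so critical alerts reach a specialist first. The following script is an added example, not code from the article or from any of the vendors it names; the alert records, the suppression rule (an authorized vulnerability scanner at 10.0.0.5) and the five-minute collapse window are all constructed.

```python
"""Alert triage: drop known false positives, collapse redundant alerts and
queue the rest by severity. Added example; sample data is constructed."""
from collections import OrderedDict
from datetime import datetime, timedelta

SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3}

# Constructed: (rule, source) pairs an authorized scanner is known to trigger.
SUPPRESS = {("port-scan", "10.0.0.5")}

# Constructed sample stream: (timestamp, rule, source, destination, severity).
SAMPLE_ALERTS = [
    ("2024-01-01T09:00:00", "port-scan", "10.0.0.5", "10.0.1.20", "low"),
    ("2024-01-01T09:00:05", "malware-beacon", "10.0.1.7", "198.51.100.9", "critical"),
    ("2024-01-01T09:00:09", "malware-beacon", "10.0.1.7", "198.51.100.9", "critical"),
    ("2024-01-01T09:01:00", "brute-force", "203.0.113.4", "10.0.1.2", "moderate"),
    ("2024-01-01T09:30:00", "malware-beacon", "10.0.1.7", "198.51.100.9", "critical"),
    ("2024-01-01T09:31:00", "port-scan", "10.0.0.5", "10.0.1.21", "low"),
]

def triage(alerts, window=timedelta(minutes=5)):
    """Return (suppressed_count, queue). Each queue entry is one group of
    identical (rule, src, dst) alerts that began within `window` of each other,
    with a `count` of how many raw alerts it absorbed; most severe first."""
    suppressed = 0
    groups = OrderedDict()  # (rule, src, dst) -> list of groups in time order
    for ts, rule, src, dst, sev in alerts:
        if (rule, src) in SUPPRESS:
            suppressed += 1
            continue
        t = datetime.fromisoformat(ts)
        bucket = groups.setdefault((rule, src, dst), [])
        # Redundant alert: fold into the latest group if it opened within the window.
        if bucket and t - bucket[-1]["first"] <= window:
            bucket[-1]["count"] += 1
            bucket[-1]["last"] = t
        else:
            bucket.append({"rule": rule, "src": src, "dst": dst, "severity": sev,
                           "first": t, "last": t, "count": 1})
    queue = [g for b in groups.values() for g in b]
    queue.sort(key=lambda g: (SEVERITY_RANK[g["severity"]], g["first"]))
    return suppressed, queue

if __name__ == "__main__":
    dropped, queue = triage(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts, {dropped} suppressed, {len(queue)} to review")
    for g in queue:
        print(f"{g['severity']:<9}{g['rule']:<16}{g['src']} -> {g['dst']}  x{g['count']}")
```

On the constructed stream, six raw alerts become three queue entries: the two scanner alerts are suppressed, and the first two beacon alerts collapse into one entry while the beacon half an hour later stays separate because it falls outside the window.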