The SIEM That Cried Wolf

Find the one alert that matters

Imagine an alarm sounding every second, 24 hours a day, 7 days a week, all year long. That’s the reality IT security teams around the world face with their cyber security tools. Today’s cyber defenses generate a cacophony of security alerts, some of which might be useful, and most of which are not—and telling the difference isn’t always easy.

Learn More

For more than a decade, SIEM tools have been the mainstay of security operations teams. By aggregating and centralizing data from across a corporate IT enterprise, SIEM tools allow security teams to see everything—from audit compliance to lateral attacker movement—in a single pane of glass. In this sense, SIEM products do the job they were designed to do.

But with their emphasis on alert centralization, legacy SIEM tools have outgrown their usefulness. They’ve inundated security teams with alerts, and many teams receive more than 10,000 alerts per day [1]. To handle the volume, the majority of security teams deploy their security tools in monitor mode, rather than automatically blocking threats as they are detected.

Organizations must get a handle on the out-of-control volume of trivial alerts if they want to have any hope of providing truly effective security. They must invest in solutions that reduce false positives and instead, make a distinction between everyday malware and advanced, targeted attacks.

A [2014] first-of-its-kind study of more than 1,600 real-world security deployments across 63 countries and every major industry found that 97 percent of systems had been breached [2]. The tools used in these deployments generated a flow of alerts—tens of thousands per day in some cases—but those alerts couldn’t reveal which threats the tools were missing.

Global Percentage

One of the cruel ironies in cyber security is that as the number of alerts grows, so do the chances that truly critical alerts will fall through the cracks. Security teams view a new alert as a nuisance rather than a warning. So how do security teams decide which alerts warrant their attention? The answer isn’t as simple as it might seem.

Signature and reputation-based defenses fail to catch the majority of advanced attacks, and file-based sandbox technology does not correlate interrelated events. If a security team cannot detect these well-orchestrated attacks, they can’t filter out trivial alerts and they can’t consolidate multiple alerts stemming from a single threat.

Advanced Attacks

Today’s advanced attacks usually play out over multiple steps. They can also arrive in multiple flows: disparate pieces of code are downloaded from multiple IP addresses and as different file types. When all the pieces are in place, they combine to form a malicious executable file.

Many alerts fail to provide enough context to allow security teams to understand who the attacker is, how that attacker usually operates and what the attacker is after. Context about both the attack and the attacker is crucial. Without it, security teams don’t know which assets they need to fortify and they don’t know the full extent of a compromise.

The solution lies in a single, automated security operations platform that centralizes security data and infrastructure, integrating disparate security tools to deliver complete visibility across an environment into threats and vulnerabilities. This type of solution allows organizations to take control of incidents from alert to fix. It allows them to manage cases and investigative workflows, as well automatically triage responses to ongoing attacks.

At the end of the day, the measure of a security tool isn’t the volume of alerts it sends. Security analysts need validated, context-laden alerts that actively advance their security efforts, and organizations need solutions that work with their existing investments.

Pie Charts

According to the Ponemon Institute, 29 percent of malware alerts are investigated while 40 percent are considered false positive. On top of this, just over a third of all organizations judge their response rate as effective.[3]

  1. [1] John E. Dunn (May 14, 2014). Average US business fields 10,000 security alerts per day, Damballa analysis finds.
  2. [2] FireEye (May 2014). Cybersecurity’s Maginot Line: A Real-World Assessment of the Defense-in-Depth Model.
  3. [3] Ponemon Institute (March 18, 2016). The State of Malware Detection and Prevention.

Download The SIEM That Cried Wolf white paper