Alert Overload - How to Fix Threat Intelligence
Some people in today’s security community take the position that threat intelligence is broken - causing nearly as many problems as it solves. While this may be an extreme position, one thing is sure - today’s noisy threat intelligence does generate Alert Overload. Threat Intel platforms have become victims of their own success. A quick Google search will turn up pages of articles and posts about it. So if your SOC team is feeling burnt out, you’re not alone.
According to a 2019 article on the popular Security Boulevard blog, security leaders ranked Alert Overload as one of their top 3 SOC challenges - along with lack of automation and lack of integration. The article went on to cite a study carried out by Fidelis Cybersecurity in which 67% of CISOs, CIOs, and CTOs agreed that Alert Overload was one of the top issues facing their team.
Facing the Alert Cannon
Today’s high-performance threat intelligence systems generate a lot of alerts. That’s a sign they are working and detecting lots of threats. But because these alerts represent real-time attacks, there is minimal time to analyze and triage them. That’s where the vivid term “Alert Cannon” comes from. The barrage of alerts faced by your SOC team buries them in a stream of urgent alerts that no one has the time to evaluate. This increases the risk of acting on false positives, or of a compromise caused by a mishandled alert. Facing the Alert Cannon every day can also create a demoralizing environment for your SOC team, where they live in a constant state of emergency - which can lead to burnout and churn.
Throwing People at the Problem
What’s the most common response to alert overload? Typically, organizations hire more analysts or turn off noisy alerting features. The first response is expensive and the second one risky. But an article on the Help Net Security site explains that according to 2019 research by Critical Start, 38% of respondents chose one or both of those options.
The Answer - Curation and Automation
The answer to Alert Overload isn’t that your organization should adapt to it. The answer is that threat intelligence has to improve. Platforms have to offer more transparency and context in their alerts and add enough intelligence to provide some pre-analysis and curation. They also need to improve integration with security systems in order to facilitate enforcement automation. But given how conventional threat intelligence platforms (TIPs) work, these two recommendations are not easy fixes.
Prediction is the Road to Prevention
But there is a solution. By radically switching the threat intelligence model from a reactive mode to a predictive and preventative model, we can almost completely eliminate alert overload. With advances in artificial intelligence and machine learning, it’s now possible to model cybercriminal behavior and predict where future attacks will come from. Having that head start means threat intelligence can be curated into manageable and actionable reports with enough lead time for SOC teams to act on them. Even more to the point, if accuracy is high enough and the false-positive rate low enough, then advance threat intel can be fed to firewalls, web proxies, and other endpoints for automated enforcement. Automating enforcement takes even more pressure off the SOC team.
But Does Predictive Intelligence Actually Work?
Since launching our Augur Predictive Threat Intelligence Platform 3 years ago, we’ve been crunching the numbers, and the answer is yes, it does, when done correctly. On average, Augur is able to predict the source of attacks 51 days ahead of any launch. Those predictions are 97% accurate and, more importantly, they have an incredibly low false-positive rate of 0.01%. So Augur clients are warned early via highly actionable, curated threat intelligence reports that eliminate alert overload. And where clients choose to integrate Augur with their security endpoints, they can also dramatically streamline SOC workflow.
Adopting a predictive model of threat intelligence takes away the cybercriminals’ biggest advantage: surprise. By eliminating Alert Overload and allowing your SOC team to prepare for coming attacks, you lower risk. And if your predictive system also has enforcement automation, you can lower overall costs by streamlining threat hunting and response.