Recent surveys of analysts and security teams point to a common culprit behind the industry’s greatest challenges– alert fatigue.
Medical professionals have known for years that automated alert systems can have a contrary effect on safety and introduce risk when they normalize the state of being alert. In over-sensitive systems, alerts blend into the background noise causing doctors and nurses to ignore or overlook real medical emergencies. By the same dynamics, alert fatigue has become endemic to the world of network security operations.
● The average security team spends 70% of their time manually processing an inflow of more than 11,000 events and alerts per day.
● Only a quarter – 23.2% – of these 11,000 alerts contain real threats.
● This flood of alerts enters the system on an average of 6.8 different intelligence feeds, making integrated big picture assessments practically impossible.
In effect, security teams now spend more than half their time chasing their own tails, radically increasing the chance real threats go unnoticed. These numbers will likely only worsen in the immediate future. Owing to the emergence of ‘malware-as-a-service’ markets and powerful open-source frameworks, sophisticated attacks with the potential to cause real damage are now easier to execute and cheaper to acquire. Network defenders will find themselves pitting manual triage against increasingly automated processes. It’s an inherently rigged game that can’t be won by simply trying to play better and faster according to the same rules.
Decoding the White Noise of Alerts
According to the survey referenced above, a growing number of security teams – about one in three – already regularly ignore a sizable percent of the alerts they receive, and they accept the risk this introduces as operational costs. With attacks increasing both in number and sophistication, the stakes of this game will only go higher. Getting control will require changing the paradigm altogether.
Spyderbat’s Attack Tracing and Intercept (ATI) platform takes on this challenge and gives security teams a decisive force multiplier to eliminate alert static and focus the work of human users on credible threats.
Investigating threats involves manually establishing the causal connections between events recorded in logs across different systems and sometimes spanning months of time. Investigators must first triage alerts and then resolve them one at a time. In effect, they wander in a hedgerow maze. They don’t need to run faster– they need a ladder to climb up to an elevated perspective.
1. Universal Trace
Most intrusion detection systems (IDS) and endpoint detection and response (EDR) solutions begin recording data only after suspicious activity trips a warning, leaving investigators an incomplete scattering of frames with which to reconstruct complex narratives. In contrast, Spyderbat maintains a universal trace of the totality of system calls for Linux environments.
2. Stream Processing
Spyderbat projects all trace data into a process stream that renders causal relationships immediately identifiable within the Spyderbat console. Instead of reporting each suspicious activity as an individual alert, Spyderbat ties suspicious activities together even if seperated by multiple benign activities, across systems, different users, or even long periods of time. The entire trace is continually scored as new causal activity occurs, providing a real understanding of true threats. False positives are easily recognized by individual activities with no causal outcomes, where true attacks have depth and include multiple suspicious activities. Security teams use Spyderbat to track events as they happen, dismissing the lion’s share of false positives.
Overhead Operational Awareness
ATI changes the game for alert fatigue, pulling your teams out of the maze of log tracing and giving them live visibility into all systems. To experience fully hoisted operational awareness, download Spyderbat’s free Attack Tracing and Intercept Community Edition.