BreachExchange mailing list archives

Reining in out-of-control security alerts


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 15 May 2014 18:05:01 -0600

http://www.networkworld.com/news/2014/051514-reining-in-out-of-control-security-281619.html?source=nww_rss

Enterprises unable to process the flood of alerts received each day from
security systems have several options available to regain control and
improve network defenses, experts say.

The average North American enterprise has to contend with 10,000 alerts a
day, with the noisiest networks generating an overwhelming 150,000 alerts,
according to a recent study by security vendor Damballa. The numbers come
from an analysis of traffic from Internet service providers and enterprises.

Software or appliances that fall under the product category of security
information and event management (SIEM) generate most of the alerts
triggered by anomalies detected in hardware and software on the corporate
network.

To contend with the alert flood, enterprises have the option of moving to a
different model for detecting malware or learning to make better use of the
SIEM systems they have, experts said Wednesday.

Matthew Neely, director of strategy initiatives for consulting firm
SecureState, advises companies to do the latter to avoid the expense of
ripping and replacing technology.

"I'm a bigger fan of having (clients) make good use of the technology they
have," he said. "Once they are making good use of that, then look at
whether there are other technologies that can be brought in to give them a
better view."

In using SIEM systems, enterprises often place too much trust in the
default settings, Jason Wood, principal consultant for Secure Ideas, said.

"Some organizations purchase a device with the hope that it will somehow
make sense of their environment and magically only tell them what they need
to know," Wood said. "The problem is that the products can't do that
automatically and need someone working with the system to make it useful."

Wood advises setting aside time each day to review security and log data,
determine the data and events that are normal in the network and then
configure the system to only alert on abnormalities.

"By training systems in the environment, we can get better automatic
responses to events," Wood said. "We can focus on what's actually important
and meaningful to the organization."

Neely is a fan of identifying where sensitive data is stored and then
focusing monitors only on those systems to reduce noise.

"Additionally, we recommend companies take this a step further and move
these critical systems into protected networks," he said. "These networks
should have higher levels of protection and should also be where their
monitoring is focused."

For companies ready for something other than traditional SIEM systems,
Chris Morales, a research director at NSS Labs, recommends looking at
technology that monitors outbound traffic, which produces fewer alerts.

SIEM systems will collect information from anti-virus software, firewalls,
intrusion detection systems and other technologies focused on inbound
traffic.

Vendors such as Damballa, FireEye, Lastline and General Dynamics Fidelis
Cybersecurity Solutions apply intelligence to outbound traffic to spot
possible malware in the network.

"I call the posture assumed breach," Morales said. "Instead of trying to
stop breaches, I try to stop data loss."

In general, the technology checks the IP addresses where data is heading
and compares them to a continuously updated blacklist of known addresses
used by cybercriminals.
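The two ideas above, baselining what is normal before alerting (Wood) and checking outbound destinations against a blocklist (Morales), as an added Python example; this is not code from the article or from any vendor named in it, and the log lines, host names and blocklist entries are all constructed.

```python
from collections import Counter

# Constructed outbound-connection log lines: "<timestamp> <src_host> -> <dst_ip>:<port>".
# BASELINE_LOG stands in for the review period in which an analyst learns what is normal.
BASELINE_LOG = """2014-05-12T09:00 ws-17 -> 203.0.113.10:443
2014-05-12T09:01 ws-17 -> 198.51.100.25:443
2014-05-12T09:02 db-01 -> 203.0.113.10:443
2014-05-12T10:00 ws-17 -> 203.0.113.10:443
2014-05-12T11:00 ws-23 -> 198.51.100.25:80
"""

# Constructed traffic from a later day, to be triaged against the baseline.
NEW_LOG = """2014-05-15T09:00 ws-17 -> 203.0.113.10:443
2014-05-15T09:05 ws-17 -> 198.51.100.25:443
2014-05-15T09:07 db-01 -> 192.0.2.99:4444
2014-05-15T09:09 ws-23 -> 198.51.100.25:80
2014-05-15T09:10 ws-23 -> 203.0.113.77:443
"""

# Constructed stand-ins for a vendor-maintained destination blocklist and for the
# systems holding sensitive data that Neely recommends monitoring most closely.
BLOCKLIST = {"192.0.2.99"}
CRITICAL_HOSTS = {"db-01"}

def parse(log):
    """Yield (timestamp, src_host, dst_ip, dst_port) for each log line."""
    for line in log.splitlines():
        ts, src, _arrow, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        yield ts, src, ip, int(port)

def build_baseline(log):
    """Learn which (host, destination) pairs occur during the review period."""
    return Counter((src, ip) for _, src, ip, _ in parse(log))

def triage(log, baseline):
    """Return (raw_event_count, alerts): every line is a raw event, but only
    blocklisted or previously unseen destinations become alerts."""
    alerts, raw = [], 0
    for ts, src, ip, _port in parse(log):
        raw += 1
        if ip in BLOCKLIST:
            alerts.append((ts, src, ip, "blocklisted destination"))
        elif (src, ip) not in baseline:
            label = "new destination from critical host" if src in CRITICAL_HOSTS else "new destination"
            alerts.append((ts, src, ip, label))
    return raw, alerts
```

On the constructed input, five raw events reduce to two alerts: the connection to the blocklisted address and one destination never seen during the baseline period.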

The technology can also analyze packets to determine whether they contain
characteristics indicative of malware.

Currently, these types of systems require a combination of hardware and
management services provided by the vendor, Morales said.

As the technology matures, he expects more automation and less of a need
for outside services.

"Right now, there's too much manual processing (of data)," Morales said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/