Well, as the political conflict in Ukraine continues, the number of news headlines about possible huge cyberattacks against the United States is also growing. But to the best of my knowledge, nothing has happened yet, and if it has, it has been in the usual amounts, like last year. But that does not mean that something big won’t happen, and we have to keep our guard up.
We should never fall into the thinking that because it has never happened to us, it never will. Unfortunately, that is still the line of thinking that most businesses take today, which puts them at far greater risk than those that are trying to be proactive.
Despite all of the latest tools and gadgets that we have out there, we are still dependent upon the human element, which is essentially the IT Security teams in Corporate America. As of now, they are totally taxed and overburdened, and believe it or not, it is not from fighting off the threat variants.
Rather, it is from all of the alerts and warnings that they have to filter through, and at the end of the day, the bulk of them are simply false positives.
Because of this, the real warnings and alerts often get overlooked, and these are the ones that need to be paid attention to. Just trying to keep up with all of this has now become infamously known as “Alert Fatigue”, and it is something that is only going to get worse.
But there are ways of controlling and leveling off the sheer amount of warnings and alerts that do come through. Here are some tips that perhaps you could use for your business:
1) Turn off those systems:
While in theory every alert and warning merits attention, in practice this is simply not the case. Therefore, you and your IT Security team should carefully conduct an audit of those systems (such as firewalls, network intrusion devices, routers, etc.) in an effort to determine which of them is producing the highest number of false positives. Once you have determined where the spikes are, then simply turn off those devices for a brief period of time. Or, as an alternative, you can also set up special filters and rules to reduce the total amount of false positives that are coming through from them.
2) Establish a prioritization scheme:
If the first step has been successful, then you should be receiving fewer false positives, and the bulk of what comes in should now be the real ones. The question that then gets asked, bluntly, is: What do we do next? Well, the knee-jerk reaction would be to act on each one immediately. But unfortunately, that is not always possible, as there will be many other alerts and warnings that will need your full attention as well. So in this case, you need to set up some sort of triaging system that will let you prioritize which of those alerts and warnings need immediate attention. For example, those messages that relate to your mission critical operations should get the first and most immediate attention. But if you think about it, this is also a function of the Risk Assessment that you should have done prior to this. Although the primary objective of a Risk Assessment is to determine what controls need to go where, it is also your opportunity to determine where your most vulnerable digital assets lie. This, in turn, can then be used to set up your prioritization system for the real warnings and alarms that are coming through.
3) Take a layered approach:
Today, many businesses are getting rid of what is known as “Perimeter Security”. This simply means that there is a huge circle of defense encircling the business, protecting you from the external threats. But what about the internal ones? That is the huge problem with this kind of thinking. As a result, many entities are now adopting what is known as the “Zero Trust Framework”, where nobody is trusted whatsoever. Your IT and Network Infrastructures are broken down into smaller segments, and each of them has its own layers of authentication that an end user must go through before they can be granted access to the shared resources. You can also use this same line of thinking to help triage those real warnings. For example, along with the prioritization scheme, you should also include some sort of labeling structure, to help your IT Security team keep better track of things. A possible one could look something like this:
*Impacts coming from the Physical Layer: This would include main access points, doors, and even other sensitive areas in your business where direct contact is required.
*Impacts coming from Technical Controls: This would include primarily all of your network security devices.
*Impacts coming from Administrative Controls: This would include any employee misuse, whether it is intentional or not.
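As an added illustration of steps 1 through 3 (this is not code from the original post), the following Python script runs the audit, the prioritization and the labeling over a handful of constructed alerts; the device names, asset names and criticality scores are assumptions standing in for a real risk assessment.

```python
from collections import Counter

# Constructed sample alerts (not real data): the device that raised the alert,
# the asset it concerns, the control layer from the labeling scheme above, and
# whether an analyst's past review marked it a false positive.
SAMPLE_ALERTS = [
    {"source": "fw-edge-1", "asset": "web-portal", "layer": "technical", "false_positive": True},
    {"source": "fw-edge-1", "asset": "web-portal", "layer": "technical", "false_positive": True},
    {"source": "fw-edge-1", "asset": "payroll-db", "layer": "technical", "false_positive": False},
    {"source": "ids-core", "asset": "payroll-db", "layer": "technical", "false_positive": False},
    {"source": "ids-core", "asset": "guest-wifi", "layer": "technical", "false_positive": True},
    {"source": "badge-ctrl", "asset": "lobby-badge-reader", "layer": "physical", "false_positive": False},
    {"source": "dlp-mail", "asset": "payroll-db", "layer": "administrative", "false_positive": False},
    {"source": "dlp-mail", "asset": "web-portal", "layer": "administrative", "false_positive": True},
]

# Assumed output of the risk assessment: how critical each asset is (3 = highest).
ASSET_CRITICALITY = {"payroll-db": 3, "lobby-badge-reader": 2, "web-portal": 2, "guest-wifi": 1}


def false_positive_rate_by_source(alerts):
    """Step 1: what share of each device's alerts turned out to be false positives."""
    total = Counter(a["source"] for a in alerts)
    fps = Counter(a["source"] for a in alerts if a["false_positive"])
    return {src: fps[src] / total[src] for src in total}


def noisiest_sources(alerts, threshold=0.6):
    """Devices whose false-positive rate is at or above the threshold: these are
    the candidates for tuning filters and rules before anything else."""
    rates = false_positive_rate_by_source(alerts)
    return sorted(src for src, rate in rates.items() if rate >= threshold)


def triage(alerts, criticality):
    """Steps 2 and 3: drop known false positives, rank the rest by the asset's
    criticality (mission critical first) and tag each with its control layer."""
    real = [a for a in alerts if not a["false_positive"]]
    # sorted() is stable, so alerts of equal criticality keep their arrival order.
    ranked = sorted(real, key=lambda a: -criticality.get(a["asset"], 0))
    return [(f'{a["layer"]}/{a["asset"]}', a["source"], criticality.get(a["asset"], 0))
            for a in ranked]


if __name__ == "__main__":
    print("tune first:", noisiest_sources(SAMPLE_ALERTS))
    for label, source, score in triage(SAMPLE_ALERTS, ASSET_CRITICALITY):
        print(f"[{score}] {label:<30} from {source}")
```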
4) Make use of modern stuff:
By this, I mean use the latest and greatest, like AI and ML. These tools have been designed to help you specifically with task automation, especially when it comes to filtering out the false positives. Initially, they will take some time to get set up, because you have to train them on past attack signature profiles so that they know what to look out for. Also, you will need to keep them constantly fed with data, so that they can keep learning what a false positive really is. But equally important is that your IT Security team needs to be able to see everything from a single, holistic point of view. This is where a SIEM can come into play. Although setting up an ML or AI system may sound complicated and expensive, the truth of the matter is that it is not. For example, Microsoft Azure has a great set of tools to create this, and even has a great SIEM as well that you can literally just deploy right out of the box.
My Thoughts On This:
In the end, don’t simply rely upon technology to solve your Alert Fatigue problems. It’s going to take the human element as well. Keep in mind that there will always be a good amount of alerts and warnings that your IT Security team will have to filter through. The goal here is to reduce the workload so that only the authentic messages come through, thus easing the burden to a certain degree.