The Hidden Overhead of Network Security—SIEM Alerts
A rising tide of network threats has created an arms race in security tool accumulation. These tools serve critical protection functions, but the flood of incoming threat traffic they process (automated attacks, scans, and network probes) is causing a tsunami of SIEM alerts and, with it, “alarm fatigue.” According to a Damballa analysis of traffic, the average North American enterprise now fields around 10,000 alerts each day from its security systems, far more than its IT team can possibly process.
And the trend isn’t reversing. Almost all CISOs and CIOs are planning to add detection solutions and devices over the next 12 months. Whatever those tools are (SIEM, network forensics, threat intelligence, or Web application firewalls), they will add to the torrent of security alerts.
SIEM alerts are massively useful, when they are useful. In other words, extensive collections of disjointed log data can rapidly burn through your resources as your team tries to sift through, comprehend, classify, and translate the information into meaningful action.
Each SIEM alert makes security teams:
- Log the event
- Define its scope
- Define if it’s a threat
- Figure out an action and a priority
- Document the action chain
- File the event
While some of this can be automated, you still need “eyes on target” to verify whether your network is under attack. The Target breach is a great example. They had SIEM alert information around the problem, but failed to act on it. Why? Most likely because, in a flood of SIEM alert traffic, it was filed under “unimportant.”
Any way to filter out traffic that is either known to be good or known to be bad, and therefore doesn’t need to go through inline security screening, reduces the load on your security staff. With a smaller set of events to examine, your security resources can focus on a much tighter band of information and not get distracted by non-threatening (or obviously threatening) noise.
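To make the filtering idea concrete, here is an added example (not code from the original post or from any vendor product) of a pre-filter that runs ahead of the analyst queue: alerts whose source matches a known-good list (an authorized internal scanner) or a known-bad blocklist are auto-dispositioned and logged, duplicates of the remaining alerts are collapsed, and only the genuinely unknown events reach a human. The alert fields, the address ranges and the sample alerts are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample SIEM alerts; the field names are an assumption, not a real export format.
SAMPLE_ALERTS = [
    {"src": "10.0.5.20", "sig": "PORT_SCAN", "dst": "10.0.1.4"},
    {"src": "10.0.5.20", "sig": "PORT_SCAN", "dst": "10.0.1.5"},
    {"src": "203.0.113.77", "sig": "SSH_BRUTE", "dst": "10.0.1.9"},
    {"src": "198.51.100.9", "sig": "HTTP_SQLI", "dst": "10.0.1.12"},
    {"src": "198.51.100.9", "sig": "HTTP_SQLI", "dst": "10.0.1.12"},
    {"src": "192.0.2.33", "sig": "WEB_PROBE", "dst": "10.0.1.12"},
]

# Constructed lists: an internal vulnerability-scanner subnet (known good) and
# ranges taken from a blocklist feed (known bad). Both need periodic review.
KNOWN_GOOD = [ipaddress.ip_network("10.0.5.0/24")]
KNOWN_BAD = [ipaddress.ip_network("203.0.113.0/24"),
             ipaddress.ip_network("198.51.100.0/24")]


def classify(src):
    """Map a source address to known_good / known_bad / unknown."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in KNOWN_GOOD):
        return "known_good"
    if any(ip in net for net in KNOWN_BAD):
        return "known_bad"
    return "unknown"


def prefilter(alerts):
    """Split alerts into (analyst queue, auto-dispositioned log, summary counts)."""
    queue, auto, seen = [], [], set()
    counts = Counter()
    for alert in alerts:
        verdict = classify(alert["src"])
        counts[verdict] += 1
        if verdict == "known_good":
            auto.append({**alert, "disposition": "suppressed", "reason": "authorized scanner"})
        elif verdict == "known_bad":
            auto.append({**alert, "disposition": "blocked", "reason": "blocklist match"})
        else:
            # Collapse repeats of the same (source, signature, target) so one
            # noisy host produces one item in the analyst queue, not hundreds.
            key = (alert["src"], alert["sig"], alert["dst"])
            if key in seen:
                counts["duplicate"] += 1
                continue
            seen.add(key)
            queue.append(alert)
    return queue, auto, counts
```

Known-bad alerts are still written to the log, so the evidence survives for forensics; they are only removed from the queue that needs human eyes. A stale allowlist hides real attacks, so the lists themselves deserve the same review cadence as the alerts they suppress.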
Want to find out what you can do to dramatically reduce your SIEM alerts? Register for our Webinar on Oct 14, 2015 with Analyst Jon Oltsik.