Alert overload can waste admins' time

Security alerts are all about value to a network administrator or security officer, and more alerts don't necessarily translate into increased security.

"I get two to four alerts in a typical day. I find that to be enough," said Lisa L. Moris, senior systems programmer and network engineer for Hennepin County in Minnesota. "If you subscribe to more, it usually just duplicates [information] without any additional, valuable differences in the alerts."

Moris is like many admins who try, often in vain, to fend off an avalanche of daily security information sent from vendors and clearinghouses like CERT. Yet admins who spend an increasing portion of their day gauging the severity and relevance of information in an alert are caught in a nasty Catch-22: Either lose precious time wading through the data, or ignore it and risk missing something that could have disastrous consequences.

"If the information is just replication of stuff you already have, then it can be annoying to have piles of it in your inbox," said Andrew Lee, co-founder and administrator of the Antivirus Information Exchange Network. "If it's consistently useful, then it's essential. I think there can be a danger of being overloaded, but it can depend on the situation."

Lee recommended keeping a watchful eye on what peers are saying during the early stages of an outbreak, as well as paying attention to user groups and discussion boards to determine how many others are affected. He also doesn't see a problem with a plethora of information, as long as it's timely, accurate and comprehensive.

"It's much easier to gauge the importance of something when you have a huge number of people all watching out," said Lee, who is also a Wildlist reporter. "For instance, if I ask if anyone else is seeing such and such activity on their network, and only a couple of people reply, that not only helps me, but it helps everyone else to know the sort of scale of the problem. If it's something serious, we can alert people and quickly deal with it. So, the key is not how much information you get, it's how good that information is."

A recent SearchSecurity online poll asked readers how many security-related mailings they subscribe to. Forty-one percent answered five to nine alerts, while 26% answered one to four. Of those polled, 12% admitted to subscribing to 15 or more.

Admins also must discern whether vendors are consistently crying wolf about potential outbreaks, a situation that Lee said is waning.

"There will always be some vendors that will hype something unnecessarily," Lee said. "Mostly it's improved greatly; it's now very public with such a connected world, so it can make them look really bad in the eyes of their customers if it turns out to be a damp squib, or they've over-hyped something."
