A recent survey from the Cloud Security Alliance and Skyhigh Networks, titled IT Security in the Age of Cloud, showed that a significant number of IT and security professionals are having trouble drinking from the proverbial security fire hose, and the flow keeps getting harder to manage. Nearly a third of the 228 respondents said they ignore network security alerts because there are too many false positives, and 26% said they receive more security alerts than they can investigate. Those two findings alone describe a breach waiting to happen: an alert that nobody reads provides no more protection than no alert at all, so they effectively negate a large share of what has been invested in enterprise security to this point.
The study also found that 40% of respondents see a lack of actionable intelligence in the network security alerts they do receive. What does that say about the security controls and processes they have invested in so far? Oddly enough, a majority of respondents (53.7%) said their organizations plan to increase their security budget in the next 12 months. That raises the question: are they simply going to throw more money at the problem? The usual mantra is that more spending will, presumably, fix everything. Unfortunately, information security programs aren't that simple, and quick fixes do not -- and never will -- work. What's needed is a fresh look at, and perhaps a significant retooling of, how information security is managed.
So how do IT and security pros move forward and get past this disarray with network security alerts? Everyone's situation is unique, but there are some common strategies and tactics that can be used to regain some semblance of control. The first step is reaching agreement on what matters: which types of attacks against which specific systems in the network environment need the attention of IT and security staff. That might mean enterprise applications in the DMZ, monitored through firewall and intrusion detection system (IDS) alerts, or internal-facing endpoints, monitored through data loss prevention (DLP) and malware protection. Whether the focus is external or internal, a security information and event management (SIEM) vendor, a managed security services provider or another third party might be involved. Part of that agreement is deciding what new, or better, information is needed: is too little information being provided, or at least the wrong information, to support good decision-making?
I have found that, by and large, most problems related to network security alerts, and the oversights that follow from them, come down to a lack of tuning of the security systems in use. Given time constraints and weak time management, combined with knowledge and training gaps about the products and about which security events to look for, many security systems are "set it and forget it." Unless firewalls, IDS or intrusion prevention systems, SIEM and the like are continually measured and then adjusted on the basis of those measurements, there is no way to achieve measurable improvement. Each security system must be treated as a feedback loop: analysts record whether each alert was a true or false positive, that record drives which rules get tuned, suppressed or reprioritized, and the resulting adjustments are fed back into the larger security program.
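The two preceding paragraphs describe a measurement loop: agree on which assets and attack types matter, record analyst verdicts on the alerts that arrive, and use those verdicts to decide which rules to tune and how to rank the open queue. The script below is an added example of that loop, not code from the original article or from any product it mentions. The rule names, the asset-zone weights, the sample alerts and the thresholds are all constructed for illustration; in practice the alerts would come from the SIEM or ticketing system and the zone weights from the agreement on what matters.

```python
"""Per-rule alert precision and a priority-ranked triage queue.

Added example, not from the original article. Every rule name, zone weight,
threshold and sample alert here is a constructed assumption.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    rule: str       # detection rule that fired (constructed names below)
    source: str     # producing system: "ids", "firewall", "dlp", "edr"
    zone: str       # where the asset sits: "dmz", "internal", "lab"
    severity: int   # 1 (low) .. 4 (critical), as set by the producing tool
    verdict: str    # analyst outcome: "tp", "fp", or "open" (not yet triaged)


# Agreed asset criticality (assumption): the "what matters" decision encoded.
ZONE_WEIGHT = {"dmz": 3, "internal": 2, "lab": 1}

# Constructed sample of alerts, most already closed by an analyst.
SAMPLE_ALERTS = [Alert(*row) for row in [
    ("IDS: Nmap scan",        "ids",      "dmz",      2, "fp"),
    ("IDS: Nmap scan",        "ids",      "dmz",      2, "fp"),
    ("IDS: Nmap scan",        "ids",      "dmz",      2, "fp"),
    ("IDS: Nmap scan",        "ids",      "dmz",      2, "fp"),
    ("IDS: Nmap scan",        "ids",      "dmz",      2, "fp"),
    ("IDS: Nmap scan",        "ids",      "dmz",      2, "fp"),
    ("FW: outbound deny",     "firewall", "internal", 1, "tp"),
    ("FW: outbound deny",     "firewall", "internal", 1, "fp"),
    ("FW: outbound deny",     "firewall", "internal", 1, "fp"),
    ("FW: outbound deny",     "firewall", "internal", 1, "fp"),
    ("FW: outbound deny",     "firewall", "internal", 1, "fp"),
    ("IDS: web shell upload", "ids",      "dmz",      4, "tp"),
    ("IDS: web shell upload", "ids",      "dmz",      4, "tp"),
    ("IDS: web shell upload", "ids",      "dmz",      4, "tp"),
    ("DLP: SSN in email",     "dlp",      "internal", 3, "tp"),
    ("DLP: SSN in email",     "dlp",      "internal", 3, "tp"),
    ("DLP: SSN in email",     "dlp",      "internal", 3, "fp"),
    ("DLP: SSN in email",     "dlp",      "internal", 3, "fp"),
    # Still open: these are what the analyst sees next.
    ("IDS: Nmap scan",        "ids",      "dmz",      2, "open"),
    ("IDS: web shell upload", "ids",      "dmz",      4, "open"),
    ("DLP: SSN in email",     "dlp",      "internal", 3, "open"),
    ("FW: outbound deny",     "firewall", "internal", 1, "open"),
    ("EDR: unsigned binary",  "edr",      "internal", 2, "open"),  # never triaged
]]


def rule_stats(alerts):
    """Volume and precision (tp / (tp + fp)) per rule; precision is None
    when the rule has no triaged alerts yet."""
    stats = defaultdict(lambda: {"total": 0, "tp": 0, "fp": 0})
    for a in alerts:
        s = stats[a.rule]
        s["total"] += 1
        if a.verdict in ("tp", "fp"):
            s[a.verdict] += 1
    for s in stats.values():
        triaged = s["tp"] + s["fp"]
        s["precision"] = s["tp"] / triaged if triaged else None
    return dict(stats)


def tuning_candidates(stats, min_triaged=5, max_precision=0.2):
    """Rules with enough triaged samples to judge and precision at or below
    the threshold: the first things to tune, not to silently suppress."""
    return sorted(
        rule for rule, s in stats.items()
        if s["tp"] + s["fp"] >= min_triaged
        and s["precision"] is not None
        and s["precision"] <= max_precision
    )


def priority(alert, stats, zone_weight=ZONE_WEIGHT):
    """Tool severity x agreed asset weight x observed rule precision.
    A rule with no history gets a neutral 0.5 prior; a rule measured at
    zero precision keeps a small floor so it is demoted, not hidden."""
    prec = stats.get(alert.rule, {}).get("precision")
    if prec is None:
        prec = 0.5
    return alert.severity * zone_weight.get(alert.zone, 1) * max(prec, 0.05)


def triage_queue(alerts, stats):
    """Open alerts, highest priority first."""
    open_alerts = [a for a in alerts if a.verdict == "open"]
    return sorted(open_alerts, key=lambda a: priority(a, stats), reverse=True)


if __name__ == "__main__":
    s = rule_stats(SAMPLE_ALERTS)
    print("rules to tune:", tuning_candidates(s))
    for a in triage_queue(SAMPLE_ALERTS, s):
        print(f"{priority(a, s):6.2f}  {a.rule}  ({a.zone}, sev {a.severity})")
```

Run as-is, the script flags the Nmap-scan and outbound-deny rules for tuning because analysts closed nearly every instance as a false positive, and it puts the DMZ web shell alert at the top of the queue ahead of an internal DLP hit. The point of keeping a precision floor rather than dropping noisy rules outright is that the loop is meant to drive tuning work; a rule that is silently suppressed never gets fixed, which is exactly the "set it and forget it" failure the text describes.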
There are a lot of moving parts in properly setting and managing network security alerts, but the remedy is simple to state. Even with users demanding simplicity and convenience, enterprises must set aside time and resources for this ongoing measurement and tuning work. Otherwise, they are just going through the motions, which creates a false sense of security and sets everyone involved up for failure over the long haul.