Security teams are drowning in a flood of alerts. Alert fatigue affects even mature security teams. Few organizations can support the number of analysts that would be required to effectively handle the volume of alerts their IDS generates. If they can’t hire their way out of this problem, they need to find a way to reduce the number of alerts their teams handle and increase the amount of information they have about those alerts.
The majority of security alerts generated by intrusion detection systems are false positives, and many are redundant or duplicates. Other alerts simply don’t correlate to the enterprise’s actual risks. What is needed is fewer alerts but more data around those alerts: contextual data that will allow an analyst to see a bigger picture and to make connections between alert traffic and everything else happening on the network. Evaluating risk and then building rules to align with those risks can reduce the flow of alerts, and more data around those alerts will allow security analysts to gain the insight needed to make informed risk decisions.
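As an added illustration of the two levers this paragraph describes, collapsing duplicate alerts and attaching network context, the Python below (example code, not Bricata’s or the article’s) merges repeated Suricata EVE alerts that share a flow and signature, then joins each surviving alert to the matching Zeek (formerly Bro) connection record by 5-tuple; the alert and connection records are constructed sample data.

```python
import json

# Constructed sample input (not real traffic): three Suricata EVE alert lines;
# the first two are one signature firing twice on the same flow (a duplicate).
EVE_ALERTS = [json.loads(line) for line in """
{"timestamp":"2019-03-01T10:00:01Z","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED Suspicious TLS SNI","severity":2}}
{"timestamp":"2019-03-01T10:00:02Z","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED Suspicious TLS SNI","severity":2}}
{"timestamp":"2019-03-01T10:00:09Z","src_ip":"10.0.0.7","src_port":40000,"dest_ip":"198.51.100.2","dest_port":80,"proto":"TCP","alert":{"signature_id":9000002,"signature":"CONSTRUCTED HTTP policy hit","severity":3}}
""".strip().splitlines()]

# Constructed sample input: one Zeek (formerly Bro) conn.log record in JSON form.
# Only the first alerted flow has a matching connection; the second has none.
ZEEK_CONN = [json.loads(line) for line in """
{"uid":"CAbc01","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","duration":12.4,"orig_bytes":1800,"resp_bytes":5400000,"conn_state":"SF"}
""".strip().splitlines()]

def flow_key(src, sport, dst, dport, proto):
    """Normalise a 5-tuple so Suricata and Zeek records can be joined."""
    return (src, int(sport), dst, int(dport), proto.lower())

def triage(alerts, conns):
    """Collapse repeated (flow, signature) alerts into one row with a hit
    count, and attach the Zeek connection record for that flow as context."""
    conn_by_flow = {flow_key(c["id.orig_h"], c["id.orig_p"], c["id.resp_h"],
                             c["id.resp_p"], c["proto"]): c for c in conns}
    merged = {}  # dict keeps insertion order, so output follows first-seen order
    for a in alerts:
        flow = flow_key(a["src_ip"], a["src_port"], a["dest_ip"],
                        a["dest_port"], a["proto"])
        dedup_key = flow + (a["alert"]["signature_id"],)
        if dedup_key in merged:  # duplicate: count it instead of emitting again
            merged[dedup_key]["count"] += 1
            merged[dedup_key]["last_seen"] = a["timestamp"]
            continue
        conn = conn_by_flow.get(flow)
        merged[dedup_key] = {
            "signature": a["alert"]["signature"],
            "severity": a["alert"]["severity"],
            "flow": flow, "count": 1,
            "first_seen": a["timestamp"], "last_seen": a["timestamp"],
            # None when Zeek logged no connection for this flow; that gap is
            # itself worth showing the analyst rather than hiding.
            "context": None if conn is None else {
                "zeek_uid": conn["uid"], "conn_state": conn["conn_state"],
                "duration_s": conn["duration"],
                "bytes_to_server": conn["orig_bytes"],
                "bytes_to_client": conn["resp_bytes"],
            },
        }
    return list(merged.values())
```

On the sample input, three raw alerts become two rows: the first carries a hit count of 2 plus the Zeek connection details, the second carries no context because no connection was logged for it.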
There is no shortage of commercial solutions available, each addressing a specific aspect of protecting the enterprise from attack. Each of these disparate security solutions sends out a notification in its own format to its own console, leaving analysts scurrying among multiple terminals to come up with a few meaningful clues about the overall threat activity.
Ed Hammersla wrote at GCN, “With organizations grudgingly accepting an ‘assumption of compromise’ as the new normal, today’s teams should advance beyond SIEM and build a unified, dynamic platform. At its core, the unified, dynamic platform is analytics-driven, establishing end-to-end visibility across the enterprise with the expressed intent of profiling attacks, unearthing patterns in threat activity and tracking movements of intruders. The newer generation, dynamic analytics platform is purposeful, features a single intuitive interface to all data and delivers powerful correlation, modeling and visualization capabilities to discern complex attack profiles. It can predict threats and gain insights from them to make informed decisions about mitigation and remediation.”
To bring you an inside view of what one company is doing to build a system that will combat alert fatigue, we talked with John Trauth, President & CEO at Bricata, and Kent Wilson, Vice President, Customer Experience at Bricata. Bricata distinguishes itself from other network security tools because it combines network visibility, threat detection, threat hunting, and post-detection actions into a single platform.
John told us, “The company was founded in July 2014 and was formulated under the premise of building a better mousetrap.” He explained that even before the inception of Bricata he was aware of widespread frustration with network intrusion detection systems often expressed with the phrase “alert cannon.” Security professionals have complained for years about not having enough context behind the flood of alerts they receive. He wanted to find a way to provide network intrusion detection with full packet capture to provide that contextual understanding.
Cyber threats are complex and ever-evolving, and they require a range of detection and protection technologies to fully protect a network. Bricata employs multiple detection techniques, including signature detection, stateful anomaly detection, and artificial intelligence, which together are intended to raise detection rates while minimizing false alerts.
John said, “We are a full spectrum threat detection platform that provides comprehensive network traffic visibility while also enabling threat hunting. We have integrated two different types of alert engines. One being Suricata, which is a 64-bit multithreaded signature-based platform, and the other being the CylanceINFINITY engine which is, of course, algorithmic and is based on machine learning and artificial intelligence. We have integrated the Bro engine with both of these other engines so that we can correlate all that network metadata directly with alerts.”
Kent added, “At the end of the day, what we’ve done with Bricata is brought together all of the tools that the tier-one analyst and the tier-three analyst are going to need and combined them into a single analytic platform. This ensures that the tier-one analyst has all the information they need to pivot away from an alert and get the right information to the remediation folks, but also what the tier-three person needs in order to make the appropriate determination if there are potentially dangerous things going on in the environment.”
Each enterprise must evolve to confront today’s threats. By employing a dynamic analytics platform that provides contextual data, security teams will be better prepared to meet those threats. No doubt the continual building of a better mousetrap is the future of cybersecurity.
By: Steven Bowcut, CPP, PSP, Brilliance Security Magazine Editor-in-Chief