Join us tomorrow for “​​​​​​Hacking Technical Debt”

Super Cyber Fridays!

Join us Friday, December 13, 2024, for “Hacking Technical Debt: An hour of critical thinking about strategically modernizing your infrastructure.”

It all begins at 1 PM ET/10 AM PT on Friday, December 13, 2024, with guests James Hauswirth, principal consultant, GuidePoint Security, and Samantha Jacques, VP, clinical engineering, McLaren Health Care. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, GuidePoint Security


Defense in Depth
How Can We Fix Alert Fatigue?


Useful alerts are critical in cybersecurity. But getting inundated with useless alerts wastes resources and our attention. How do we build out an alerting system that actually works?

Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark, producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Itai Tevet, CEO, Intezer.

Build for what you can handle

Look at your SOC today: how many alerts is your staff prepared to handle? If you currently have a system that delivers more, it has only one end result: staff burnout. "Generating a thousand alerts a day when capacity can handle 100 is 'begging' for trouble. Business and SecOps are not aligned. This assumes that you have the basics taken care of, without which this is all meaningless," said Subbarayudu Darisipudi of Optiv. We cast too wide a net for alerts in the hope of catching everything. But Nathan A. Larson thinks that’s a doomed philosophy: "Ignore what the vendors tell you. 100% accuracy does not exist, any more than 100% secure. Trust the architects and vulnerability engineers. Focus on the irreplaceable assets the business cannot lose. Protect against the threats that are most likely, easiest, automated. Review, revise, repeat."

Rethinking alerts

Have we missed a fundamental opportunity with alerts? Instead of being something to clear out, alerts tell us about our infrastructure. "Stop treating them as ‘alerts’ and start treating them as ‘data points.’ Some data points will cross a threshold either individually or in combination. I firmly believe that some form of AI/ML needs to be put in so that this data is consumed, correlated with other business-relevant data points, and risk-based decisions are made," said Bil Harmer, CISO of Craft Ventures. For Brian Andrzej of Tanium Cloud, we may already be at a point where we can turn alerts into data points that feed a system which informs the business: "Alerts are just another set of data, just like logging. Treat alerts as observables from your various tools. Build your detections, time windows, and attributions on top of those datasets to create actionable events for your automation and humans to investigate. While an alert may not be actionable in initial detection, it may have value as you build your attribution to a possible event as you build out your timeline."

Building trust into your system

Systems for handling alerts must be built with a core of trust. Using fear to guide our infrastructure is a great way to maintain stress. "The problem with alert fatigue is all about fear. Fear that something bad will happen, and you’ll discover that you had an alert for it, but you didn’t pay enough attention. So, the key thing here is trust. Trust that the tuning or the prioritization will tell you which alerts I need to drop everything and address and which I can ignore completely and everything else in between," said Andrew Wilder, CSO at Vetcor. One way to shift left on alerts is to better understand the tradeoffs you’re making in your detections. Jason Keirstead of Simbian explained the issue: "Alerts come from detections. Detections can either be specific or generic. The problem is a program management issue. Every time an alert is closed as a false positive, an action should be taken such that that specific detection never creates a false positive for that reason again."
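The two ideas from the last two sections, alerts kept as data points that only become an actionable event once several distinct rules fire on one entity inside a time window, and a feedback loop in which closing an alert as a false positive stops that (rule, reason) pair from scoring again, as an added Python example. This is not code from the episode, its guests, or any vendor named here; the record format, rule names, sources and sample alerts are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str   # tool that emitted the observable (EDR, IdP, proxy, ...)
    entity: str   # host or account the observable is attributed to
    rule: str     # detection rule that matched
    reason: str   # why it matched; the key used for false-positive feedback


def parse_alert(record: str) -> Alert:
    """Parse one 'ts|source|entity|rule|reason' record (a constructed format)."""
    ts, source, entity, rule, reason = record.strip().split("|")
    return Alert(datetime.fromisoformat(ts), source, entity, rule, reason)


# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    "2024-12-06T09:00:00|idp|alice|impossible_travel|vpn_egress",
    "2024-12-06T09:05:00|idp|alice|mfa_push_spam|five_pushes",
    "2024-12-06T09:10:00|edr|ws-01|new_scheduled_task|backup_agent",
    "2024-12-06T12:01:00|proxy|ws-02|rare_domain|first_seen",
    "2024-12-06T12:04:00|edr|ws-02|lsass_access|unsigned_binary",
    "2024-12-06T12:09:00|edr|ws-02|new_service|unsigned_binary",
    "2024-12-06T15:00:00|proxy|ws-02|rare_domain|first_seen",
]


class AlertCorrelator:
    """Keep every alert as a data point on a per-entity timeline and raise an
    event only when enough distinct rules fire on one entity inside a window."""

    def __init__(self, window: timedelta, min_distinct_rules: int):
        self.window = window
        self.min_distinct_rules = min_distinct_rules
        self.suppressed: set[tuple[str, str]] = set()
        self.timeline: dict[str, list[Alert]] = defaultdict(list)

    def ingest(self, alerts) -> None:
        for alert in alerts:
            self.timeline[alert.entity].append(alert)
        for entity_alerts in self.timeline.values():
            entity_alerts.sort(key=lambda a: a.ts)

    def close_as_false_positive(self, alert: Alert) -> None:
        """Feedback loop: this (rule, reason) pair never scores again, but its
        alerts stay on the timeline as investigation context."""
        self.suppressed.add((alert.rule, alert.reason))

    def actionable_events(self) -> list[dict]:
        events = []
        for entity, alerts in self.timeline.items():
            scoring = [a for a in alerts if (a.rule, a.reason) not in self.suppressed]
            covered_until = None  # end of the last window already raised as an event
            for i, anchor in enumerate(scoring):
                if covered_until is not None and anchor.ts <= covered_until:
                    continue
                end = anchor.ts + self.window
                in_window = [a for a in scoring[i:] if a.ts <= end]
                rules = sorted({a.rule for a in in_window})
                if len(rules) < self.min_distinct_rules:
                    continue
                events.append({
                    "entity": entity,
                    "start": anchor.ts,
                    "end": in_window[-1].ts,
                    "rules": rules,
                    "sources": sorted({a.source for a in in_window}),
                    # full timeline up to the window end, suppressed alerts included
                    "context": [a for a in alerts if a.ts <= end],
                })
                covered_until = end
        return events


def run_example(feedback: bool) -> list[dict]:
    corr = AlertCorrelator(window=timedelta(minutes=15), min_distinct_rules=2)
    corr.ingest(parse_alert(r) for r in SAMPLE_RECORDS)
    if feedback:
        # An analyst closed alice's impossible_travel/vpn_egress alert as a false
        # positive (corporate VPN egress); record it so that reason never scores again.
        corr.close_as_false_positive(corr.timeline["alice"][0])
    return corr.actionable_events()


if __name__ == "__main__":
    for event in run_example(feedback=True):
        print(event["entity"], event["start"], event["rules"], event["sources"])
```

Without the feedback step, alice's impossible-travel alert plus an MFA push alert five minutes later crosses the two-rule threshold and raises an event; after the analyst's closure is fed back, only ws-02 (three distinct rules from two tools in eight minutes) is raised, while alice's alerts remain on her timeline as context rather than being deleted.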

Seeing the bigger picture

Focusing on alerts in isolation is like focusing only on the symptoms of a disease. If we want to reduce alert fatigue, we need a wider view. "We are fatigued with alerts because the solution to alerting problems requires a system approach, whereas we try to solve it as a point problem. The detection mechanism that generated the alert did so because of some kind of rule match but couldn’t see beyond its slice of view as to the context - both organizational and threat side - where did it come from (threat)? Is it relevant? What’s the impact? It’s like solving a multi-nominal system with half of the variables. Another challenge is the feedback loop that could throttle the volume down. But we don’t have any because we don’t have a system," said Mihir Mohanty of Stellar Cyber.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, Intezer


Subscribe to the Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

LIVE!
Cyber Security Headlines - Week in Review


Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jimmy Sanders, president, ISSA International.

Thanks to our Cyber Security Headlines sponsor, ThreatLocker


Cyber chatter from around the web...
Jump in on these conversations

"Can’t get work after over 10 years experience" (More here)

"Users getting cred stuffed with invalid pw. How do you handle it?" (More here)

"What’s an interesting fact you tell friends and family about cybersecurity?" (More here)

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.