Using Data Science and Automation to Combat Alert Fatigue
A perfect storm of factors has combined to make the lives of people trusted with securing organizations difficult. Threats are escalating in both complexity and severity — in 2020, the average sum paid by victims of ransomware attacks swelled to over $178,000, and malicious actors are now organized to the point of behaving like legitimate businesses offering a “service.”
Compounding the situation, there’s a well-documented talent shortage in the field. Security operations must run — and be staffed — 24 hours a day. Last year, Forbes reported that “the U.S. has less than half the cybersecurity candidates that it needs to handle increasing demand.” Burnout and turnover are notoriously high; a recent poll of security and SOC decision-makers “found that 70% are utterly stressed with IT threat alerts.”
Too many low-value alerts
In a 2021 survey of the profession, respondents said a top challenge is “filtering the noise out of alerts so we can focus on the right signals.” And no wonder: On average, security teams receive over 11,000 alerts each day — and can address only 72% of them. Infosecurity Magazine writes that “more than a quarter of security alerts fielded within organizations are false positives;” meanwhile, another report says as many as 75% of all alerts may be false positives.
Whatever the precise number, we know a ceaseless torrent of alerts flows into most SOCs at a rate no human could possibly match. Yet they still demand immediate responses — attackers are operating at machine speeds, and delays can mean devastating breaches.
A new approach is needed to assist the beleaguered humans in the Security Operations Center: one that prioritizes data science over legacy security models that can no longer keep up.
How data science helps
Data science improves the signal-to-noise ratio: machine-learning models produce high-fidelity alerts. Because these detections are truly indicative of malicious behavior, threat hunters can find attacks without wading through a lot of false positives. This reduction in noisy, low-value notifications is a tremendous boost to security staff plagued with more alerts than they can feasibly handle.
ActZero’s team of data scientists takes a multi-pronged approach to threats, building anomaly detection and supervised models and gathering logs from multiple data sources (such as endpoint, network, and cloud) to better cover the attack surface. Armed with large amounts of high-quality, diverse data to establish a baseline, the models allow security professionals to determine exactly what “normal” activity looks like. The models are trained to detect unusual activity and bring it to the attention of security analysts.
Creating optimal alerts
It’s clear that not all alerts are created equal — so what makes for an informative and actionable alert? Beyond being accurate indicators of attack, they should ease alert fatigue by speeding up investigation and response, and offer context to reduce anxiety, especially at volume. To best empower the SOC, alerts should provide detailed information, recommend steps for remediation, and even be proactive. Read more in our data scientist Luke Wolcott’s blog entry “Optimal Security Alerts: Specific, Relevant, Actionable, Scalable.”
An effective and efficient security operation
Of course, there’s more to combating alert fatigue than ensuring stronger alerts. Ultimately, how your analysts and threat hunters are spending their time should be optimized for efficiency.
False positives not only contribute to alert fatigue but also prevent automation of responses: a responsive action (like quarantining a machine or killing a process) disrupts business operations when there’s no genuine threat present to justify it. With high-fidelity detections established, we investigated where automation stood to save SOC personnel the greatest amount of time, without sacrificing the quality of response.
Following ActZero’s acquisition of IntelliGO, our team performed a full standardization and value assessment on SOC activities, prioritizing time spent on high-impact security activities. Innovative assessment methods — like giving each person in the SOC physical devices for tracking activities — allowed us to be granular with activity data and identify the best opportunities for automation. We also gathered data on the effects that context switching, specialization, randomization, and even the time of day can have on the productivity and efficiency of the SOC.
Additionally, we performed ongoing identification of automation use cases to reduce manual work wherever possible. These included both traditional process refinement and software automations, as well as new ones afforded by machine-learning detections. With so few false positives, we were able to automate responses to high-severity, high-fidelity indicators of attack.
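One way to express the gating described above, as an added example rather than ActZero's own code: a detection earns an automated response only if it is high severity and its measured precision, taken as a Wilson lower bound so that a handful of lucky verdicts does not qualify, clears a floor. The detection names, disposition counts, the 0.90 floor and the choice of the Wilson interval are all assumptions made for illustration.

```python
import math
from collections import defaultdict

# Constructed sample of analyst dispositions: (detection, severity, verdict).
# "tp" = confirmed malicious, "fp" = false positive. Names are hypothetical.
DISPOSITIONS = (
    [("ransomware_file_encryption", "high", "tp")] * 60
    + [("suspicious_script_launch", "high", "tp")] * 4
    + [("admin_tool_lateral_use", "high", "tp")] * 45
    + [("admin_tool_lateral_use", "high", "fp")] * 15
    + [("cloud_key_listing", "medium", "tp")] * 80
    + [("rare_login_location", "medium", "tp")] * 30
    + [("rare_login_location", "medium", "fp")] * 70
)

def wilson_lower(tp, n, z=1.96):
    """Lower bound of the 95% Wilson interval for precision tp/n."""
    if n == 0:
        return 0.0
    p = tp / n
    centre = p + z * z / (2 * n)
    margin = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre - margin) / (1 + z * z / n)

def response_policy(dispositions, min_precision=0.90):
    """Map each detection to (action, precision lower bound)."""
    counts = defaultdict(lambda: [0, 0])  # detection -> [true positives, total]
    severity = {}
    for name, sev, verdict in dispositions:
        counts[name][0] += verdict == "tp"
        counts[name][1] += 1
        severity[name] = sev
    policy = {}
    for name, (tp, n) in counts.items():
        bound = wilson_lower(tp, n)
        # Automate only when a wrong action is both unlikely and justified:
        # high severity AND precision that is high with enough evidence.
        auto = severity[name] == "high" and bound >= min_precision
        policy[name] = ("auto_respond" if auto else "analyst_review", round(bound, 3))
    return policy

if __name__ == "__main__":
    for name, (action, bound) in sorted(response_policy(DISPOSITIONS).items()):
        print(f"{name:28} precision>={bound:.3f} -> {action}")
```

The four-alert detection has a perfect record but stays with analysts, because four verdicts are too few to justify quarantining machines automatically.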
As you can see, combating alert fatigue is no small task. But given the depth of the problem as outlined above, and ActZero’s requirements for scalability, doing so is necessary to remain effective in combating threats. Taken together, data science accuracy enables automation, and this automation enables efficiency. Greater efficiency yields a depth of focus to tackle threats that would have been missed in a SOC subject to alert fatigue.
Enter the “Hyperscale SOC”
ActZero’s innovative approach centered on data science empowers security professionals to cover more ground with fewer resources. To learn more about how we’re using data science to combat alert fatigue, download your free copy of ActZero’s white paper “The ‘Hyperscale SOC’ and the Minds Behind It: A Machine-learning Foundation for Effective Cybersecurity.” You’ll hear directly from a variety of data scientists and security engineers working together to advance the capabilities of machine learning, in order to better identify suspicious scripting, defend the cloud, and provide machine-speed ransomware detections.