

Five Basic Forgotten Security Alert Truths

by Anton Chuvakin  |  September 25, 2015  |  3 Comments

Here is a fun one: everybody whines that organizations have too many alerts, even the makers of the tools that produce alerts. Everybody! Everybody!! Everybody!!!

When people whine [which, BTW, I totally respect – whining is an essential human right, as we all know], their lamentations often obscure a few basic truths about alerts.

These are:

  1. Some organizations don’t have too many alerts, they just have too few people – their alerts are all legitimate alerts that need human triage; automation already did its job, now people must.
  2. MSSP is often seen as “the solution for the ‘alert problem’” – but guess what the MSSP would send you?! Yup, ALERTS! Thus, it is not The Answer. Are there cases where the MSSP sends you ‘bad’ alerts that waste your time? You bet!
  3. If you have a magic Wand of Alert Handling, and you wave it – and achieve perfect [however defined!] alert handling, is that a WIN? Yes, a WIN – of a 1998 battle … in 2015.
  4. Specifically, perfect alert handling does not give you ANY recourse against things that do not produce an alert, even a low severity one. This is definitely the case for the “unknown unknowns” and likely also for “known unknowns.”
  5. Still, we need alerts with better context, we need more automation, we need deeper data on endpoints/traffic, etc – however, there will always be alerts, and some will be false. If your “false positive” rate is zero, I can bet anything that you are missing the important, but weak signals… and they do matter!
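
Point 5 is easy to state and easy to forget, so here is an added example (mine, not from the post) that makes it concrete: a threshold sweep over a small constructed set of scored events. The scores, event names and the "score >= threshold means alert" rule are all assumptions for illustration; the only thing the example shows is that the one threshold which drives the false-positive count to zero is also the one that drops the weak but real signals.

```python
"""Added example (not from the original post): a threshold sweep over a
constructed set of scored events, showing that the threshold which drives
the false-positive count to zero also drops the weak true signals."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    score: int        # detector's score, higher = more suspicious (constructed)
    malicious: bool   # ground truth, known only after investigation


# Constructed sample data. Benign noise and the weak end of real activity
# overlap in score; only the loud attacks sit clearly above everything benign.
EVENTS = [
    Event("nightly backup traffic burst", 35, False),
    Event("admin login outside shift", 55, False),
    Event("vulnerability scanner from QA subnet", 62, False),
    Event("misconfigured cron job retry storm", 70, False),
    Event("low-and-slow beacon to new domain", 48, True),       # weak signal
    Event("single credential reused from new ASN", 66, True),  # weak signal
    Event("mass file rename on file server", 88, True),        # loud
    Event("hit on known C2 indicator", 95, True),              # loud
]


def evaluate(events, threshold):
    """Alert on every event with score >= threshold.

    Returns (true_positives, false_positives, missed_malicious)."""
    tp = sum(1 for e in events if e.malicious and e.score >= threshold)
    fp = sum(1 for e in events if not e.malicious and e.score >= threshold)
    missed = sum(1 for e in events if e.malicious and e.score < threshold)
    return tp, fp, missed


def zero_fp_threshold(events):
    """Lowest threshold at which no benign event alerts: one above the
    highest-scoring benign event."""
    return max(e.score for e in events if not e.malicious) + 1


def missed_at_zero_fp(events):
    """Names of malicious events that a zero-false-positive threshold drops."""
    t = zero_fp_threshold(events)
    return [e.name for e in events if e.malicious and e.score < t]


def sweep(events, thresholds):
    """Per-threshold (tp, fp, missed) table for comparing tuning choices."""
    return {t: evaluate(events, t) for t in thresholds}


if __name__ == "__main__":
    for t, (tp, fp, missed) in sweep(EVENTS, (40, 50, 65, 71, 90)).items():
        print(f"threshold {t:>3}: tp={tp} fp={fp} missed={missed}")
    print("zero-FP threshold:", zero_fp_threshold(EVENTS))
    print("weak signals lost:", missed_at_zero_fp(EVENTS))
```

On this data the zero-false-positive threshold is 71: it fires only on the two loud attacks and silently drops the beacon and the credential reuse, which is exactly the "missing the weak signals" failure the point describes. A lower threshold of 40 catches all four but costs three benign alerts, which is point 1 again: those three are not a tooling problem, they are triage work that needs people.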

There you have it — when you think of channeling all your energy towards better alert handling, keep this in mind!

P.S. I should really blog about vulnerability management, our current research. So, the next one will be on it…

Category: monitoring  philosophy  security  

Anton Chuvakin
Research VP
5+ years with Gartner
16 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Five Basic Forgotten Security Alert Truths


  1. Matthew Gardiner says:

    I see old school SIEM MSSPs that collect logs and generate alerts of marginal value giving way to MSSP hosted virtual SOCs that take on much more of the detection and investigative load.

  2. Matthew Gardiner says:

    And yes, organizations definitely need deeper visibility by leveraging endpoint & network data! It doesn’t matter how good the analytics are if the underlying data doesn’t have the signal(s) in the first place.


