
Who Validates Alerts Validated by Your Alert Validator Software?

By Anton Chuvakin | March 06, 2015 | 6 Comments

Tags: SIEM, security monitoring, analytics

Pardon the idiotic title, but some recent discussions around security analytics have made this question practically relevant.

So:

  1. You have a SIEM and other security technologies focused on detection and alerting
  2. As a result, you have lots of security alerts – and you think it is too damn many!
  3. You don’t have enough people to tune the systems that produced the alerts so that they produce fewer/better alerts
  4. Also, you do not have enough skilled SIEM people to triage / validate the alerts
  5. Instead, you want to buy a new, “magic bullet” tool that promises to “make better alerts”
  6. Your security budget: $$$$$. Budget after the magic tool purchase: $$
  7. The magic tool is deployed and – abracadabra! – your 23,543 alerts become 17 alerts
  8. What just happened? Where did they go?!
  9. Now you need skilled people to a) confirm that the alerts that remained really do matter, b) confirm that these alerts matter the most to you, and c) confirm that the alerts that vanished don’t matter
  10. If a), b) and c) are not to your perfect satisfaction, you now need skilled people to tune the new tool.
  11. Result? You bought a new tool to avoid hiring people, and now you need to hire people to run this tool. In fact, you needed 3 security analysts @ $80K/year, and now you need a security data scientist @ $240K/year …
  12. Explain :–)

On a more serious note, we make a lot of exciting predictions on the rise of smart machines, but for the foreseeable future said machines will require smart people to run them …
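Step 9 above is a checkable procedure: before trusting a tool that turned 23,543 alerts into 17, diff what it kept against what it dropped, flag any detection rule it silenced wholesale, and hand an analyst the dropped alerts that most need a second look. The following is an added example written for this post, not code from the post or from any vendor product; the alert fields, rule names, severities and the `RETAINED_IDS` set are constructed assumptions.

```python
from collections import Counter

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample alerts (not real SIEM data): id, rule, severity.
ORIGINAL_ALERTS = [
    {"id": 1, "rule": "brute_force_ssh", "severity": "medium"},
    {"id": 2, "rule": "brute_force_ssh", "severity": "medium"},
    {"id": 3, "rule": "brute_force_ssh", "severity": "high"},
    {"id": 4, "rule": "malware_beacon", "severity": "critical"},
    {"id": 5, "rule": "malware_beacon", "severity": "high"},
    {"id": 6, "rule": "policy_violation", "severity": "low"},
    {"id": 7, "rule": "policy_violation", "severity": "low"},
    {"id": 8, "rule": "new_admin_account", "severity": "critical"},
]
# Ids the hypothetical "magic tool" kept; everything else vanished (assumed).
RETAINED_IDS = {3, 4}


def split_alerts(original, retained_ids):
    """Separate the tool's survivors from the alerts it silently dropped."""
    retained = [a for a in original if a["id"] in retained_ids]
    suppressed = [a for a in original if a["id"] not in retained_ids]
    return retained, suppressed


def suppression_by_rule(original, suppressed):
    """Per rule: (dropped, total). A rule at 100% dropped was silenced wholesale."""
    total = Counter(a["rule"] for a in original)
    dropped = Counter(a["rule"] for a in suppressed)
    return {rule: (dropped[rule], total[rule]) for rule in total}


def fully_silenced_rules(original, suppressed):
    """Rules where every alert vanished: the tool overrode the rule, not the noise."""
    stats = suppression_by_rule(original, suppressed)
    return sorted(r for r, (d, t) in stats.items() if d == t)


def review_sample(suppressed, per_rule=1, min_severity="high"):
    """Suppressed alerts an analyst must re-check: the worst per_rule alerts of
    each rule, plus every dropped alert at or above min_severity (never skipped)."""
    floor = SEVERITY_RANK[min_severity]
    by_rule = {}
    for a in sorted(suppressed, key=lambda a: (-SEVERITY_RANK[a["severity"]], a["id"])):
        chosen = by_rule.setdefault(a["rule"], [])
        if len(chosen) < per_rule or SEVERITY_RANK[a["severity"]] >= floor:
            chosen.append(a)
    return sorted((a for lst in by_rule.values() for a in lst), key=lambda a: a["id"])


if __name__ == "__main__":
    kept, gone = split_alerts(ORIGINAL_ALERTS, RETAINED_IDS)
    print(len(kept), "kept,", len(gone), "vanished; silenced:", fully_silenced_rules(ORIGINAL_ALERTS, gone))
    print("re-check ids:", [a["id"] for a in review_sample(gone)])
```

Two dropped critical/high alerts and two wholly silenced rules on an eight-alert sample is exactly the kind of finding a human has to explain before the tool's 17 survivors can be trusted.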

Blog posts on the security analytics topic:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


6 Comments

  • John Guzman says:

    Great observations Anton – again! Too many businesses think they have their bases covered, when in reality, they don’t. Tools are only as good as the experts utilizing them.

    • Thanks for the comment, John.

      > Tools are only as good as the experts utilizing them.

      You can say that and I can say that — and there will still be A LOT of businesses who will buy a box and NOT hire a person to run it…

  • Posted somewhat long comment on LinkedIn:
    https://www.linkedin.com/pulse/re-who-validates-alerts-validated-your-alert-software-igor-baikalov
    Very interesting topic, couldn’t resist.

  • Bob Pratt says:

    Anton, I definitely agree with your main point that these new products don’t replace the need for people who know what they are doing, but I think if someone gets a fewer alerts product that requires a security data scientist to use they bought a bad product.
    I couldn’t resist a longer response, including a Princess Bride reference, at http://caspida.blogspot.com/2015/03/fewer-alerts-vs-better-alerts.html

    • @Bob Thanks a lot for the comment. Indeed, I was a tiny bit harsh on the vendors, but then again – tuning a SIEM requires security-skilled resources, but tuning some of the novel tools DOES require both security- AND statistics-skilled people…