Here is a fun one: everybody whines that organizations have too many alerts, even the makers of the tools that produce alerts. Everybody! Everybody!! Everybody!!!
When people whine [which, BTW, I totally respect – whining is an essential human right, as we all know], their lamentations often obscure a few basic truths about alerts.
- Some organizations don’t have too many alerts, they just have too few people – their alerts are all legitimate alerts that need human triage; automation already did its job, now people must.
- An MSSP is often seen as “the solution to the alert problem” – but guess what the MSSP would send you?! Yup, ALERTS! Thus, it is not The Answer. Are there cases where the MSSP sends you ‘bad’ alerts that waste your time? You bet!
- If you have a magic Wand of Alert Handling, and you wave it – and achieve perfect [however defined!] alert handling, is that a WIN? Yes, a WIN – of a 1998 battle … in 2015.
- Specifically, perfect alert handling gives you NO recourse against things that do not produce an alert, not even a low-severity one. This is definitely the case for the “unknown unknowns” and likely also for the “known unknowns.”
- Still, we need alerts with better context, we need more automation, we need deeper data on endpoints/traffic, etc. – however, there will always be alerts, and some will be false. If your “false positive” rate is zero, I can bet anything that you are missing the important but weak signals… and they do matter!
There you have it — when you think of channeling all your energy towards better alert handling, keep this in mind!
P.S. I should really blog about vulnerability management, our current research. So, the next one will be on it….
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.