Five Basic Forgotten Security Alert Truths

By Anton Chuvakin | September 25, 2015


Here is a fun one: everybody whines that organizations have too many alerts, even the makers of the tools that produce alerts. Everybody! Everybody!! Everybody!!!

When people whine [which, BTW, I totally respect – whining is an essential human right, as we all know], their lamentations often obscure a few basic truths about alerts.

These are:

  1. Some organizations don’t have too many alerts, they just have too few people – their alerts are all legitimate alerts that need human triage; automation already did its job, now people must.
  2. MSSP is often seen as “solution for ‘alert problem’” – but guess what MSSP would send you?! Yup, ALERTS! Thus, it is not The Answer. Are there cases where MSSP sends you ‘bad’ alerts that waste your time? You bet!
  3. If you have a magic Wand of Alert Handling, and you wave it – and achieve perfect [however defined!] alert handling, is that a WIN? Yes, a WIN – of a 1998 battle … in 2015.
  4. Specifically, perfect alert handling does not give you ANY recourse against things that do not produce an alert, even a low severity one. This is definitely the case for the “unknown unknowns” and likely also for “known unknowns.”
  5. Still, we need alerts with better context, we need more automation, we need deeper data on endpoints/traffic, etc. – however, there will always be alerts, and some will be false. If your “false positive” rate is zero, I can bet anything that you are missing the important, but weak signals… and they do matter!

There you have it — when you think of channeling all your energy towards better alert handling, keep this in mind!

P.S. I should really blog about vulnerability management, our current research. So, the next one will be on it….

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


  • Matthew Gardiner says:

    I see old school SIEM MSSPs that collect logs and generate alerts of marginal value giving way to MSSP hosted virtual SOCs that take on much more of the detection and investigative load.

  • Matthew Gardiner says:

    And yes organizations definitely need deeper visibility by leveraging endpoint & network data! It doesn’t matter how good the analytics are if the underlying data doesn’t have the signal(s) in the first place.