Here is a fun one: everybody whines that organizations have too many alerts, even the makers of the tools that produce alerts. Everybody! Everybody!! Everybody!!!
When people whine [which, BTW, I totally respect – whining is an essential human right, as we all know], their lamentations often obscure a few basic truths about alerts.
- Some organizations don’t have too many alerts, they just have too few people – their alerts are all legitimate alerts that need human triage; automation already did its job, now people must.
- MSSP is often seen as “the solution for the ‘alert problem’” – but guess what MSSP would send you?! Yup, ALERTS! Thus, it is not The Answer. Are there cases where MSSP sends you ‘bad’ alerts that waste your time? You bet!
- If you have a magic Wand of Alert Handling, and you wave it – and achieve perfect [however defined!] alerts handling, is that a WIN? Yes, a WIN – of a 1998 battle … in 2015.
- Specifically, perfect alert handling does not give you ANY recourse against things that do not produce an alert, even a low severity one. This is definitely the case for the “unknown unknowns” and likely also for the “known unknowns.”
- Still, we need alerts with better context, we need more automation, we need deeper data on endpoints/traffic, etc – however, there will always be alerts, and some will be false. If your “false positive” rate is zero, I can bet anything that you are missing the important, but weak signals… and they do matter!
There you have it — when you think of channeling all your energy towards better alert handling, keep this in mind!
P.S. I should really blog about vulnerability management, our current research. So, the next one will be on it….