Cybersecurity – be prepared for alert fatigue and understand the context

13 Mar 2018

Every week it seems like there’s another major cyber security breach. Last year, credit ratings agency Equifax lost 147.9 million customer records, including social security numbers and other identifiers, after a web application wasn’t patched properly, giving hackers access to sensitive data.

Ride sharing company Uber was also subject to a breach in 2016, where hackers stole 57 million driver and customer records. Closer to home, the ‘Alf’ hack of a defence subcontractor saw commercially sensitive information stolen due to poor IT security, including the use of default passwords such as “guest” and “admin”.

While data breaches can often come down to difficulties with patch management processes, or the use of default user accounts and passwords, there are also other issues at play.

A lack of skilled IT personnel is a contributing factor. According to a Frost and Sullivan report – The 2017 Global Information Security Workforce Study – there will be a world-wide shortfall of 1.8 million information security professionals by 2022-3. In Australia, demand for cyber security related jobs is expected to grow by at least 21 per cent over the next five years.

In addition to the now well-recognised “cyber skills gap”, existing security teams are finding it difficult to keep up with the overwhelming number of alerts they need to wade through to find the actual incidents they should be investigating to stop the next breach.

The result is something we are seeing more and more of in organisations across the region – alert fatigue. How do we reduce the strain on existing security teams – especially when that team is a single person wearing multiple hats – and at the same time make it easier to bring in new staff and build their skills and confidence?

One of the common mistakes we see many organisations make is to simply add a new security tool every time a new threat emerges. A new type of virus or ransomware leads to a new anti-virus solution. We now have next-generation firewalls and intrusion prevention systems as well.

These are all incremental tools added to the existing tools to combat a specific security challenge. The downside of adding new tools is that, unless they are integrated into an environment where they work together, they simply create more alerts, which increases the workload and contributes even further to alert fatigue and potentially missed incidents.

Using integrated tools that provide a deeper level of visibility is one step an organisation can take to combat existing and emerging threats. But before investing in more tools, different parts of the organisation need to start talking to each other more. This means that IT needs to talk to the board and business owners about where their information crown jewels live, and what that valuable data is.

Part of this process is conducting a business risk assessment to figure out what is being protected, and, at a very core level, what the business exists for. This is almost an existential question, focused on what an organisation does, and why it does it. This process will also inform a crucial understanding of what would happen to the company if that valuable information was stolen or exposed in a breach.

For some businesses, that critical information will be customer and credit card data. For others it will be their “secret sauce”: intellectual property, competitor intelligence, or merger and acquisition plans. In the case of the ‘Alf’ hack, it was sensitive defence plans and information.

For Equifax, it was consumer credit information, while with Uber, the lost data was credit card and identity information. What’s valuable will vary from organisation to organisation, and understanding where that valuable information exists is essential to provide security staff with the business context they need to do their jobs well.

Once an organisation knows what that valuable information is, then an additional step to add context is understanding what systems that data lives on, where any dependencies are, and how they are connected, both internally and to the rest of the world. A server that works as the front end to an application might also have connections to another server containing valuable data, or it might contain valuable information itself.

When it becomes clear where information lives, it makes it easier for security staff to respond to an alert. Having centralised context data means that when an alert is raised, IT doesn't need to spend hours trawling through spreadsheets or other information sources in an attempt to understand what systems are involved.

By providing an understanding of the business, and putting the business context into an alert when a ticket is raised, the amount of time needed to investigate it is dramatically reduced – helping to reduce the aforementioned alert fatigue.

Because they have the full picture at hand, staff can then also determine whether an alert requires further investigation. This in turn cuts down on alert fatigue, and allows security departments and security personnel to maximise their time spent policing the electronic borders of the company against major threats rather than chasing down false alerts.
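The context-enriched triage the preceding paragraphs describe, as an added example that is not code from the article or from RSA. The asset inventory, dependency links, data classifications and alert records are constructed sample data, and the priority thresholds are an assumption; the example also walks dependency links so a front-end server inherits the value of the data it can reach, as the article notes.

```python
from collections import deque

# Constructed asset inventory: host -> data classification and the hosts it connects to.
# In practice this is the output of the business risk assessment and dependency mapping.
ASSETS = {
    "web-01":   {"data": "public",       "depends_on": ["app-01"]},
    "app-01":   {"data": "internal",     "depends_on": ["db-01"]},
    "db-01":    {"data": "customer_pii", "depends_on": []},
    "kiosk-07": {"data": "public",       "depends_on": []},
}

# Business value of each data class (assumed ranking; the "crown jewels" score highest).
DATA_VALUE = {"public": 1, "internal": 2, "customer_pii": 4}


def reachable_data(host):
    """Highest data value reachable from host via its dependency links (breadth-first)."""
    seen, queue, best = set(), deque([host]), 0
    while queue:
        h = queue.popleft()
        if h in seen or h not in ASSETS:
            continue
        seen.add(h)
        best = max(best, DATA_VALUE[ASSETS[h]["data"]])
        queue.extend(ASSETS[h]["depends_on"])
    return best


def enrich(alert):
    """Attach business context and a triage priority to a raw alert dict."""
    asset = ASSETS.get(alert["host"])
    if asset is None:
        # Unknown host: the inventory has a gap, so the alert cannot be prioritised yet.
        return {**alert, "known": False, "priority": "review-inventory"}
    value = reachable_data(alert["host"])
    priority = "high" if value >= 4 else "medium" if value >= 2 else "low"
    return {**alert, "known": True, "data_reach": value, "priority": priority}


# Constructed alerts: the same rule fires on two hosts with very different context.
ALERTS = [
    {"id": 1, "host": "web-01",    "rule": "suspicious outbound connection"},
    {"id": 2, "host": "kiosk-07",  "rule": "suspicious outbound connection"},
    {"id": 3, "host": "printer-3", "rule": "port scan"},
]


def triage(alerts=ALERTS):
    """Return enriched alerts ordered so analysts see the most important ones first."""
    order = {"high": 0, "medium": 1, "review-inventory": 2, "low": 3}
    return sorted((enrich(a) for a in alerts), key=lambda a: order[a["priority"]])
```

The two "suspicious outbound connection" alerts are identical without context; with the inventory attached, the one on the web front end that reaches customer data is queued first and the kiosk alert drops to the bottom.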

Alert fatigue is real. By providing context and business understanding, organisations can cut down on this fatigue, and gain an understanding of what they need to protect, in order to stay out of the news headlines and remain in business for today, and tomorrow.

Article by RSA advisory systems engineer, Chris Thomas.
