An organization’s ability to respond to security threats depends on how quickly it can spot those threats in all of the alert data generated by its detection systems. Too much data can complicate matters just as significantly as too little of it.
Drowning in data
Studies show that security teams at many organizations are drowning in so much log, alert and threat data from their internal systems and external intelligence feeds that they are having a difficult time making sense of it all.
Nearly three-quarters of the respondents in a survey of 125 organizations conducted by the Enterprise Strategy Group said that they ignore alerts from their IT security systems because of the sheer volume of data.
In a separate Ponemon Institute survey, around seventy percent of organizations that have implemented a threat intelligence capability (one that combines data from internal systems with external threat feeds) said they were getting no actionable information because of data overload.
In many cases, the surveys showed, the situation is the result of security organizations not having enough staff, not having the right technology, or both. Organizations must address this problem, because the cost of missing an alert is measured in dwell time.
In recent years, threat actors have shown a consistent ability to get past enterprise defenses and lurk inside networks for months — sometimes even years — without being noticed. Organizations need the ability to spot and weed out such intruders before they do major harm.
Here are some tips for managing data overload.
Implement a SIEM capability
A security information and event management (SIEM) system gives organizations a way to collect and centralize log data and alerts from their network, application and host-based security systems. It enables near real-time correlation and analysis of data from multiple sources, so security teams can identify threats that no single source would reveal on its own, such as a burst of failed logins in one log followed by unusual outbound traffic in another.
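To make the correlation point concrete, here is an added example (not code from the original article or from any SIEM vendor) of the kind of cross-source rule a SIEM runs. It parses constructed sample lines from an SSH authentication log and a firewall log, joins them through a constructed asset inventory that maps hostnames to IP addresses, and flags a host where several failed logins are followed by a successful login and then an outbound connection to an external address. The log formats, hostnames, addresses, thresholds and the 10.0.0.0/8 "internal" range are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not real data): two sources, two formats.
AUTH_LOG = """\
2023-03-01T09:00:01Z web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51000 ssh2
2023-03-01T09:00:04Z web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2023-03-01T09:00:08Z web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2023-03-01T09:00:15Z web01 sshd[2201]: Accepted password for admin from 203.0.113.7 port 51003 ssh2
2023-03-01T09:30:00Z web02 sshd[2310]: Failed password for deploy from 10.0.0.5 port 40000 ssh2
2023-03-01T09:35:00Z web02 sshd[2311]: Accepted publickey for deploy from 10.0.0.5 port 40001 ssh2
"""
FIREWALL_LOG = """\
2023-03-01T09:01:02Z fw01 action=allow src=10.0.0.12 dst=198.51.100.9 dport=443
2023-03-01T09:36:00Z fw01 action=allow src=10.0.0.13 dst=10.0.0.20 dport=5432
"""
# Constructed asset inventory: the enrichment that lets a SIEM join a hostname
# seen in one source with an IP address seen in another.
ASSETS = {"web01": "10.0.0.12", "web02": "10.0.0.13"}

AUTH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) \S+ for (\S+) from (\S+) port")
FW_RE = re.compile(r"^(\S+) \S+ action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_auth(text):
    """Normalise sshd lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            events.append({"ts": parse_ts(ts), "host": host, "outcome": outcome,
                           "user": user, "src": src})
    return events


def parse_firewall(text):
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst, dport = m.groups()
            events.append({"ts": parse_ts(ts), "action": action, "src": src,
                           "dst": dst, "dport": int(dport)})
    return events


def is_internal(ip):
    # Assumption for this example: 10.0.0.0/8 is the internal address range.
    return ip.startswith("10.")


def correlate(auth_events, fw_events, fail_threshold=3, fail_window=timedelta(seconds=60),
              success_window=timedelta(minutes=5), egress_window=timedelta(minutes=10)):
    """Flag (host, src) pairs where at least fail_threshold failures inside fail_window
    are followed by a success within success_window. Raise the severity when the host
    then opens an allowed outbound connection to an external address within egress_window."""
    by_pair = defaultdict(list)
    for e in sorted(auth_events, key=lambda e: e["ts"]):
        by_pair[(e["host"], e["src"])].append(e)
    alerts = []
    for (host, src), evs in by_pair.items():
        fails = [e["ts"] for e in evs if e["outcome"] == "Failed"]
        for e in evs:
            if e["outcome"] != "Accepted":
                continue
            recent = [t for t in fails if e["ts"] - success_window <= t <= e["ts"]]
            if len(recent) < fail_threshold or recent[-1] - recent[-fail_threshold] > fail_window:
                continue  # a single typo before a good login is not a brute force
            alert = {"host": host, "src": src, "user": e["user"], "ts": e["ts"],
                     "rule": "brute_force_then_success", "severity": "medium"}
            host_ip = ASSETS.get(host)
            for f in fw_events:
                if (f["src"] == host_ip and f["action"] == "allow" and not is_internal(f["dst"])
                        and e["ts"] <= f["ts"] <= e["ts"] + egress_window):
                    alert["severity"] = "high"
                    alert["egress"] = f"{f['dst']}:{f['dport']}"
                    break
            alerts.append(alert)
    return alerts


def run():
    return correlate(parse_auth(AUTH_LOG), parse_firewall(FIREWALL_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data only web01 fires: three failures in seven seconds, a success, then an allowed connection to 198.51.100.9:443 lifts the alert to high. The single failure on web02 stays below the threshold, which is the point of correlating rather than alerting on every failed login.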
Large organizations have used SIEM for years but smaller and midsize firms have tended to shy away from the technology because of the perceived cost and complexity associated with it. Many believe that without the proper operational processes in place, SIEM tools actually contribute to the data overload issue as much as any other factor.
But SIEM remains a central point for enterprise security monitoring, and organizations of almost any size can benefit from it. Multiple vendors offer SIEM as a managed service for those that do not have the resources or are unwilling to implement the capability on their own.
Watch out for those threat feeds
External threat feeds give organizations context about the threats they face and help them decide on a proper response. They let organizations compare indicators of compromise and related artifacts gathered from external sources, such as URLs, IP addresses, domains and file hashes, against internal telemetry, so that a match can be detected, investigated and blocked across the enterprise more quickly.
The key to extracting value from such data lies in being selective about the feeds to which you subscribe. Having too many feeds only complicates matters and often results in duplicative data or data that is not relevant to your specific situation pouring in.
When signing up for a threat feed, make sure the data you are getting is useful and helps add context to your internal telemetry. Your threat feeds should help you get an idea of the threats that are specific to your organization so you know how to prioritize a response. Anything else is redundant and only adds to threat overload.
Merge threat intelligence and SIEM
Organizations that have implemented a threat intelligence capability should consider integrating data from their external feeds with the data in their SIEM system. Such integration makes it easier for security teams to compare threat and attack artifacts, such as IP addresses, domains, URLs and file hashes, gathered from external sources with log and alert data from internal systems. It enables quicker evaluation of external threat information and helps organizations prioritize their response more efficiently.
Current-generation SIEM tools can consume only so much threat data, so be selective about what you pour into them: a large feed of low-confidence or irrelevant indicators mostly generates false positives and adds to the overload. Integrating threat intelligence feeds with SIEM can also be challenging for many organizations, but numerous services and platforms are available to help you achieve that goal.
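The two preceding sections describe selecting and de-duplicating feeds and then matching their indicators against internal telemetry. The following added example (not code from the original article or from any feed or SIEM product) does both on constructed data: it loads two overlapping feeds in different formats, normalizes and merges their indicators so duplicates collapse into one record with the union of tags and the highest confidence, drops low-confidence entries, marks the rest as relevant or not against a constructed organizational profile, and then matches them against constructed proxy log lines. The feed formats, tag names, confidence threshold, profile and log layout are all assumptions made for the example.

```python
import csv
import io
import json
from urllib.parse import urlsplit

# Constructed feeds (not real intelligence). Feed A is CSV, feed B is JSON, and
# they carry overlapping indicators written in inconsistent forms.
FEED_A = """\
type,value,tags,confidence
ip,203.0.113.7,payment-skimmer;retail,80
domain,Evil-Cdn.Example.,payment-skimmer,70
url,http://evil-cdn.example/loader.js,payment-skimmer;retail,90
ip,198.51.100.50,ddos-botnet,60
"""
FEED_B = json.dumps([
    {"indicator": "203.0.113.7", "kind": "ipv4", "labels": ["retail"], "score": 60},
    {"indicator": "evil-cdn.example", "kind": "fqdn", "labels": ["payment-skimmer"], "score": 75},
    {"indicator": "HTTP://EVIL-CDN.EXAMPLE/loader.js", "kind": "url", "labels": [], "score": 50},
    {"indicator": "192.0.2.33", "kind": "ipv4", "labels": ["generic-scanner"], "score": 20},
])
# Constructed profile: what makes this (hypothetical retail) organization a target.
PROFILE_TAGS = {"payment-skimmer", "retail"}
# Constructed proxy log in key=value form.
PROXY_LOG = """\
ts=2023-03-01T10:00:00Z src=10.0.0.12 dst=203.0.113.7 host=evil-cdn.example url=http://evil-cdn.example/loader.js
ts=2023-03-01T10:00:05Z src=10.0.0.13 dst=93.184.216.34 host=example.com url=https://example.com/
ts=2023-03-01T10:00:09Z src=10.0.0.14 dst=192.0.2.33 host=192.0.2.33 url=http://192.0.2.33/
"""


def normalize(kind, value):
    """Map feed-specific type names and spellings onto one canonical key."""
    kind = {"ipv4": "ip", "fqdn": "domain"}.get(kind, kind)
    value = value.strip()
    if kind == "domain":
        value = value.lower().rstrip(".")
    elif kind == "url":
        p = urlsplit(value)
        value = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"
    return kind, value


def load_feed_a(text):
    for row in csv.DictReader(io.StringIO(text)):
        tags = set(filter(None, row["tags"].split(";")))
        yield row["type"], row["value"], tags, int(row["confidence"]), "feed_a"


def load_feed_b(text):
    for item in json.loads(text):
        yield item["kind"], item["indicator"], set(item["labels"]), int(item["score"]), "feed_b"


def merge(*feeds):
    """Collapse duplicate indicators: union of tags, max confidence, list of sources."""
    merged = {}
    for feed in feeds:
        for kind, value, tags, conf, source in feed:
            rec = merged.setdefault(normalize(kind, value),
                                    {"tags": set(), "confidence": 0, "sources": set()})
            rec["tags"] |= tags
            rec["confidence"] = max(rec["confidence"], conf)
            rec["sources"].add(source)
    return merged


def prioritize(merged, profile_tags=PROFILE_TAGS, min_confidence=50):
    """Drop low-confidence noise and flag indicators relevant to this organization."""
    return {key: dict(rec, relevant=bool(rec["tags"] & profile_tags))
            for key, rec in merged.items() if rec["confidence"] >= min_confidence}


def parse_kv(line):
    return dict(field.split("=", 1) for field in line.split())


def match_logs(indicators, text):
    """Compare each log line's destination IP, host and URL against the indicator set."""
    hits = []
    for line in text.splitlines():
        ev = parse_kv(line)
        for kind, value in (("ip", ev.get("dst", "")), ("domain", ev.get("host", "")),
                            ("url", ev.get("url", ""))):
            key = normalize(kind, value)
            rec = indicators.get(key)
            if rec:
                hits.append({"ts": ev["ts"], "src": ev["src"], "ioc": key,
                             "confidence": rec["confidence"],
                             "priority": "high" if rec["relevant"] else "low",
                             "sources": sorted(rec["sources"])})
    return hits


def run():
    indicators = prioritize(merge(load_feed_a(FEED_A), load_feed_b(FEED_B)))
    return match_logs(indicators, PROXY_LOG)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

Two feeds with eight entries collapse to four usable indicators; the generic scanner address is dropped for low confidence, so the third log line produces no alert even though it touches that address, and the three hits from the first line are all marked high because their tags match the profile. The DDoS botnet address is kept but would only ever produce a low-priority hit, which is the feed-selection argument made above expressed as a rule.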
Know what makes you a target
Knowing what makes your organization appealing from a cybercriminal's point of view can help you focus your resources on the threats that matter the most. If you know, for example, that threat actors are going to be most interested in your organization because you handle credit and debit card data, focus on data that indicates threats directed against your payment systems and networks.
Subscribe to feeds that give you information on attacks and threats directed against organizations similar to yours. Similarly, if the primary concern is service disruption or outage, focus on collecting and analyzing data that indicates threats to your ability to deliver uninterrupted service, such as DDoS attacks.
While you cannot ignore other threats to your organization, focusing on the ones that matter the most can help you prioritize responses and ensure optimal use of your security resources.
How have you dealt with the increase in data? Are you looking for more advice? Let us know in the comments and we can help you set up a plan to tackle the overload and build a manageable environment.