One of the challenges of modern threat protection solutions is the sheer number of alerts they generate. IT security teams today are already inundated with alerts – resulting in “alert fatigue”. A survey by the Cloud Security Alliance recently found that half of enterprises have six or more tools that generate security alerts. Among IT security professionals, 40.4% say that the alerts they receive lack actionable intelligence to investigate and another 31.9% report that they ignore alerts because so many are false positives. With the enormous volume of events generated by cloud usage – an average of 2 billion transactions each month at the average enterprise – it’s important that a cloud threat protection solution not add to this noise.
So why is alert fatigue dangerous and how can enterprises minimize it? A recurring pattern in high-profile data breaches is that intrusion alerts and alarms do go off, but due to the sheer number of alerts being triggered, they simply get ignored. In the Target breach of 2014, which cost the company $252 million and led to the resignation of its CIO and CEO, one of the company’s security products correctly detected the breach. However, due to the high volume of alerts and the frequency of false alerts, the company’s IT security team ignored it.
Alert fatigue is a serious barrier to effectively stopping threats to data. As mentioned earlier, 40.4% of IT professionals claim that the alerts they receive lack actionable insight they need to investigate, while 27.7% of respondents stated they experience incidents which don’t generate alerts at all. Alarmingly, 31.9% said they ignore alerts due to the high frequency of false positives. The cloud further exacerbates the situation. The average enterprise generates 2 billion cloud-related events a month, which could result in many unnecessary alerts. With this volume of transactions, cloud security solutions require high levels of alert accuracy.
The Cloud Threat Funnel
One way to reduce excessive false alerts is to think about cloud threats in terms of a funnel. The average enterprise generates over 2.7 billion actions in cloud services per month (e.g. login, upload, comment), of which 2,542, on average, are anomalous. An anomalous event is one that falls outside behavioral norms and could indicate a potential incident. For example, a user logging in to Salesforce in Seattle and then logging in to her OneDrive account from London five minutes later is anomalous: it could indicate a compromised account, but it could also mean she signed on to a VPN. Of the 2,542 anomalous events, only 23.2 are actual threats, a ratio of nearly 110:1 that reveals the potential scale of false positive alerts.
Taken together, the average enterprise experiences 23.2 cloud-based threats each month, including:
- 10.9 insider threats – such as a user downloading sensitive data from SharePoint Online and taking it when they join a competitor
- 3.3 privileged user threats – such as an administrator provisioning excessive permissions to a user relative to their role
- 6.2 compromised accounts – such as an unauthorized third party logging in to a corporate Office 365 account using stolen credentials
- 2.8 data exfiltration events – such as malware on a corporate laptop that exfiltrates data from an on-premises SAP application via Twitter, 140 characters at a time
Anomaly detection approaches today can sift through 2.7 billion events and reduce them to 2,542 anomalous events that appear abnormal. That number is still far too high for IT security teams to investigate each one. The challenge is how an IT security professional can sift through all the anomalous events and pinpoint the needle in the haystack without investigating every anomaly, and how an organization builds out the processes, people, and technology to focus on the 23.2 actual threats against a backdrop of noise created by everyday cloud usage.
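To make the funnel concrete, here is an added example (not code from the original article or from any vendor product) that runs the two stages over a handful of constructed login events: stage one flags "impossible travel" between a user's consecutive logins, as in the Seattle/London case above, and stage two suppresses anomalies that a known corporate VPN egress location explains, leaving the likely threats for analysts. The city coordinates, the VPN egress list, the 900 km/h plausibility threshold and the sample events are all assumptions made for this example.

```python
"""Two-stage cloud threat funnel: raw events -> anomalies -> likely threats.

Added illustration; the thresholds, locations and events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed city -> (lat, lon) lookup standing in for IP geolocation.
CITY_COORDS = {
    "Seattle": (47.6062, -122.3321),
    "London": (51.5074, -0.1278),
    "Tokyo": (35.6762, 139.6503),
}

# Hypothetical corporate VPN egress location: a login that appears to come
# from here right after one from elsewhere is an expected, benign pattern.
VPN_EGRESS_CITIES = {"London"}

# Assumed upper bound on plausible travel speed (roughly airliner cruise).
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class Event:
    user: str
    service: str
    action: str
    city: str
    ts: datetime


@dataclass(frozen=True)
class Anomaly:
    user: str
    first: Event
    second: Event
    speed_kmh: float


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_anomalies(events):
    """Stage 1: flag consecutive logins per user that imply implausible travel."""
    anomalies = []
    last_login = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action != "login":
            continue  # only logins carry a location we compare
        prev = last_login.get(e.user)
        if prev is not None and prev.city != e.city:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            dist = haversine_km(CITY_COORDS[prev.city], CITY_COORDS[e.city])
            speed = dist / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                anomalies.append(Anomaly(e.user, prev, e, speed))
        last_login[e.user] = e
    return anomalies


def triage(anomalies):
    """Stage 2: drop anomalies where either login came via corporate VPN egress."""
    return [
        a for a in anomalies
        if a.first.city not in VPN_EGRESS_CITIES
        and a.second.city not in VPN_EGRESS_CITIES
    ]


def funnel_counts(events):
    """Return (raw events, anomalies, likely threats) for a batch of events."""
    anomalies = detect_anomalies(events)
    return len(events), len(anomalies), len(triage(anomalies))


# Constructed sample batch: alice is the VPN case, bob is the real concern,
# carol never changes city, dave's 12-hour Seattle->London trip is plausible.
T = lambda h, m: datetime(2024, 1, 15, h, m)
SAMPLE_EVENTS = [
    Event("alice", "Salesforce", "login", "Seattle", T(9, 0)),
    Event("alice", "OneDrive", "login", "London", T(9, 5)),
    Event("bob", "Office365", "login", "Seattle", T(9, 0)),
    Event("bob", "Office365", "login", "Tokyo", T(9, 5)),
    Event("carol", "SharePoint", "login", "Seattle", T(9, 0)),
    Event("carol", "SharePoint", "upload", "Seattle", T(9, 1)),
    Event("carol", "SharePoint", "login", "Seattle", T(10, 0)),
    Event("dave", "Salesforce", "login", "Seattle", T(8, 0)),
    Event("dave", "Salesforce", "login", "London", T(20, 0)),
]

if __name__ == "__main__":
    raw, anomalous, threats = funnel_counts(SAMPLE_EVENTS)
    print(f"events={raw} anomalies={anomalous} likely_threats={threats}")
    for a in triage(detect_anomalies(SAMPLE_EVENTS)):
        print(f"{a.user}: {a.first.city} -> {a.second.city} at {a.speed_kmh:.0f} km/h")
```

The second stage is where the noise reduction happens: the raw anomaly detector fires on both alice and bob, but only bob survives triage because no benign explanation (the VPN egress point) accounts for the jump. Real deployments replace the static egress list with richer context such as known corporate IP ranges or device identity, and the same two-stage shape applies.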
While it may be difficult for a human to differentiate a false alarm from an actual threat without investigating every anomaly, advances in data science are making it possible for software to perform this task with high rates of accuracy. Today, technology solutions can detect patterns of behavior that deviate from the norm, even in subtle ways that would be difficult to capture in a rule covering all user activities. By narrowing anomalous events down to a small number of likely threats, machine learning models make it possible for IT security teams to focus on actual threats. Get a free copy of the Definitive Guide to Cloud Threat Protection ebook to learn more.