
Drowning In Data – The Event Fatigue Problem

by Smokescreen Team

Event fatigue

Modern security systems generate a flood of alerts and logs for security teams to look at, and the result is event fatigue. Alert queues have become like email inboxes. You start with a clean slate, but over time you accumulate messages you don't want. Before you know it, you've stopped looking at most of them, and it becomes highly probable that you'll miss something important. Unbelievably, it's considered perfectly 'normal' for a security solution to generate hundreds or thousands of alerts for the hapless defender to sift through. Approaches such as machine learning and correlation are supposed to help, but in practice they mostly make post-mortem analysis easier: they organise the evidence after the fact rather than cutting the volume that has to be looked at in real time.

'Event fatigue' is a real concern. It's no surprise to seasoned security professionals to find that the alerts from monitoring systems are ignored, or even worse, disabled, often in the name of 'tuning' the system.

The consequences? Public information has it that Target Corp's anti-malware solution faithfully raised alerts about a possible malicious binary during the 2013 breach, and that those alerts were ignored.

Only after an analyst has waded through the log data, analysed the events and removed the false positives can they deal with the actual threats.

In practice, this process rarely happens before an incident, because it's so expensive and time-consuming. Nobody has the time to proactively convert gigabytes of data into meaningful information. It only happens after an incident, when the logs are pulled for forensics.

Is there a better way? Why not design systems that only alert when something meaningful has actually happened? When the event itself is the anomaly, you save time and money, and you can actually get around to dealing with real threats.

This is one of the primary benefits of decoy-based systems. A decoy serves no production purpose, so no legitimate user or service has a reason to touch it: by design, any traffic to it is suspect, and any event is an alert that requires your attention. The few benign exceptions, such as authorized vulnerability scanners, are known in advance and can be allowlisted explicitly, which is a far smaller tuning job than taming a general-purpose alert stream.
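To make the "event is the anomaly" idea concrete, here is a small triage script added for this article (it is example code, not Smokescreen's or IllusionBLACK's logic). It assumes a constructed syslog-like connection log format, a hypothetical decoy inventory, and a hypothetical allowlist for an authorized scanner; the sample records are constructed for the demo. Production traffic is skipped entirely, and the interactions with decoys are collapsed into one alert per source, so a dozen-odd raw records reduce to a single alert that actually needs a human.

```python
"""
Decoy-interaction triage over a constructed connection log.

Added example for this article; it is not Smokescreen's or IllusionBLACK's
code. The record format, the decoy inventory and the scanner allowlist are
hypothetical, and the sample records below are constructed for the demo.
"""
import re
from dataclasses import dataclass, field

# Hypothetical decoy inventory: hosts with no production role, so nothing
# legitimate should ever connect to them.
DECOYS = {
    "10.0.5.50": "decoy-fileserver",
    "10.0.5.51": "decoy-db",
    "10.0.9.9": "decoy-admin-jump",
}

# Hypothetical allowlist: the one expected benign visitor to a decoy is an
# authorized vulnerability scanner. This is the whole "tuning" job.
AUTHORIZED_SCANNERS = {"10.0.1.10"}

# Constructed record format: "<ts> <src> -> <dst>:<port> <proto> <action>"
RECORD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<proto>\S+) (?P<action>\S+)$"
)


@dataclass
class DecoyAlert:
    """One alert per source address, however many raw events it produced."""
    src: str
    first_seen: str
    last_seen: str
    events: int = 0
    decoys: dict = field(default_factory=dict)  # decoy name -> set of ports

    @property
    def severity(self):
        # Touching several decoys looks like enumeration or lateral movement
        # rather than a one-off mistake.
        return "high" if len(self.decoys) > 1 else "medium"


def parse_record(line):
    """Return a dict for a well-formed record, or None for junk lines."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def triage(lines):
    """Reduce a raw connection log to decoy alerts.

    Returns (records_seen, decoy_events, alerts). Production traffic is not
    examined at all: only interactions with decoys need eyes on them.
    """
    alerts = {}
    records_seen = decoy_events = 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        records_seen += 1
        decoy_name = DECOYS.get(rec["dst"])
        if decoy_name is None:
            continue  # production traffic: skipped
        decoy_events += 1
        if rec["src"] in AUTHORIZED_SCANNERS:
            continue  # the one known benign visitor
        alert = alerts.get(rec["src"])
        if alert is None:
            alert = DecoyAlert(src=rec["src"], first_seen=rec["ts"], last_seen=rec["ts"])
            alerts[rec["src"]] = alert
        alert.last_seen = rec["ts"]
        alert.events += 1
        alert.decoys.setdefault(decoy_name, set()).add(rec["port"])
    return records_seen, decoy_events, list(alerts.values())


# Constructed sample: ordinary office traffic, an authorized scan of two
# decoys, one host walking SMB, SQL and RDP on three decoys, and a junk line.
SAMPLE_LOG = """\
2021-03-02T09:00:01Z 10.0.2.14 -> 10.0.4.20:443 tcp allow
2021-03-02T09:00:02Z 10.0.2.15 -> 10.0.4.20:443 tcp allow
2021-03-02T09:00:03Z 10.0.2.16 -> 10.0.4.21:53 udp allow
2021-03-02T09:00:04Z 10.0.2.14 -> 10.0.4.22:445 tcp allow
2021-03-02T09:00:05Z 10.0.1.10 -> 10.0.5.50:445 tcp allow
2021-03-02T09:00:06Z 10.0.1.10 -> 10.0.5.51:1433 tcp allow
2021-03-02T09:00:07Z 10.0.2.17 -> 10.0.4.20:443 tcp allow
2021-03-02T09:01:10Z 10.0.3.77 -> 10.0.5.50:445 tcp allow
2021-03-02T09:01:11Z 10.0.3.77 -> 10.0.5.50:139 tcp allow
2021-03-02T09:01:12Z 10.0.3.77 -> 10.0.5.51:1433 tcp allow
2021-03-02T09:01:13Z 10.0.3.77 -> 10.0.9.9:3389 tcp allow
2021-03-02T09:01:14Z 10.0.2.18 -> 10.0.4.20:443 tcp allow
this line is not a connection record
2021-03-02T09:02:00Z 10.0.2.14 -> 10.0.4.23:22 tcp deny
""".splitlines()


def demo():
    """Triage the constructed sample and summarise the reduction as text."""
    records_seen, decoy_events, alerts = triage(SAMPLE_LOG)
    out = [f"{records_seen} records, {decoy_events} touched a decoy, {len(alerts)} alert(s)"]
    for a in alerts:
        touched = ", ".join(f"{n}:{sorted(p)}" for n, p in sorted(a.decoys.items()))
        out.append(f"[{a.severity}] {a.src} {a.first_seen}..{a.last_seen} {a.events} events -> {touched}")
    return "\n".join(out)


if __name__ == "__main__":
    print(demo())
```

Run as a script it reports 13 records, 6 decoy events and 1 alert: the scanner's two touches are dropped by the allowlist, and 10.0.3.77's four probes across three decoys become a single high-severity alert. The aggregation matters as much as the filtering: without it, a source sweeping decoys on many ports would re-create exactly the alert flood the decoys were meant to avoid.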

We’ve all tried the old way. It didn’t work. It’s time for something better.

    © 2015-2021 Smokescreen. All rights reserved.
