The latest news in the recent Target breach is that Target's security team was alerted to irregularities in its systems, yet it took almost two weeks to act on them:
“The disclosure came after Bloomberg Businessweek reported on Thursday that Target’s security team in Bangalore had received alerts from a FireEye Inc security system on November 30 after the attack was launched and sent them to Target headquarters in Minneapolis.
The FireEye reports indicated malicious software had appeared in the system, according to a person whom Bloomberg Businessweek had consulted on Target’s investigation but was not authorized to speak publicly on the matter.
The alert from FireEye labeled the threat with the generic name “malware.binary,” according to Bloomberg Businessweek. Two security experts who advise organizations in responding to cyber attacks and both have experience using FireEye technology said that security personnel typically don’t get excited about such generic alerts because FireEye does not provide much information about those threats.
The experts said that they believed it was likely that Target’s security team received hundreds of such alerts on a daily basis, which would have made it tough to have singled out that threat as being particularly malicious.
‘They are bombarded with alerts. They get so many that they just don’t respond to everything,’ said Shane Shook, an executive with Cylance Inc. ‘It is completely understandable how this happened.’
John Strand, owner of Black Hills Information Security, said that it was easy to paint Target as being incompetent, given the severity of the breach, but that it was not fair to do so.
‘Target is a huge organization. They probably get hundreds of these alerts a day,’ he said. ‘We can always look for someone to blame. Sometimes it just doesn’t work that way.’”
Read the full article from Reuters here.
What can we learn from Target?
Unfortunately, we see this situation almost every day in our customers’ data centers. As companies add more and more IT monitoring tools, they compound the number of alerts they receive. The result? Alert overload … and the inability to tell what is important – and needs immediate attention – from background “noise.”
What can you do to protect yourself?
AccelOps helps companies understand the difference between alert “noise” and what needs immediate action. Our customers are able to consolidate and prioritize information from multiple sources and understand both context (how things interact together) and the facts (who, what, where, when, why and how).
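To make that kind of context-based prioritization concrete, here is an added example (not AccelOps code) that collapses duplicate generic alerts per host and scores each host by asset zone and by corroborating events from a second telemetry source, so one “malware.binary” alert on a payment-segment host with new outbound connections rises above identical alerts on ordinary workstations. The host names, zones, weights and events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the article): generic sandbox-style alerts
# from many hosts, an asset inventory for business context, and a second
# source recording first-seen outbound connections. All values are made up.
ALERTS = [
    {"ts": "2013-11-30T02:10:00", "host": "ws-1042", "name": "malware.binary"},
    {"ts": "2013-11-30T02:11:00", "host": "ws-0087", "name": "malware.binary"},
    {"ts": "2013-11-30T02:13:00", "host": "pos-upd-01", "name": "malware.binary"},
    {"ts": "2013-11-30T02:14:00", "host": "ws-0087", "name": "malware.binary"},
    {"ts": "2013-11-30T02:20:00", "host": "ws-2200", "name": "adware.generic"},
]
ASSETS = {"pos-upd-01": "payment", "ws-1042": "corp"}  # unknown hosts -> "corp"
NET_EVENTS = [
    {"ts": "2013-11-30T02:25:00", "host": "pos-upd-01", "dst": "198.51.100.7:443"},
    {"ts": "2013-11-30T02:30:00", "host": "ws-2200", "dst": "203.0.113.9:80"},
]

ZONE_WEIGHT = {"payment": 50, "corp": 5}  # "where": value of the asset
WINDOW = timedelta(hours=1)               # "when": corroboration window


def _t(s):
    return datetime.fromisoformat(s)


def prioritize(alerts, assets, net_events, window=WINDOW):
    """Return hosts ordered by how urgently their alerts deserve attention."""
    by_host = defaultdict(list)
    for a in alerts:                      # consolidate: one entry per host
        by_host[a["host"]].append(a)
    results = []
    for host, host_alerts in by_host.items():
        zone = assets.get(host, "corp")
        score = ZONE_WEIGHT.get(zone, 5)
        score += 2 * len(host_alerts)     # repeats raise the score only a little
        first = min(_t(a["ts"]) for a in host_alerts)
        # A second, independent source reporting the same host shortly after
        # the alert is the strongest signal, so it dominates the score.
        corroborating = [e for e in net_events if e["host"] == host
                         and timedelta(0) <= _t(e["ts"]) - first <= window]
        score += 40 * len(corroborating)
        results.append({"host": host, "zone": zone, "score": score,
                        "alerts": len(host_alerts),
                        "corroborating": len(corroborating)})
    return sorted(results, key=lambda r: r["score"], reverse=True)
```

With this data the payment-segment host scores 92 and sorts first, while the two corp workstations with only generic alerts fall to the bottom at 9 and 7.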
Contact us if you’d like to talk about how to understand and make sense of your alerts. We’re here to help.