Curing security alert fatigue while still protecting your cloud infrastructure
The results of a recent survey published by the Cloud Security Alliance reveal that security professionals often feel deluged by alerts and notices, causing them to have “alert fatigue.”
Two important findings of the survey show that:
4% of IT security professionals say that the alerts they receive lack the actionable intelligence needed to investigate them, and another 31.9% report that they ignore alerts because so many are false positives.
The average enterprise generates nearly 2.7 billion actions in cloud services per month (e.g. login, upload, comment), of which 2.5 trillion on average are anomalous. Of all those events, only 23.2 billion are actual threats, a ratio of nearly 110:1.
The challenge IT security professionals face is sorting through these alerts and informational messages. They know that some of these messages are important and require immediate attention.
Other messages provide useful information, but don’t require immediate attention. Still other messages just represent the normal functions in the enterprise or cloud computing environment and don’t require attention at all.
Unfortunately, IT professionals can’t easily determine what class of alert the messages represent until they’ve examined them, and important messages are being missed in the deluge of other messages.
Security analytics (on-premises or cloud) should be interconnected with the data they analyze at a more fundamental level, so that staff no longer need to examine each alert or informational message, evaluate every detail of the events leading up to it, and then decide what to do.
These analytics services should also be available at the edge, close to where much of the data that needs analysis is being created.
High-speed, low-latency interconnection between data and security analytics, especially cloud-based analytics, helps scale analytical capability and lets large volumes of data be moved and controlled faster.
By leveraging real-time analytics to better screen alerts, you gain greater control over the number of alerts that you need to respond to quickly.
Machine learning and predictive analytics tools that analyze the alerts and the underlying data contained in operational logs make it far easier for busy IT professionals to take action when needed.
Furthermore, these tools should compare the operational data against known issues related to commonly deployed applications, development environments and database engines, and then provide concise, actionable recommendations to the IT professionals handling the alert.
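The screening described above, as an added example that is not part of the original article or any vendor's product: a small triage pass that aggregates raw cloud audit events, sorts each group into the three classes the article distinguishes (needs immediate attention, informational, normal), attaches a recommendation when a group matches a known-issue table, and suppresses a pattern an analyst has already confirmed as benign so it stops generating false positives. All events, baselines, thresholds, the known-issue table and the allowlist are constructed sample data, and the field names (`actor`, `action`, `outcome`, `src_ip`) are assumptions rather than any real audit-log schema.

```python
"""Added example (not from the original article): alert triage over
constructed cloud audit events. Classes, thresholds and field names are
assumptions chosen for illustration."""
import json
from collections import Counter

IMMEDIATE, INFORMATIONAL, NORMAL = "immediate", "informational", "normal"
SEVERITY = {IMMEDIATE: 0, INFORMATIONAL: 1, NORMAL: 2}

# Constructed known-issue table: (action, outcome) -> actionable recommendation.
KNOWN_ISSUES = {
    ("login", "failure"): "repeated login failures: confirm MFA is enforced and review the source IP",
    ("upload", "denied"): "repeated denied uploads: check for IAM policy drift or a misconfigured client",
}
KNOWN_ISSUE_MIN_COUNT = 3  # assumed: fewer matches than this is treated as noise

# Constructed per-action baseline (typical count for the window) and the
# multiple above baseline that counts as anomalous volume. An action with
# no baseline gets 0, so any volume of an unseen action type is surfaced.
BASELINE = {"login": 20, "upload": 50, "comment": 200}
ANOMALY_FACTOR = 2

# Constructed allowlist of (actor, action) pairs already confirmed benign,
# e.g. a backup service that legitimately uploads in bursts.
ALLOWLIST = {("backup-svc", "upload")}

# Constructed JSON-lines audit sample: login, upload and comment events.
SAMPLE_EVENTS = "\n".join(
    ['{"actor": "bob", "action": "login", "outcome": "failure", "src_ip": "203.0.113.9"}'] * 6
    + ['{"actor": "alice", "action": "login", "outcome": "success", "src_ip": "198.51.100.7"}']
    + ['{"actor": "alice", "action": "comment", "outcome": "success"}'] * 3
    + ['{"actor": "backup-svc", "action": "upload", "outcome": "success"}'] * 120
    + ['{"actor": "carol", "action": "upload", "outcome": "success"}'] * 160
)


def parse_events(text):
    """Parse JSON lines, skipping blank or malformed lines instead of aborting the run."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line should not hide the rest of the window
    return events


def triage(events, known_issues=KNOWN_ISSUES, baseline=BASELINE, allowlist=ALLOWLIST):
    """Group events per (actor, action, outcome) and assign each group one class."""
    counts = Counter((e["actor"], e["action"], e.get("outcome", "unknown")) for e in events)
    verdicts = []
    for (actor, action, outcome), n in counts.items():
        verdict = {"actor": actor, "action": action, "outcome": outcome, "count": n}
        advice = known_issues.get((action, outcome))
        if advice and n >= KNOWN_ISSUE_MIN_COUNT:
            # Known issue seen often enough to need a person now; carry the recommendation.
            verdict.update(cls=IMMEDIATE, reason=advice)
        elif n > ANOMALY_FACTOR * baseline.get(action, 0):
            # Unusual volume with no known-issue match: worth a look, not a page-out.
            verdict.update(cls=INFORMATIONAL, reason=f"{n} events vs baseline {baseline.get(action, 0)}")
        else:
            verdict.update(cls=NORMAL, reason="within baseline")
        if (actor, action) in allowlist and verdict["cls"] != IMMEDIATE:
            # False-positive suppression: confirmed-benign patterns stop resurfacing,
            # but a known-issue match still wins so the allowlist cannot mask it.
            verdict.update(cls=NORMAL, reason="suppressed: allowlisted actor/action")
        verdicts.append(verdict)
    verdicts.sort(key=lambda v: (SEVERITY[v["cls"]], -v["count"]))
    return verdicts


def summarize(verdicts):
    """Count verdicts per class, i.e. how many groups actually need a human."""
    return Counter(v["cls"] for v in verdicts)


if __name__ == "__main__":
    results = triage(parse_events(SAMPLE_EVENTS))
    for v in results:
        print(f'{v["cls"]:<13} {v["actor"]:<11} {v["action"]:<8} x{v["count"]:<4} {v["reason"]}')
    print(dict(summarize(results)))
```

On the constructed sample, 290 raw events collapse to five groups, of which one needs immediate attention (bob's six login failures, with the matching recommendation), one is informational (carol's upload volume), and three are normal, including the backup service's burst that the allowlist suppressed. The allowlist deliberately cannot downgrade a known-issue match: suppressing a confirmed-benign volume pattern is a different decision from hiding a pattern that is on the known-issue list.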
A distributed security infrastructure at the edge, built on an Interconnection Oriented Architecture (IOA) strategy, should be the foundation of a well-thought-out, interconnection-first approach to security.
Deploying an IOA strategy means that the IT security platform will be able to react in real time and adapt quickly to change, while securely connecting people, locations, clouds and data within a digital ecosystem.
Article by Larry Hughes, Equinix Blog Network