WE’RE HEARING as malware and virus detection gets more advanced, financial firms may find their IT departments overwhelmed by the volume of “suspicious activity” alerts that have to be investigated.
The “security alert overload” is a problem that companies are struggling to manage with their existing IT staffing and infrastructure, according to Neil Stratz, vice president for customer solutions at NetCitadel, a California-based provider of security threat analytics.
The workload issue comes at a time when hackers and cyber-crooks are getting more sophisticated about how they try to infiltrate companies, Stratz said during a recent webcast. Cyber threats are becoming more opportunistic, evasive and easier to create. He says malware programs available to potential crooks grew 30% in 2013.
At the same time, tools to detect malware are getting better as well. But the rise in detected security threats exceeds growth in security containment staffing and capabilities.
“The bad news for IT security teams is that now there are even more alerts for them to check,” Stratz says. “There is still a lot of information that response teams need to evaluate and digest.”
The conundrum is this: in most cases, companies have automated “security information management systems” that red flag “anomalies” that might be potential intrusions or unauthorized transactions. Prominent providers of SIMS applications include HP ArcSight, FireEye and Palo Alto Networks.
But investigating alerts to see if they are real threats or false alarms remains a mostly manual process, subject to human error and inconsistencies. And though companies often try to customize SIMS applications to weed out false alarms, those efforts can fall short.
“We see some companies writing as many as 500 rules to filter out some of the noise, but there is still a lot of noise that they are dealing with today,” Stratz says.
One problem is that too many red flags are listed as “critical” for IT security teams to respond to, making it difficult for to focus containment efforts on the ones that pose the biggest financial or security risk, Stratz says. It also can lead to an increase in the time between when a critical threat is detected and when it is contained.
“If they’re all critical, then none of them are critical.”
Today, it’s really up to the individual responding to an alert to make a determination about the severity of the threat, he says. And those responders have different levels of experience and technology expertise, leading to subjective decisions about how serious a threat is.
NetCitadel aims to use analytics to help companies make threat priority more automated and analysis of threats more consistent. Too often at companies, Stratz says expertise is “tribal” or in silos across the company, and the response to an alert may be different or redundant depending upon who handles it. If a threat response requires an “over the wall hand off” between departments, there’s always the chance the response will be fumbled. In some cases, even when malware is detected, it may take days to add the IP address of a potential intruder to a block list, Stratz says.
In addition, many companies have only one IT executive who is intimately familiar with the company’s security software and what tweaks have been made to it. When that person leaves the staff, it can create confusion around threat detection and response.
So what are his tips for improving threat response?
Stratz says companies should be wary of customizing SIMS coding, especially if one employee is responsible for managing and maintaining the code. Any customization should pass the “lottery test,” meaning that if the key individuals managing the security and event management program win the big jackpot and leave unexpectedly, the company still has the intellectual capital to manage its security technology.
For IT threat containment staff to be effective, they should rely on consistent threat scoring, have an audit system to confirm that appropriate action has been taken, but still rely on human review, he says. While human input is critical, automating threat assessment can ensure that threat containment happens quickly and efficiently. Workflow and analytics around threat analysis can minimize duplicate efforts and allow a “level 1” security analyst to “punch above their weight” and act more like a “level 3” analyst, Stratz says.
“You are looking for tools that can help make your team smarter. You will not be able to hire your way out of this problem. You really cannot throw bodies at this problem and expect it to be solved.”
Ted Cornwell has covered the mortgage markets since 1990. He is a former editor of both Mortgage Servicing News and Mortgage Technology.