Information overload: Finding signals in the noise

Steve Ragan

Was it a mistake? It's easy to call it one now, but at the time, the InfoSec team at Target was just going through its daily routine. They checked the alert, determined it wasn't a high priority, and moved on to other things.

This happens daily at organizations across the globe. The difference is that, in hindsight, the public knows what happened to Target after this oversight, which makes it easy to single them out.

"So [in] some of these very high profile breaches, the product was able to identify that the breach was occurring, but the people's intelligence wasn't able to respond because they got so many alerts. They got so much information that it was difficult," commented FireEye's Dave DeWalt.

DeWalt is correct that information overload is a burden for IT and InfoSec teams, but threat intelligence is part of the problem too. Most of the threat intelligence feeds on the market aren't intelligence at all; they're aggregated reports of malware and spam samples, rogue IP addresses, and vulnerabilities that can't be tied to a given environment.

They give a general overview of the threat landscape and are a good source of data to have, but on their own they can't protect an individual business. That is nonetheless what they're marketed to do, and it isn't realistic.

Data (intelligence) for as far as the log can read

The problem isn't a lack of data. Organizations have tons of it, but the signal-to-noise ratio is too low, so valid data, the genuine threat intelligence, is missed or dismissed as the output of a noisy appliance or an overly sensitive alert.

The problem is information that exists without the means to process it in a way that's meaningful to the organization. The small links between incidents, which on the surface look like random, unrelated threats, are often what cause the largest problems.

So what's an example of an alert that might be serious, but ignored because it happens so frequently?

"The detection of an opportunistic Trojan, which happens to include a keylogger (e.g., the Zeus Trojan), occurs at a high frequency and may be considered to have low business risk to an organization (AKA - a noisy detection) because the presumed motivation of the attacker is to steal a user's credentials to personal accounts (e.g., shopping, personal banking)," explained Oliver Tavakoli, the CTO of Vectra Networks.

"However, the same host may be used to login to IT systems or customer-owned systems, as in the case of an employee at Fazio Mechanical logging into an outside vendor support website at Target, thus resulting in the compromise of business-critical account credentials."

Likewise, Tavakoli added, the detection of spamming malware is also a frequent occurrence, but it is treated more as a nuisance.
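The re-prioritisation Tavakoli describes can be expressed as a simple correlation rule: a "low" credential-stealing detection on a host becomes high priority once that host is seen authenticating to a business-critical system. The following is an added example written for this page, not code from the article, from Vectra Networks, or from any product. The detections, login events, hostnames, users and the table of critical destinations are all constructed for illustration; in practice the critical-destination list would come from an asset inventory or CMDB, and the events from an EDR and an authentication log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example; hostnames, users and
# destinations are hypothetical, not taken from the article or any real case.
DETECTIONS = [
    # (host, detection time, signature, severity assigned by the product)
    ("ws-0412", "2014-01-06T09:12:00", "Trojan.Zeus.Keylogger", "low"),
    ("ws-0977", "2014-01-06T10:03:00", "Trojan.Zeus.Keylogger", "low"),
    ("ws-0211", "2014-01-06T11:40:00", "Spambot.Generic", "low"),
]

AUTH_EVENTS = [
    # (host, login time, user, destination)
    ("ws-0412", "2014-01-05T16:00:00", "jsmith", "vendor-portal.example"),
    ("ws-0412", "2014-01-06T09:45:00", "jsmith", "vendor-portal.example"),
    ("ws-0977", "2014-01-06T10:10:00", "ahall", "webmail.example"),
    ("ws-0211", "2014-01-06T12:05:00", "dlee", "ops-jump.example"),
]

# What counts as business-critical. In practice an asset inventory or CMDB
# supplies this; here it is a constructed table.
CRITICAL_DESTINATIONS = {
    "vendor-portal.example": "third-party vendor support portal",
    "ops-jump.example": "IT administration jump host",
}

# Signature fragments that imply credential theft. A plain spam bot
# stays a nuisance unless it also carries a stealer component.
CREDENTIAL_THEFT_MARKERS = ("Keylogger", "Stealer")


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def steals_credentials(signature):
    return any(marker in signature for marker in CREDENTIAL_THEFT_MARKERS)


def escalate(detections, auth_events,
             lookback=timedelta(days=7), lookahead=timedelta(hours=72)):
    """Return detections that should be re-prioritised.

    A credential-stealing detection on a host is escalated when that host
    authenticated to a business-critical destination inside the window
    [detection - lookback, detection + lookahead]. The lookback matters
    because detection time is only an upper bound on infection time:
    credentials typed before the alert fired may already be stolen.
    Each result is one dict per (host, user, destination) listing the
    matching login times.
    """
    logins_by_host = defaultdict(list)
    for host, ts, user, dest in auth_events:
        logins_by_host[host].append((parse_ts(ts), user, dest))

    escalated = []
    for host, ts, signature, severity in detections:
        if not steals_credentials(signature):
            continue
        detected_at = parse_ts(ts)
        exposed = defaultdict(list)
        for login_at, user, dest in logins_by_host.get(host, ()):
            if dest not in CRITICAL_DESTINATIONS:
                continue
            if detected_at - lookback <= login_at <= detected_at + lookahead:
                exposed[(user, dest)].append(login_at)
        for (user, dest), times in sorted(exposed.items()):
            escalated.append({
                "host": host,
                "signature": signature,
                "original_severity": severity,
                "new_severity": "high",
                "user": user,
                "destination": dest,
                "why": CRITICAL_DESTINATIONS[dest],
                "logins": sorted(times),
            })
    return escalated


if __name__ == "__main__":
    for alert in escalate(DETECTIONS, AUTH_EVENTS):
        print(f"{alert['host']}: {alert['signature']} "
              f"{alert['original_severity']} -> {alert['new_severity']}; "
              f"{alert['user']} logged in to {alert['destination']} "
              f"({alert['why']}) {len(alert['logins'])} time(s)")
```

On the constructed data only ws-0412 is escalated: its keylogger detection is bracketed by two logins to the vendor portal, one the afternoon before the alert and one half an hour after. The keylogger on ws-0977 stays low because the host only reached webmail, and the spam bot on ws-0211 stays low despite its login to the jump host because the signature does not imply credential theft. The lookback default is the part most worth tuning: a short window under-reports credentials already captured before the product fired, a long one floods the queue with stale logins.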
