Too Many Security Alerts? AI-driven Automation Can Ease the Burden and Keep Data Safer

The tool screens out noncritical events while highlighting more potentially consequential events. For its endpoint detection and response, Kyriba also utilized VMware Carbon Black EDR, which continuously records and stores endpoint activity data so security professionals can hunt threats in real time.

“One of the prime reasons we did this is that analysts have alert fatigue,” Bailey says. “They’re doing all this important work, and they’re concerned they’re going to miss something. The AI technology offers added support to manage large amounts of data and helps minimize alert fatigue.”

Amita Potnis, research director for the future of trust at IDC, says that alert fatigue is a persistent problem for organizations, especially small businesses that lack a deep bench of security analysts to respond. “Cybersecurity professionals are inundated with logs,” Potnis says. “Threats come into the IT environment in many different ways: It’s your endpoints, it’s the network, it’s the applications. It is difficult to find the anomalies because of the sheer amount of data coming in.”

When it comes to security, businesses are battling on two fronts. The dearth of cybersecurity professionals in the workforce — 359,000 jobs in the discipline are unfilled in the U.S. alone, according to a 2020 survey by security nonprofit (ISC) — means teams are chronically understaffed. At the same, those teams are also under-resourced, Potnis says: “We’ve consistently seen that organizations not only struggle to ensure they have good cybersecurity talent but also that there are enough tools to enable their security professionals.”

Security Alerts Are Just What’s Needed

The new tech tools have made an enormous difference for Kyriba’s security team, helping it move from a posture of trying to sort through all the organization’s alerts to one of concentrating on “qualified alerts,” Bailey says.

“Attackers want to do account takeovers, get administrative privileges and exfiltrate data for as long as they can,” he says. “So, this is something we have to be good at every day. In our data logs, we have about 100 to 150 million events per day. Then, with these tools, we’re getting about five to 10 qualified alerts per day. There are things we’ve caught that we would not have otherwise acted on quickly enough. The automation has paid for itself.”

Howard, an accounting firm based in Dallas, faced a similar set of problems: sensitive client information to protect, a small IT team and an overwhelming number of security alerts coming into the organization.

“I don’t even know how many alerts we had per day, I’ll put it that way,” says Chris Barnes, CTO at Howard. “The next thing you know, you’re not even looking at the alerts anymore, and that’s a problem. All the security software in the world is useless if you’re not paying attention.”

“We reached the point of, ‘What’s a legitimate concern versus noise?’” Barnes adds. “We didn’t have enough resources in-house to answer that question.”

To combat the problem, Howard adopted tools and services from Arctic Wolf, including the vendor’s managed detection and response solution and SOC as a Service offering, which refers to the security operations centers that are usually the province of large enterprises. The MDR solution provides around-the-clock monitoring of network, endpoints and cloud environments, while SOC as a Service gives organizations access to a “concierge” security services team.

“Before, the idea was that you turn on everything so you can catch everything, and then you get everything,” Barnes says. “Now, the services and tools deal with everything and then give us what we need.”

MORE SECURITY: Everything you need to know about the cloud security landscape.

As a result of the tools and services, Barnes says, he and his team receive only a couple of alerts per month. Because they have already been vetted, these alerts tend to be about specific, actionable concerns, such as an employee’s email address showing up on the dark web or someone connecting to the company’s cloud resources from outside of the country.

“The alerts happen so infrequently that we’re able to take them more seriously now,” Barnes says.

Alerts Allow For Rapid Containment of Breaches

Duck Creek Technologies, a Boston-based provider of insurance industry software, turned to Microsoft Azure Sentinel to automate its threat response. “We were growing, and we needed to grow the technology supporting us as well,” says John Germain, the company’s CISO. “The solutions we had weren’t scaling very well, and there weren’t a lot of opportunities for us to optimize and leverage automation around the alerts we were seeing to get rid of a lot of the noise.”

“The other thing is cost,” Germain adds. “It’s tremendously expensive to capture all this data. We needed something that could not only scale up but also help control those costs. Having that relationship with Microsoft helped.”

Because it is a Software as a Service provider, the bulk of the data that Duck Creek manages belongs to its customers. “Of course, we have our own corporate data, but a lot of what we’re focused on is protecting the services and data we’re storing for our customers in Azure,” Germain says. “Any attacks on that environment could create significant challenges for our customers.”

Germain says that it is “humanly impossible” for many organizations to thoroughly sift through their voluminous logs. He notes that Microsoft Azure Sentinel integrates with the company’s threat intelligence tools to suss out potentially harmful events.

“It basically feeds our security information and event management tool with all the really bad stuff that’s happening in the world right now. Then, it looks through your logs and searches for any matches,” Germain says. “If there’s an IP address that we know is bad, we can block that address with our firewall, and that can happen in minutes. You can contain an incident a lot quicker. That’s what we’re trying to get at.”