Alert Fatigue and Bad Signatures Leads to Missed Attacks

August 11, 2020
Marcus Hartwig
Director, Product Marketing
Alert Fatigue and Bad Signatures Leads to Missed Attacks

Intrusion Detection and Prevention Systems (IDPS) are designed to detect threats based on rules and signatures. This is a tried and tested solution often seen in antivirus software and next-generation firewalls. In theory, this is a great way to detect a known attack using the appropriate signature it presents. However, reality often trumps theory; attackers are smart, and networks are noisy, so it turns out that no two attacks are going to be completely the same.

To counter this, the vendors who create signatures have to be a bit relaxed when weeding out what they are looking for. It seems like a good fix, small variations in an attack that previously went undetected now get detected again. The problem is that you’re now starting to get a bunch of false-positive detections. It’s not uncommon for a modern security operation center (SOC) leveraging signature-based detections to get ten of thousands of alerts, sometimes even more in just 24 hours, making their solution pointless.

79% of security teams stated they "were overwhelmed by the volume."
-     Enterprise Management Associates Info Brief

To counter this, SOC analysts are typically forced to configure the IDPS systems to only monitor traffic going to high-value assets, such as databases and production servers. It’s also common to be very selective in which signature rules are enabled in their IDPS, often removing older and noisier rules, and tuning alert thresholds to reduce alert volume. Unfortunately, turning off security monitoring means that you are pretty much guaranteed to miss an attack.

A successful and more modern approach is to move away from your legacy IDPS and replace it with a network detection and response (NDR) solution. NDR offers threat intel combined with rich contextual data such as host user behaviors on the network, user and device privilege, and knowledge of malicious behaviors. All powered by machine learning rules developed by security research and data science that identify attacks that are real threats, while eliminating the  noise. Ultimately giving you the peace of mind that you are detecting and stopping both known and completely unknown attacks for your entire deployment.

Cut out the noise of IDPS to start detecting and stopping threats again with NDR. Free up your analysts to actually focus on their real work instead of tweaking signatures. The Cognito Platform from Vectra is in 100% service of detecting and responding to attacks inside cloud, data center, IoT, and enterprise. Our job is to find those attacks early and with certainty.

It starts with having the data to make this happen. This is not about the volume of data. It is about the thoughtful collection of data from a variety of relevant sources and enriching it with security insights and context to solve customer use-cases.

Attack behaviors vary, so we continuously create unique algorithmic models for the widest range of new and current threat scenarios. Performing well beyond the abilities of humans, Vectra gives you a distinct advantage over adversaries by detecting, clustering, prioritizing and anticipating attacks.

By doing the thinking and reducing the security operations workload, you will spend more time on threat hunting and incident investigations. If you’re ready to change your approach to monitoring and protecting your environment, get in touch with us to see a demo.