Today, financial institutions (and not only them) are being overrun with security logging and alerting. Each new monitoring and alerting device adds more things to consider when evaluating threats on a daily basis. You would think this would help, and that it is a good thing? It is and isn't at the same time.
We bury our faces in reports, sift log after log for the magic bullet, and set up countless alerts on top of alerts, only to chase countless rabbits (false positives) down holes. This in itself burdens budgets, jades security teams, and masks the legitimate threats that can ultimately lead to a breach.
How many stacks of reports, graphs, and pie charts do you look at today? How many lines of logs do you look at until your eyes bleed? Personally I've chased enough rabbits (false positives) down holes to where I almost grew a tail.
To understand the enormity of the problem, let's rewind the clock a year and see what it looked like in 2014, according to Damballa's Report:
The average North American enterprise fields around 10,000 alerts each day from its security systems, far more than their IT teams can possibly process, a Damballa analysis of Q1 2014 traffic has found.
You have to ask why. Why are we seeing this many alerts on a daily basis? The simple answer is that we are not considering what we are allowing to and through the perimeter. We basically open up exposures in our firewalls and DMZs, then top it off with an army of monitoring devices to watch and try to understand the traffic...