Last year, IBM released the results of a study showing a 23 percent rise in the average total cost of a corporate data breach. For the study participants, the average came to $3.79 million. It’s impossible to ignore the need for information security, monitoring and staffing to protect ourselves from such breaches.
Yet the ongoing cost of this vigilance is also sizable, especially in light of false-positive alerts. The Ponemon Institute reports that the average company spends $1.2 million a year in wasted staff time alone responding to false alerts.
How do you strike a balance between this costly, inefficient use of your staff and the risk of an actual breach?
Real threats vs. business as usual
Traditional network monitoring applications log hundreds or thousands of events every day, even for a small company. Most are innocent: employees doing their jobs, or customers accessing their information through a portal.
But these days, someone is always trying to gain unauthorized access. How can you tell whether that failed login was a customer who forgot their password or an attacker guessing credentials?
It can be hard to spot the difference, even with automatic monitoring. If you set the alert threshold too low, your security team will always be chasing ghosts down dead ends. But set it too high, and you might miss the one intruder that costs you the proverbial farm.
Swimming in a sea of red
If you’ve ever worked in a NOC (network operations center), you’ve heard of the “Sea of Red.” It refers to screen after screen of bright red alerts, often projected on huge NASA-like screens. And that’s what you expect to see if your network is under a directed active attack, such as a Denial of Service (DoS).
But there's a problem: real attacks generate so many network events that they overwhelm the operators. If the monitoring system is unable to correlate and consolidate the thousands of alerts as having a single root cause, staff will go crazy trying to chase them all down.
On the other hand, there are a multitude of smaller events that could be attempts to circumvent access control – but aren’t. Internal and external users forget their passwords. Applications fail when embedded passwords are changed without warning. The list goes on.
Whether innocent or not, the resulting alerts have to be investigated. And that gets expensive.
Hiding a tree in the forest
Hackers get more creative all the time. While a distributed denial-of-service (DDoS) attack aims to overwhelm your service network, break-ins don’t often use such brute-force methods. They usually seek to quietly discover and exploit vulnerabilities in your network, whether in the infrastructure itself or in the policy administration.
Each probe generates one or more alerts. While these may not paint the NOC’s screens red, you still have to investigate the cause. Even if the intrusion attempt failed, there’s staff time wasted trying to make sure.
In more cunning attacks, the attacker launches a noisy brute-force assault simply to draw attention while quietly probing for vulnerabilities elsewhere. The hope is that the real threat gets lost among all the other alerts and that your staff won't find it until it's too late.
Balancing the risks
Sadly, it only takes one successful intrusion to cause serious damage. How do you detect which alerts need to be tracked down and which ones do not without ballooning your IT budget?
All those events and alerts have to be analyzed and normalized before your team sees them. This requires continuous intrusion detection coupled with a threat intelligence engine that can:
- Self-adjust to changing network configurations
- Correlate and consolidate those thousands of events
- Identify the real threats (and cull the rest)
- Let you respond to actual threats, instead of false alarms
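To make the correlation step concrete, here is a small Python script that groups raw failed-login events by source address and emits one root-cause alert per source, then culls the business-as-usual case (a user who mistypes a password and then logs in). It is example code added for this page, not Paranet's product or the page's own code; the key=value log format, the IP addresses, the threshold values and every log line are constructed for illustration only.

```python
"""Correlate raw failed-login events into a few root-cause alerts.

Added example, not Paranet's code. The key=value log format, the source
addresses, the thresholds and every log line below are constructed for
illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log lines: one user who mistyped a password twice and then got in,
# one source hammering five accounts, and one source probing slowly.
USER_LINES = """\
2024-03-01T09:00:01Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:00:20Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:00:45Z src=198.51.100.7 user=alice result=OK"""
BRUTE_LINES = "\n".join(
    f"2024-03-01T09:05:{i:02d}Z src=203.0.113.9 user={u} result=FAIL"
    for i, u in enumerate(["admin", "root", "test", "guest", "oracle"] * 8)
)
PROBE_LINES = """\
2024-03-01T09:10:00Z src=192.0.2.33 user=root result=FAIL
2024-03-01T09:40:00Z src=192.0.2.33 user=backup result=FAIL
2024-03-01T10:15:00Z src=192.0.2.33 user=svc_db result=FAIL"""
SAMPLE_LOG = "\n".join([USER_LINES, BRUTE_LINES, PROBE_LINES])


@dataclass
class Event:
    ts: datetime
    src: str
    user: str
    ok: bool


@dataclass
class Alert:
    kind: str         # brute_force, low_and_slow_probe, forgotten_password, unclassified
    src: str
    failures: int
    users: list       # distinct accounts that failed from this source
    span: timedelta   # time between first and last failure
    raw_events: int   # how many log events were folded into this one alert


def parse(log: str) -> list:
    """Parse the constructed 'TIMESTAMP src=.. user=.. result=..' lines."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
                            kv["src"], kv["user"], kv["result"] == "OK"))
    return events


def correlate(events, brute_threshold=20, probe_min_users=3, probe_max_per_min=0.5):
    """Group failures by source and emit ONE alert per source (the root cause)
    instead of one alert per failed login. Thresholds are assumed values."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        fails = [e for e in evs if not e.ok]
        if not fails:
            continue                                   # successes only: nothing to report
        users = sorted({e.user for e in fails})
        span = fails[-1].ts - fails[0].ts
        per_min = len(fails) / max(span.total_seconds() / 60, 1.0)
        recovered = {e.user for e in evs if e.ok}      # accounts that later logged in OK
        if len(fails) >= brute_threshold:
            kind = "brute_force"                       # volume alone gives it away
        elif len(users) >= probe_min_users and per_min <= probe_max_per_min:
            kind = "low_and_slow_probe"                # few events, many accounts, long gaps
        elif set(users) <= recovered:
            kind = "forgotten_password"                # every failing account then succeeded
        else:
            kind = "unclassified"
        alerts.append(Alert(kind, src, len(fails), users, span, len(evs)))
    return alerts


def triage(alerts):
    """Cull business-as-usual noise; what remains is what an analyst should see."""
    return [a for a in alerts if a.kind != "forgotten_password"]


def classify(log: str, **thresholds) -> dict:
    """Convenience: map each source address to the kind of alert it produced."""
    return {a.src: a.kind for a in correlate(parse(log), **thresholds)}


if __name__ == "__main__":
    alerts = correlate(parse(SAMPLE_LOG))
    print(f"{sum(a.raw_events for a in alerts)} raw events -> {len(alerts)} alerts "
          f"-> {len(triage(alerts))} worth an analyst's time")
    for a in triage(alerts):
        print(f"  {a.kind:18} {a.src:14} failures={a.failures} users={a.users}")
```

On the constructed input, 46 raw events collapse into three alerts, of which two (the brute force and the slow probe hidden beside it) survive triage. The thresholds are the trade-off the text describes: lowering `brute_threshold` to 2 turns alice's two typos into a "brute_force" alert (chasing ghosts), while raising it to 100 leaves the 40-attempt source merely "unclassified" (the miss). In a real deployment the per-source grouping would also need a sliding time window and a list of known business systems with embedded credentials, so that an application failing after a password rotation is recognized rather than escalated.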
Intelligent intrusion detection can reduce the risks and costs associated with a major network breach. By identifying actual threats quickly, you can act to seal the breach with a smaller but more focused security staff.
If all this sounds overwhelming, let us show you how Paranet’s team of security experts can help. We’ve monitored and protected more than 1,800 networks and prevented an estimated 1 billion attacks. It’s what we do and we’re darn good at it. Schedule a consultation to learn more.