Alert fatigue isn’t just tiring, it’s expensive. Organizations receive 17,000 malware alerts per week, but only 19 percent are reliable. The cost of time wasted responding to inaccurate and erroneous intelligence can average $1.27 million annually, but the fallout from excessive alerting is more insidious. Only 22 percent of reliable alerts are investigated, because short-staffed security teams are overwhelmed by the volume of alerts generated by their existing security products and have become numb to these warnings because of the high rate of false positives. As a result, attacks are frequently overlooked, despite organizations often already having the evidence.

SIEM is a decades-old legacy approach to security reporting found in most large organizations, and one of the most egregious offenders for excessive alerting. Basic rules can be written to correlate known indicators and then report on the results, but SIEMs are not good at detecting unknown attacks, analyzing big data in real time, or understanding network and user behavior. Attacks are now more dynamic, so it is impossible to always keep rules current, which results in SIEMs warning on all suspicious actions, both the innocuous and the dangerous.

Core to this issue is SIEMs’ reliance on logs as their primary analysis source: logs are aggregated from many products, and correlation rules generate alerts from them. The information available in the resulting alerts is limited, which restricts the context that security teams need in order to respond effectively to a security incident. Network traffic contains much richer information, and the full fidelity and context provided by PCAP data can prove invaluable to the investigations of any security analyst and team. However, very few SIEMs use PCAP data, and those that do perform only rudimentary analysis when rules are triggered. Yet, despite the limited visibility that SIEMs provide, they are still the go-to products for incident investigations.

The ProtectWise Grid takes a modern approach to security, using deterministic (e.g., signatures, rules) and probabilistic (e.g., machine learning) techniques to provide reliable detections and complete visibility, ensuring that security teams have actionable information to respond to threats, with the additional benefit of full forensic access to all analytics associated with a security event. It is delivered entirely from the cloud and offers long-term retention of full-fidelity PCAP data, providing analysts with the packet-level analytics to resolve even the most complex investigations. Packet data can be retained for a year or more, far longer than the dwell time of malicious attacks, which is currently an average of 229 days according to Ponemon. This enables security teams to precisely understand the historical impact of any new zero-day exploit or security vulnerability. In addition, security teams can apply this knowledge to triage, investigate and remediate in-process security events and dramatically reduce the dwell time of an attack. Lightweight software sensors, which profile and capture traffic, can be deployed across the multiple network segments that constitute the modern organization, including traditional enterprise, cloud and industrial environments, to deliver visibility everywhere.

Well documented APIs make it easy to integrate The ProtectWise Grid with the rest of an organization’s existing security ecosystem. This is important as it allows analysts to work in the products to which they’ve become accustomed (e.g., a SIEM) while benefiting from the actionable detections and full context possible with The ProtectWise Grid. In fact, that is exactly what Pandora is doing, integrating The ProtectWise Grid with their implementation of the Elastic Stack (formerly known as the ELK Stack).

Join us on Wednesday, June 7 at 10 AM Pacific / 1 PM Eastern for our webinar “When a SIEM Alone is No Longer Sufficient” to hear from Pandora how they are benefiting from using The ProtectWise Grid and the Elastic Stack together. You’ll also learn more about The ProtectWise Grid, its ease of use and the rapid integrations that are available.
