Alert Fatigue: The Next Step in Threat Detection
Alert fatigue has long been a major issue for security analysts tasked with manning the Security Operations Center (SOC). False positives account for a fifth of all alerts in the SOC, according to a recent report, and can seriously deplete resources, impacting the efficiency and morale of the security team.
Detection Failures
At the same time, we’re seeing threats that don’t trigger alerts at all. Modern attacks can propagate through organizations by abusing the features of the operating system itself. Living off the Land Binaries and Scripts (LOLBAS), which introduce no new code into the system and let an attacker pivot within the network without bringing in external tools, are notoriously difficult to detect.
New Approach to Detection
To address these issues, we need to take a new approach to detection in the SOC that takes the pressure off the analyst and looks at alerts not one at a time but as part of a wider pattern of events. The human brain would struggle to do that at the volumes involved, but AI now allows us to address this type of problem.
AI, but not as you know it
Make no mistake, we are not talking about the application of AI in the usual sense when it comes to threat detection. Up until now, AI in security has largely meant Large Language Models (LLMs) used to do little more than summarize findings for reporting purposes in incident response. Instead, we are referring to the application of AI in its truer and broader sense, i.e. via machine learning, agents, graphs, hypergraphs, and other approaches – and these promise to make detection both more precise and more intelligible.
Augmenting the Analyst
The end result is that the security analyst is no longer perpetually caught in firefighting mode. Rather than having to respond to hundreds of alerts a day, the analyst can use hypergraphs and AI to detect and string together long chains of alerts that share commonalities, and in so doing gain a complete picture of the threat. Realistically, it’s expected that adopting such an approach should see alert volumes decline by up to 90%.
Conclusion
By applying machine learning to the chains of events, it will be possible to prioritize response, identifying which threats require immediate triage. Generative AI can then offer the analyst a number of courses of action to remediate the threat, ensuring incident response is consistent and proportionate.
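The chaining and prioritization described above, as an added example that is not part of the original article: alerts are treated as nodes, each shared attribute (host, user) as a hyperedge joining every alert that carries it, and the resulting chains are ranked for triage. The alert records, link keys and scoring weights are constructed for illustration, not taken from any real product or SOC.

```python
from collections import defaultdict

# Constructed sample alerts (hypothetical, not real telemetry). Several share a
# user or host, which is what lets individual alerts be joined into one chain.
ALERTS = [
    {"id": 1, "host": "ws01",  "user": "alice",      "proc": "powershell.exe", "sev": 2},
    {"id": 2, "host": "ws01",  "user": "alice",      "proc": "certutil.exe",   "sev": 3},
    {"id": 3, "host": "srv02", "user": "alice",      "proc": "wmic.exe",       "sev": 4},
    {"id": 4, "host": "srv02", "user": "svc_backup", "proc": "rundll32.exe",   "sev": 3},
    {"id": 5, "host": "ws07",  "user": "bob",        "proc": "chrome.exe",     "sev": 1},
    {"id": 6, "host": "ws09",  "user": "carol",      "proc": "outlook.exe",    "sev": 1},
]
LINK_KEYS = ("host", "user")  # attributes whose shared values link alerts (assumed choice)

def build_chains(alerts, link_keys=LINK_KEYS):
    # Hypergraph view: each (key, value) pair is a hyperedge containing every alert
    # with that value. Union-find merges alerts that sit in any common hyperedge.
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    hyperedges = defaultdict(list)
    for a in alerts:
        for key in link_keys:
            hyperedges[(key, a[key])].append(a["id"])
    for members in hyperedges.values():
        for x, y in zip(members, members[1:]):
            parent[find(x)] = find(y)

    chains = defaultdict(list)
    for a in alerts:
        chains[find(a["id"])].append(a)
    return list(chains.values())

def prioritize(chains):
    # Constructed scoring: highest severity dominates, distinct hosts touched signals
    # lateral movement, and chain length breaks ties. Higher score triages first.
    def score(chain):
        hosts = {a["host"] for a in chain}
        return max(a["sev"] for a in chain) * 10 + len(hosts) * 5 + len(chain)
    return sorted(chains, key=score, reverse=True)

def triage(alerts):
    # Returns alert ids grouped per chain, most urgent chain first.
    return [sorted(a["id"] for a in chain) for chain in prioritize(build_chains(alerts))]
```

With the six sample alerts, the analyst sees three chains instead of six alerts, and the chain spanning two hosts under one user account surfaces first.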
Frequently Asked Questions
- What is the primary issue with current threat detection methods?
- Alert fatigue, with false positives accounting for a fifth of all alerts in the SOC.
- What is the solution to this issue?
- A new approach to detection in the SOC that takes the pressure off the analyst and looks at alerts not consecutively but as part of a wider pattern of events.
- What role does AI play in this solution?
- AI is used to detect and string together long chains of alerts that share commonalities, allowing the analyst to gain a complete picture of the threat.