IT Support and Network Admin at Escuela Carlos Pereyra
User
Top 5
2022-01-25T14:18:21Z
Jan 25, 2022
I think first of all you need to establish what resources you want to handle in your operation and then how important each is. Once you have that, try a "Venn diagram" or an "Eisenhower chart" to apply the resolution tools; fatigue comes from not knowing which tool to use, or whether the resource with an incident is in danger or not.
Only then can you configure some rules; the information coming from there is going to give the necessary details for making more decisions.
Maybe I'm very subjective, but there is a very large group of solutions and strategies. It's not always going to be the same scenario.
So what you need is a criterion, professional skills, and then... being patient and embracing yourself.
Good luck!
I think as long as you do this thing manually, you will always have to be subjective. One will always say alerts from critical assets first, setting them with higher priority.
But the concept of threat intelligence will help. Threat intelligence feeds will help in improving information about the threats you are handling. Without this, your assets and the rules you set will always say "hey, this is a serious malicious activity" with brief information, unlike when you get feeds from various sources of threat intelligence.
Fighting alert fatigue - it's good to have playbooks do some repetitive work. If an alert is generated, instead of jumping into all of them as an analyst, a playbook will help you automate some activities like checking file hashes in VirusTotal. At least in the end one will be getting the alerts that matter most, with sufficient information added by the playbooks.
It depends on the information in your current alerts. E.g., if the alert has a priority or severity field, it will be normal to use this field.
I will assume that in your current alert system you do not have a severity or priority field.
The next option would be to look at the alert code. Most alarms have a number or a code identifying the alarm, and it is the reference to documentation - what this alarm means and how to resolve it.
I would then recommend using this code. Get a list of alarm codes, discuss and determine the severity for each code. Once you have this, you should be able to use this list to match alarms and set the automatic severity, timelines, etc.
1. Original thresholds from your tool.
2. Number 1 plus an internal business sense for each asset (other tools, CMDB attributes, SID - Security ID) and/or classification tags (baseline, stringent, internet-facing, workstation...).
3. A combination of both, for example with an extra risk-per-machine indicator, vulnerability exposure, or correlation with other critical processes.
4. Using a reference framework (NIST) or a mandate from regulators (SEC, ENISA, PCI, HIPAA, ...).
For alert fatigue, you'll need to optimize controls step by step (manually or using automatic/AI features), tuning false positives and filtering inconsistencies based on PDCA/baby-steps/Continuous Improvement models.
IT Security Coordinator at a healthcare company with 10,001+ employees
Real User
Top 5
2022-01-24T14:08:16Z
Jan 24, 2022
I think the first step is configuration.
When teams are first deploying a new tool, working closely with the vendor to set up the best configuration possible, to tune down the alerting for the fewest false positives, is critical to the success of your SOC.
Even paying extra for a third-party tool configuration assessment can be the difference of millions of alerts compared with vendor-recommended alerting.
Then there is a phase of "tuning" where you are in monitor mode to see what the worst and best alerting is, and you go from 80% to 90% false positives. That last 10% is the hardest with each tool and causes the most work and the most pain, but if successful you have less critical alerting firing off each device.
Feeding this to the SIEM is where you get the biggest bang for your buck when doing correlation of events; setting proper alerting triggers even for critical alerts can help you prioritize even those.
If you are looking for 10 alerts in the SIEM out of 6 million, you have to prioritize what sets those 10 above the rest so they stick out the most: critical assets, hashtags, threat feeds, UEBA, etc. - all of the things mentioned above are critical to that endeavor.
There are various approaches that organizations can take to help ensure that alert severity is properly assessed and to mitigate the impact of alert fatigue.
- One approach is to use a standardized system for evaluating and assigning severity levels to alerts. For example, organizations may use a scale such as the one defined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which assigns severity levels based on the potential impact and likelihood of an incident.
- Another approach is to use automated tools or algorithms to help determine the severity of alerts. These tools can analyze the data and context associated with an alert, together with threat intelligence, to help determine its likelihood and impact, which can help reduce subjectivity and improve the accuracy of the severity assessment.
To fight alert fatigue, organizations can adopt a number of strategies, such as:
- Prioritizing alerts: By prioritizing alerts based on their severity and likelihood of impact, organizations can focus their attention on the most critical incidents and reduce the number of lower-priority alerts that need to be reviewed.
- Implementing automated triage and response: Automated tools can help analyze and respond to lower-priority alerts, freeing up time and resources for security analysts to focus on more critical incidents.
- Providing ongoing training and support for security analysts: Ensuring that security analysts have the necessary knowledge and skills to effectively evaluate and respond to alerts can help reduce the burden of alert fatigue.
- Implementing a robust incident response process: A well-defined and standardized incident response process can help ensure that incidents are handled in an efficient and consistent manner, reducing the need for analysts to constantly reevaluate and respond to alerts.
Correlating alerts to stories rather than the alert itself. Evaluate based on stories rather than individual alerts.
Leverage AI to identify normal things in your alerts.
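Pulling together the approaches in the answers above (the tool's own severity field taking precedence over an alarm-code table, asset criticality and classification tags from a CMDB, threat-intel corroboration, an impact-times-likelihood score, and grouping alerts into per-host "stories"), as an added Python example that is not from any poster on this thread; the alarm codes, hostnames, tags and indicators are constructed:

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed lookup tables. In practice these come from the tool's alarm
# documentation (code -> meaning), the CMDB (asset criticality and tags)
# and a threat-intelligence feed (known-bad IPs, hashes, domains).
ALARM_SEVERITY = {            # alarm code -> base severity, 1 (info) .. 4 (critical)
    "AV-1001": 2,             # malware signature matched and quarantined
    "AUTH-0420": 3,           # burst of failed logins followed by a success
    "NET-0077": 1,            # port scan from an internal host
    "EXF-0009": 4,            # large outbound transfer to a rare destination
}
ASSET_CRITICALITY = {"dc01": 3, "web-shop": 3, "hr-db": 3, "ws-112": 1, "lab-vm": 0}
ASSET_TAGS = {"web-shop": {"internet-facing"}, "dc01": {"stringent"}}
THREAT_INTEL_IOCS = {"203.0.113.45", "0123456789abcdef0123456789abcdef"}  # constructed

@dataclass
class Alert:
    alarm_code: str
    host: str
    indicators: set = field(default_factory=set)   # IPs / hashes carried by the alert
    severity: Optional[int] = None                 # severity field set by the tool, if any

def base_severity(alert: Alert) -> int:
    """Use the tool's own severity field when present, else the alarm-code table.
    An unmapped code gets 'medium' so it lands on the review list rather than vanishing."""
    if alert.severity is not None:
        return alert.severity
    return ALARM_SEVERITY.get(alert.alarm_code, 2)

def score(alert: Alert) -> int:
    """Impact x likelihood: impact from severity plus asset context,
    likelihood doubled when an indicator is corroborated by threat intel."""
    impact = base_severity(alert) + ASSET_CRITICALITY.get(alert.host, 1)
    if "internet-facing" in ASSET_TAGS.get(alert.host, set()):
        impact += 1
    likelihood = 2 if alert.indicators & THREAT_INTEL_IOCS else 1
    return impact * likelihood

def triage(alerts, top_n=3):
    """The few alerts an analyst should open first, highest score first."""
    return sorted(alerts, key=score, reverse=True)[:top_n]

def stories(alerts):
    """Group alerts into per-host stories ranked by summed score, so several
    low alerts on one host surface together instead of one by one."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a.host, []).append(a)
    return sorted(grouped.items(), key=lambda kv: sum(score(a) for a in kv[1]), reverse=True)

SAMPLE_ALERTS = [  # constructed queue
    Alert("NET-0077", "lab-vm"),
    Alert("AUTH-0420", "dc01"),
    Alert("AV-1001", "ws-112", {"0123456789abcdef0123456789abcdef"}),
    Alert("EXF-0009", "web-shop", {"203.0.113.45"}),
    Alert("UNKNOWN-1", "hr-db", severity=1),
    Alert("NET-0077", "ws-112"),
]

if __name__ == "__main__":
    print([(score(a), a.alarm_code, a.host) for a in triage(SAMPLE_ALERTS)])
    print([(h, sum(score(a) for a in g)) for h, g in stories(SAMPLE_ALERTS)])
```

Note that the two ws-112 alerts rank below the dc01 alert individually but above it as a story, which is the effect the "correlate to stories" comment describes.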
@Robert Cheruiyot thank you for such an in-detail answer!
Hi @Evgeny Belenky,
Below are a few strategies that, if taken into account, can reduce cybersecurity alert fatigue in a SOC.
1. Threat intelligence
2. Native integration
3. Machine learning
4. Watchlists
5. UEBA (User and Entity Behavior Analytics)
6. Automation