The cybersecurity industry has always loved alerts. At least it used to. Granted, an alert often means that something is wrong. But, in many ways, an alert has often been seen as an accomplishment in itself — after all, an alert means suspicious activity did not pass undetected.
Things have changed a lot in the last five years. Security orchestration, automation and response (SOAR) tools are mainstream, and large enterprises seek contextual intelligence and triaging tools to help them prioritize alerts. This evolution was bound to happen. With so much noise to sift through, it quickly became impossible to identify which alerts were worthy of attention and which could be safely disregarded as false alarms. The resulting alert fatigue led to a shift in thinking away from volume-based alerting and toward more effective remediation. Simply put, in today’s threat environment, alerts aren’t enough. Users don’t just need to know that something worrisome is happening — they need real, actionable advice on how to address it.
Identity’s place in the modern threat landscape
Today’s security teams are working with a wide range of detection and remediation tools, each playing an important role in keeping enterprises secure. Some are focused on perimeter security, others on internal network flows. Some are geared toward remote access, others toward cloud services and applications.
Unfortunately, identity security solutions have stalled in their evolution. A detective security technology typically follows a common path: configuration, data collection, alerts and remediation (then loop back to tweak the configuration and do it again). But identity security solutions have become bogged down in the data collection stage. Today’s identity tools gather vast amounts of data (role configuration, usage patterns, lifecycle events, etc.), but haven’t gotten much further than issuing (far too many) alerts.
Businesses using a solution geared toward identity anomaly detection will almost certainly receive an alert when an identity is compromised — but it will be buried under hundreds or even thousands of other alerts triggered by other, broader criteria. Even under the best of circumstances, investigating and responding to each of those alerts would be difficult. In today’s environment, amid an ongoing skills shortage and cybersecurity hiring crunch, many organizations barely have the resources to respond to the alerts that do require immediate attention.
Moving from alerts to remediation
Identity management strategies need to do more than collect data and issue alerts — they need to provide actionable guidance that can help solve the problem, rather than simply inform on it. This is where machine learning (ML) can play a role — not just to generate alerts (ML-generated alerts can still be noisy), but to automate access requests, role modeling, access certifications, and other low-risk functions according to predetermined criteria.
Today’s security teams don’t always know the next step they should take after receiving an alert, but some cybersecurity systems can flag activity outside of an identity’s normal behavior patterns and provide a recommended action for the analyst assigned to review it. That means the analyst receives context, including how that behavior deviates from policy guidelines, permission settings or normal usage patterns, allowing them to understand not just why the behavior is suspicious, but what can be done to address it. Sometimes, there is good reason for unusual behavior. Other times, early detection can stop a network incursion before it escalates into an emergency.
Alerts are no longer enough
Alerts can be helpful. They let defenders know that something might be amiss. But mountains of alerts aren’t enough to get the job done. Security professionals don’t just need to know something is wrong — they need to know what comes next. ML-driven technology can provide those action steps, alongside automation tools capable of quickly and effectively remediating low-level threats and providing the critical context needed to address more serious ones. This can aid cyber defenders when it comes to not just detecting attacks — but actually stopping them.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users brought to you by Security magazine. Subscribe here.