Monitoring security events is an essential but challenging task. Enterprises run large numbers of applications on a variety of platforms. Some applications are monolithic and run on isolated machines such as mainframes. Others are highly distributed systems that rely on a complex web of services invoking each other in difficult-to-anticipate patterns. These applications generate substantial amounts of log data that are often difficult to integrate. For example, a relatively benign event, like an administrator login on an application server, may not warrant attention on its own; however, if that event is quickly followed by calls to data access APIs on an application outside that admin’s responsibility, then the combination should trigger an alarm. Balancing the need for comprehensive alerting against the obvious desire to minimize false positives (a.k.a. false alarms) is difficult.
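The correlation described above (an admin login quickly followed by data-access calls on an application outside that admin's responsibility), as an added example that is not from the original article. The event schema, the per-admin scope mapping, the sample records and the five-minute window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article); each is one parsed log record.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "admin1", "app": "app-server-1", "type": "login", "role": "admin"},
    {"ts": "2024-03-01T09:02:30", "user": "admin1", "app": "hr-payroll", "type": "data_api_call", "api": "/records/export"},
    {"ts": "2024-03-01T09:10:00", "user": "admin2", "app": "app-server-1", "type": "login", "role": "admin"},
    {"ts": "2024-03-01T09:11:00", "user": "admin2", "app": "app-server-1", "type": "data_api_call", "api": "/health"},
    {"ts": "2024-03-01T11:00:00", "user": "admin1", "app": "hr-payroll", "type": "data_api_call", "api": "/records/export"},
]

# Assumed scope mapping: the applications each administrator is responsible for.
ADMIN_SCOPE = {"admin1": {"app-server-1"}, "admin2": {"app-server-1", "hr-payroll"}}

WINDOW = timedelta(minutes=5)  # assumed "quickly followed" threshold


def correlate(events, scope, window=WINDOW):
    """Alert when an admin login is followed within `window` by a data-API call
    on an application outside that admin's scope. Each event alone is benign;
    only the sequence is flagged, which keeps individual logins out of the alert stream."""
    alerts = []
    recent_logins = {}  # user -> timestamp of most recent admin login
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "login" and ev.get("role") == "admin":
            recent_logins[ev["user"]] = ts
        elif ev["type"] == "data_api_call":
            login_ts = recent_logins.get(ev["user"])
            if login_ts is None or ts - login_ts > window:
                continue  # no recent admin login: not the pattern we care about
            if ev["app"] in scope.get(ev["user"], set()):
                continue  # call is within this admin's own responsibility
            alerts.append({
                "user": ev["user"],
                "app": ev["app"],
                "api": ev["api"],
                "login_at": login_ts.isoformat(),
                "call_at": ts.isoformat(),
                "delta_seconds": int((ts - login_ts).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS, ADMIN_SCOPE):
        print("ALERT:", a)
```

Only the 09:02:30 call fires: admin2's call is in scope, and admin1's 11:00 call falls outside the window.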
Remember hearing the story of “The Boy Who Cried Wolf”? His calls for help created alarm among the townspeople until, ultimately, they got so used to false alarms that they started ignoring his cries for attention. Now imagine multiple boys crying “wolf” at the same time. Are some real? Some false? How much time would it take to investigate each of these cries, and would the real wolf attack while you were trying to react to every alarm? The volume of these cries quickly becomes an unfathomable nightmare and inevitably turns into white noise.
The scary part is that 783 breaches only represent what was reported. Undoubtedly many more incidents occurred but were never publicly disclosed. Whether you count the disclosed or undisclosed number, it would be hard to dispute that cyber-attacks are growing in frequency and are becoming increasingly complex. Current security solutions are proving ineffective, and breaches continue to be a deadly threat to enterprises whose valuable data can be compromised, often generating millions of dollars for the attackers.