A State of Security Event Overload

As many as 150,000 security events are logged each day in some enterprises, new data shows.

Dark Reading Staff, Dark Reading

May 16, 2014


Target isn't the only enterprise getting inundated with security events: The average enterprise receives more than 10,000 events a day that may or may not be malware-related, and for some of the biggest enterprises, that number jumps to more than 150,000 per day, according to new data from Damballa Labs.

It could happen to anyone, but Target has become a poster child for how easy it is to dismiss the wrong event as a false positive among the heavy volume generated by today's security tools. Target's security team evaluated the "activity" that was flagged and concluded it was not relevant for action. "With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different," a Target spokeswoman said in the aftermath.

Damballa Labs' new data on network events, logged in the first quarter of this year, demonstrates how easily information overload can complicate the ability to respond to real threats hidden among the benign events.

"There are lots of events each day, and [organizations] can't check on each one" individually, says Brian Foster, CTO at Damballa. "There are not enough smart people to go around. The industry needs to make humans smarter and more efficient, and then they can deal with more events... It eventually leads to automatable defenses."

Foster says the risk of missing a real event among a bunch of false positives is such that some organizations are taking a more holistic approach that looks at risk, prevention and detection, and response. "How many active infections are those alerts resulting in?" he asks, and how much data is going out the door as the attackers steal it?

"Security teams must be able to automate infection 'hunting' and prioritize their response. Otherwise they will find the wolf is already inside their network," Damballa's new Q1 2014 State of Infections Report says.

The full report is available here for download.
