When everything is high priority, nothing is high priority

Another ramble about the Target issue.  A recent article says that there were "thousands" of alerts from a new security product (identified as FireEye, and claimed to have been developed for the CIA, which the commercial product supposedly was not) that was deployed a few months prior to the breach.  Each of these alerts was supposedly issued at the highest possible priority, for "suspicious" files that were not known to be malicious but were suspected to be so.

What I cannot find reported for certain, though I thought I saw it, is how many alerts were issued in total, especially at the highest criticality level.  Just because a tool is issuing alerts doesn't make the tool useful.  Humans are good at handling exceptions, not at dealing with large amounts of the same old, same old for a long time.  It is clear from the timing that the configuration of the security product was not completed.  It is also clear that this was a rather sophisticated and targeted attack.

But the real lesson to take from the incident is that not everything can be ultra-high priority.  Important things can start as medium priority.  That's okay, and in fact necessary.  It allows people to triage and recognize the difference between "this could be important, but we can't say for certain yet" and "you may want to be aware of this, but it probably isn't important."  Tools that label every alert as high priority are not doing a good job.  Calling every vulnerability a "perfect 10" on the CVSSv2 scale just causes people to stop paying attention, because they can see how the ratings on the scale are being manipulated.

We have a full range of priorities for a reason.  Let's resume using them.