Olivier Le Moal - stock.adobe.co
How to address and prevent security alert fatigue
An influx of false positive security alerts can lead infosec pros to overlook real threats. Learn how to avoid security alert fatigue and avoid its potential consequences.
Most organizations have a variety of defensive cybersecurity measures in place, including firewalls, intrusion detection and intrusion prevention systems, antivirus and other endpoint security tools that record, analyze and report on thousands of events every hour. While essential to detect and prevent threats, these products result in a nonstop flood of alerts that security teams must prioritize and investigate to discern whether the threats are serious.
Each alert requires a significant amount of qualified human resources that, for most security teams, are in short supply. This leaves those tasked with the job overloaded and enables true attack alerts to get lost in the noise of false positives.
The problem with security alert fatigue
Nearly half of respondents to a Critical Start survey reported that 50% of alerts or higher are false positives. To address this alert fatigue, 57% of respondents said they tune specific alerting features or thresholds to reduce the alert volume, while another 39% simply ignore certain alert categories.
These two approaches can produce disastrous consequences. One notable example of what happens when alerts are ignored is the Target data breach of 2013, where 40 million card records were stolen. Despite numerous alerts warning of the unfolding attack, Target did not react in time because similar alerts were commonplace and the security team incorrectly classified them as false positives.
As organizations' data and IT infrastructures spread out across the cloud, the number of alerts is only going to increase and exacerbate the situation. It's a difficult problem for CISOs. It would be nice to hire more help to analyze all the alerts, but this is not an option for most. The only plausible option is to reduce the number of alerts their teams are required to inspect.
How to address and prevent security alert fatigue
Security products that trigger thousands of alerts daily that are never investigated or are casually dismissed as false positives add no value to security operations. This scenario only creates opportunities to miss important alerts because staff doesn't have enough time to review them.
Reducing the number of alerts lowers the chance of false positives and improves alert accuracy: Any alerts that are generated will contain actionable insight to help the security team investigate them, including details on the chain of events that lead to an alert. It is exceedingly difficult to create rules that narrow down anomalous events and threats to a manageable number of alerts, however, especially in security systems that cover all user activities.
Fortunately, companies can take a few steps to counter the deluge of alerts. The use of machine learning and AI have long been touted as the future of detecting patterns of behavior that deviate from the norm, even in subtle ways. Until recently, however, these technologies have struggled to stem the tide of alerts. Products available today automate many tasks that were previously completed manually, elevating only those actionable alerts to humans. AI can also learn false alert patterns to help admins better tune their products in the future.
New cloud-based approaches are also available to help offset alert overload that concentrate on producing fewer -- but more significant -- alerts based on their context.
Managed services can also be instrumental in preventing alert fatigue and providing greater context to alerts. Critical Start, FireEye and Palo Alto Networks offer services that prioritize and present a contextualized alert. These alerts include details such as the root cause, the entire attack chain, the entities involved and a damage assessment that includes easy-to-digest graphics. With information about a potential problem presented in this format, security analysts can properly analyze and correctly respond to alerts.
Of course, security teams aren't the only ones that must deal with daily security alerts. On an average day, employees at all levels are likely to receive some sort of alert to avoid opening a suspicious email attachment, to not click on a potentially malicious website or to not share their passwords. Perimeter defenses should prevent most malicious inbound traffic from reaching end users, but employees must be aware of the threat so they don't fall victim to threats that manage to bypass security mechanisms. Security awareness programs educate users on how to evaluate and utilize the information received in the email or text notifications they regularly receive and avoid malicious threats.
Security alert fatigue is so challenging because technology cannot eliminate human error entirely. But eliminating useless alerts and making the necessary ones more meaningful can prevent security teams from being overwhelmed with alerts that ultimately are overlooked or ignored altogether.