SecOps teams are being inundated with alerts. The resulting alert fatigue is adversely affecting their ability to do their jobs. In fact, IDC estimates that SecOps teams at companies with 5000+ employees wind up ignoring about 23% of their alerts. At companies with 1500-4999 employees, that figure is closer to 30%.1
That’s why I sat down with three leading cybersecurity experts for a Q&A session all about alert fatigue, its causes, and why it is so critical to keep it at bay. My subjects for this deep-dive were none other than Top 50 Global Cybersecurity Influencer and former Defense Intelligence Agency Cyber Deputy Division Chief Tyler Cohen Wood, and Berkeley Varitronics President and CEO Scott Schober. Read on as we discuss how to reduce alert fatigue.
Q1: Does alert fatigue pose a threat to cybersecurity? If so, how serious?
A1 (Cohen Wood): Alert fatigue is a very serious problem that must be addressed. Without the right tools to properly consolidate alerts, classify them, and prevent false positives, alert fatigue can cause SecOps teams to miss critical alerts, waste time on too many false positives, or frankly, just hope that someone else will respond to an alert.
If we don’t take action to address alert fatigue, it’s just going to get worse. For one thing, we keep increasing the size of the attack surface by continually adding devices—especially IoT—to our digital ecosystems. For another, attacks keep escalating. So alert volume just keeps growing.
Q2: Alert fatigue isn’t just a logistical issue, though, is it?
A2 (Schober): No, it’s a psychological issue, too. And that aspect of alert fatigue is not trivial. Given how difficult it is to find, recruit, and retain cybersecurity talent, SecOps staff burnout isn’t something any organization can afford. Yet that’s exactly what happens when you allow your SecOps staff to become overwhelmed and start feeling like they are fighting an unwinnable battle without adequate resources. It’s this combination of overloading your team with more alerts than they can logistically handle and the psychological impact of that overload that makes alert fatigue so dangerous.
Q3: Are there best practices for overcoming alert fatigue?
A3 (Cohen Wood): Absolutely. There are many tools available for better classifying and de-duplicating your alerts—as well more aggressively reducing false positives. You also want to look for cybersecurity solutions that leverage AI/ML technology in conjunction with human intelligence to help you reduce false positives and guide your team to work on the most critical problems first.
There are lots of other things you can do to reduce SOC stress, too. For example, you should ensure that your SOC has a complete, accurate, and up-to-date inventory of your ecosystem. Proper implementation of a Zero Trust environment also helps mitigate alert fatigue by keeping the threat surface more manageable.
Q4: Don’t we have to be careful about over-suppressing and/or under-reacting to alerts, too?
A4 (Schober): Of course. If you miss an important alert, you can give a cybercriminal just enough window of opportunity to gain a foothold in your environment, allowing them to discreetly exfiltrate sensitive data and IP before you detect them. This is why you need to complement any effort to mitigate alert fatigue with the most advanced threat hunting possible. A big part of the XDR value proposition is based on this growing need to optimally leverage telemetry from everywhere—endpoints, the network, multiple clouds, etc.—to quickly zero in on active threats even as cybercriminals do everything in their power to mask their activity.
I enjoyed my discussions with the experts and their thoughts on how we as a community can help our cybersecurity professionals avoid alert fatigue. If you are looking to learn more, I recommend checking out our whitepaper titled “Reduce Cyber Alert Fatigue in your IT Environment”.
1Source: In Cybersecurity Every Alert Matters – an IDC White Paper