Surviving Security Alert Fatigue: 7 Tools and Techniques
It’s an all-too-common problem for today’s security teams: Alerts stream from a range of tools (sometimes misconfigured) and flood operations centers, forcing analysts to analyze and prioritize which ones deserve attention. Suffice it to say, major problems arise when critical alerts slip through the cracks and lead to a security incident.
“One of the biggest drivers of alert fatigue is the fact that people are unsure or unconfident about the configuration that they have or the assets they have,” says Dr. Richard Gold, head of security engineering at Digital Shadows. “What happens is you end up with a lot of alerts because people don’t understand the nature of the problem, and they don’t have time to.”
Dr. Anton Chuvakin, head of solution strategy at Chronicle Security, takes it a step further: Many businesses are overwhelmed by alerts because they have never needed to handle them.
“I think a lot of organizations, until very recently, still weren’t truly accepting of the fact they have to detect attacks and respond to incidents,” he explains. Now, those that never had a security operations center or security team are adopting threat detection and are underprepared.
The proliferation of security tools is also contributing to the alert fatigue challenge, Chuvakin notes. “Today we have a dramatically wider scope of where we are looking for threats,” he continues. “We have more stuff to monitor, and that leads alerts to increase as well.” The most obvious risk of alert overload, of course, is companies could miss the most damaging attacks.
Security staff tasked with processing an unmanageable number of alerts will ultimately suffer from burnout and poor morale, security experts agree. What’s more, overwhelmed employees may also be likely to simply shut off their tools.
It isn’t the technology’s fault, notes Chris Morales, head of security analytics at Vectra. “We don’t have a detection problem – we have a prioritization problem,” he explains. Any given person in a commercial security environment is tasked with multiple jobs: parsing data, writing scripts, knowing the ins and outs of cloud – and managing a range of tech in their environment.
“The amount of data being pushed through corporate networks today is unlike anything we could have imagined 10 years ago,” says Richard Henderson, head of global threat intelligence at LastLine. Organizations are struggling, and the onslaught of alerts is putting them at risk.
Here, security experts share their thoughts on the drivers and effects of alert fatigue, as well as the tools and techniques businesses can use to mitigate the problem. Which strategies have you used to combat alert overload? Which are effective? Feel free to share in the Comments section, below.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …