Jay Batson – Manager of Engineering
Alerts are the first line of defense in every organization’s cybersecurity efforts. But as the threat landscape grows more aggressive, admins, specifically IT operations professionals, are faced with an overwhelming number of potential security events to investigate, the majority of which are non-actionable. A recent Cloud Security Alliance study found that of a sampling of 2,542 anomalous-event alerts, only 23.2 percent were actual threats. That heavy noise level desensitizes admins to the alerts, creating a condition known as “alert fatigue”.
More than just a personnel problem, alert fatigue increases the odds that a legitimate threat gets overlooked, leaving the organization vulnerable to attack.
Ensuring admins stay motivated to pay attention to alerts requires finding a balance between alert quantity and quality. Here are a few tips that can help.
Tune in to what’s important
One obvious way to dial down the noise is to only monitor the information that is critical to your organization. This requires an understanding of your organization’s unique environment, including where sensitive assets are stored, who needs access to them and when, what normal network traffic looks like, and other considerations. Once you’ve established a baseline, you can better tune your security tools to alert admins to potentially harmful deviations while filtering out data that only adds to the queue.
Include context in alerts
An event that seems innocuous on its own may be significant in light of a chain of other events. That makes it critical for every alert to include details such as where the issue originated, what systems were impacted, and any other relevant contextual data that can convey the event’s importance and suggest an appropriate response. Effective monitoring tools will do the heavy lifting of correlating related events and producing actionable alerts so admins can respond quickly and confidently.
Minimize redundant alerts
Most organizations use separate and distinct security solutions for email scanning, antivirus, endpoint detection and response, and so on, in order to provide complete protection. Inevitably, several of these tools will perform similar functions and produce redundant alerts for a single event. It’s important to minimize this overlap, as it’s one of the biggest contributors to alert fatigue. Each tool’s alerting rules can be fine-tuned individually to reduce redundancy, but a stronger solution would be to consolidate security functions through a single platform, so all alerts are generated from a single source.
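The two ideas above, correlating related events into one alert that carries its context, and collapsing the redundant alerts that several tools raise for a single event, can be shown in a few dozen lines. The following is an added example, not code from the article or from any product it refers to. The alert schema, the tool names and the sample alerts are all constructed for the example; the correlation key (indicator plus category, case-normalised) and the five-minute merge window are assumptions a real deployment would tune to its own baseline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class RawAlert:
    """One alert as emitted by a single tool. The schema is assumed for this
    example; real products use their own fields."""
    tool: str
    ts: datetime
    asset: str          # host or mailbox the tool saw the activity on
    indicator: str      # file hash, sender address, URL... as reported by the tool
    category: str       # "malware", "phishing", ...
    details: Dict[str, str] = field(default_factory=dict)


@dataclass
class ConsolidatedAlert:
    """Several tool alerts about the same indicator, merged into one record that
    carries the origin, the affected systems and every tool's context."""
    indicator: str
    category: str
    first_seen: datetime
    last_seen: datetime
    sources: List[str] = field(default_factory=list)
    assets: List[str] = field(default_factory=list)
    context: Dict[str, str] = field(default_factory=dict)

    @property
    def corroboration(self) -> int:
        """Number of distinct tools that reported this activity."""
        return len(set(self.sources))


def _key(a: RawAlert) -> Tuple[str, str]:
    # Case-normalise so "sha256:..." and "SHA256:..." from different tools match.
    return (a.indicator.lower(), a.category.lower())


def _absorb(c: ConsolidatedAlert, a: RawAlert) -> None:
    """Fold one raw alert into a consolidated record, keeping every tool's details."""
    c.last_seen = max(c.last_seen, a.ts)
    c.sources.append(a.tool)
    if a.asset not in c.assets:
        c.assets.append(a.asset)
        c.assets.sort()
    for name, value in a.details.items():
        c.context[f"{a.tool}/{a.asset}/{name}"] = value


def consolidate(alerts: List[RawAlert],
                window: timedelta = timedelta(minutes=5)) -> List[ConsolidatedAlert]:
    """Merge raw alerts that share an indicator and category and arrive within
    `window` of the previously merged one. An alert arriving later than that
    starts a new consolidated record, so a recurrence is not silently swallowed
    by an old, already-handled one."""
    out: List[ConsolidatedAlert] = []
    open_by_key: Dict[Tuple[str, str], ConsolidatedAlert] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        k = _key(a)
        cur = open_by_key.get(k)
        if cur is not None and a.ts - cur.last_seen <= window:
            _absorb(cur, a)
        else:
            cur = ConsolidatedAlert(indicator=a.indicator, category=a.category,
                                    first_seen=a.ts, last_seen=a.ts)
            _absorb(cur, a)
            out.append(cur)
            open_by_key[k] = cur
    return out


def render(c: ConsolidatedAlert) -> str:
    """One-line summary an admin can act on without opening several consoles."""
    return (f"[{c.category}] {c.indicator} seen by {c.corroboration} tool(s) "
            f"({', '.join(sorted(set(c.sources)))}) on {', '.join(c.assets)} "
            f"between {c.first_seen:%H:%M:%S} and {c.last_seen:%H:%M:%S}")


# Constructed sample: six raw alerts from three tools, not real telemetry.
T = datetime(2024, 1, 15, 10, 0, 0)
SAMPLE_ALERTS = [
    RawAlert("email_gateway", T, "alice@corp.example", "sha256:aaaa1111", "malware",
             {"origin": "attachment from invoices@ext.example", "subject": "Invoice 4471"}),
    RawAlert("antivirus", T + timedelta(seconds=45), "ws-17", "SHA256:AAAA1111", "Malware",
             {"path": r"C:\Users\alice\Downloads\Invoice 4471.docm"}),
    RawAlert("edr", T + timedelta(seconds=70), "ws-17", "sha256:aaaa1111", "malware",
             {"process": "winword.exe -> powershell.exe"}),
    RawAlert("antivirus", T + timedelta(minutes=3), "ws-22", "sha256:aaaa1111", "malware",
             {"path": r"C:\Users\bob\Downloads\Invoice 4471.docm"}),
    RawAlert("antivirus", T + timedelta(minutes=30), "ws-22", "sha256:cccc3333", "malware",
             {"path": r"D:\tmp\setup.exe"}),
    RawAlert("edr", T + timedelta(hours=5), "ws-17", "sha256:aaaa1111", "malware",
             {"process": "explorer.exe -> Invoice 4471.docm"}),
]


def demo() -> List[ConsolidatedAlert]:
    """Run the sample through the correlator: 6 raw alerts become 3 records."""
    return consolidate(SAMPLE_ALERTS)


if __name__ == "__main__":
    merged = demo()
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(merged)} consolidated")
    for c in merged:
        print(render(c))
        for k, v in c.context.items():
            print(f"    {k} = {v}")
```

The first consolidated record is the one worth an admin's attention: the same hash was reported by the mail gateway, the antivirus and the EDR on two workstations within a few minutes, and the merged context shows where it came from (the attachment), what was touched (the file paths) and what it did (the process chain). The two single-tool records remain visible but are clearly less corroborated, and the late EDR hit five hours on is kept as a separate record rather than buried in a ticket that may already be closed.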
Humans aren’t great at repetitive, high-volume tasks, but artificial intelligence excels at them. Tools that use machine learning algorithms can support admins, including IT operations professionals, by sifting through security logs, triaging and assigning alerts, and automating other routine tasks. Properly implemented, this type of automation ensures admins get only the alerts that require their attention while reducing the tedium of repetitive, low-yield work. This, in turn, gives them more time to focus on tasks like threat analysis and response, to which human intelligence is better suited.
Given the volume of mostly false alarms that security teams confront each day, it’s easy for general admins and even IT operations personnel to let their guard down and miss or ignore legitimately suspicious activity. But by taking a few steps to reduce the total number of alerts and increase their relevance, you can help your admins stay vigilant.