How To Fight Alert Fatigue

Understanding Alert Fatigue

Over the past 30 years, the battle between attackers and defenders has played out. As the world moved into a new digital age where data became a primary currency attackers developed more sophisticated methods to breach defenses and exploit weaknesses.

Rushing to stop them was an army of technologies designed to protect every attack vector and detecting every anomalous event that could be a threat.

Then we reached the human element. Teams of skilled people tasked with implementing corporate cyber policy to analyze alerts, investigate suspicious activity, and resolve incidents.

In our efforts to protect ourselves and the corporations that employ us, we created an unforeseen problem – Alert Overload

Too many alerts came flooding in for analysts to realistically work and tough decisions must be made.

  • Do we ignore alerts?
  • How do I determine where best to spend my time?
  • Are incidents actually generating alerts?

State of the industry

Almost all enterprises now boast a comprehensive set of cybersecurity tools a survey undertaken by the Cloud Security Alliance found that half of the enterprises have six or more tools that generate alerts. 20% of enterprises have 11 or more tools and 12.7% have over 20 tools. 

These tools are creating more noise than it is possible to deal with In an article by Techworld, they stated that the average business in the USA deals with 10,000 security alerts every day. With the largest enterprises seeing up to 150,000 alerts per day.

At the enterprise level, it results in an average of 2.7 million alerts every month.

Let’s look a little closer at some of these alerts.

A study performed by FireEye showed that 52% of alerts are false positives and 64% are redundant. The conclusion is that over half of the alerts being received are not relevant and merely act as a waste of time, money, and effort. 

By removing the false positives we could effectively solve half the problem whilst saving significant amounts of money and making our organizations safer. 

When we look at the remaining alerts. We find that 40.4% of analysts say the alerts they receive lack actionable information to investigate.

Why haven’t we solved these problems?

Many have tried to tackle these challenges with the use of SIEM technology. However, the issue is that alerting systems such as a SIEM are often not equipped with the data required for analysts to make informed decisions.

In fact, an EMA study found that “This creates a situation where too many alerts are created, with the highest priority then requiring additional work by analysts to make a proper reprioritization.” – having minimal impact on overcoming core problems.

Those queried for the survey said they had to manually reprioritize over half of the threat alerts they receive which is in keeping with other statistical data we have reported.

This point was discussed In an article for SC Magazine by Nathan Wenzler, chief security strategist at AsTech Consulting who said of SIEM tools they were meant to aggregate the millions upon millions of events generated and allow security professionals and administrators a way to filter through the noise to find the most important, high-priority events that needed attention. “But, even these tools can struggle to bring only the most pertinent items up to the attention of those who need it, leading to huge volumes of alerts that must be reviewed and dealt with almost constantly.”

Next Steps

Perhaps one reason why we have not been able to effectively solve the issue with alert overload is it has traditionally been viewed as a security issue.

All operational environments generate many repetitive alerts that include false positives and true positives which form a big chunk of the alerts that pop up daily for security analysts to handle. The truth is we are dealing with an operational issue.

Operational challenges require an entirely new approach.

To start, after analyzing the industry as it is today there are two key areas that must be tackled in order to eliminate alert fatigue, reduce noise, and improve productivity.

  • Eliminate all recurring alerts (both false positives & true positives)
  • Automatic context

With the root causes of the problems identified we can now examine solutions in detail to solve this problem.

AlertFusion – A New Approach

At Alertfusion it became clear to us that once we understood these challenges as operational rather than security we could create a solution to tackle them.

Before you can eliminate false positives there must be sufficient context to determine:

  • Have we seen this alert before?
  • Is this a false positive or a true positive?
  • What steps were taken to remediate it?

Where other tools lack the context in order to answer these questions AlertFusion was designed to

  • Enhance visibility to linked or recurring alerts providing the organisation with real-time visibility of the entire alert landscape
  • Automatically identify recurring alerts and determine if they need to be automatically eliminated based on past remediation actions taken on the previously occurring alert.

The Impact

The impact is with AlertFusion you are able to answer the three key questions and take immediate action.

AlertFusion can automatically ask

  • Have we seen this alert before?
  • Was it a false positive or a true positive?
  • What steps were taken to remediate it earlier

Without the analyst being involved at all. An AlertFusion user recently closed over 400,000 alerts in 48 hours due to the immediate context and alert elimination capability AlertFusion provides.

By approaching the problem in this way we can eliminate the alert noise that enables organisations to focus the analyst’s time on any new or important alerts that require analyst intervention.

With AlertFusion, eliminate alert noise and enhance the effectiveness of your security analysts.

By Jayanth Varma, Founder

CEO/Founder of AlertFusion. We aim to improve the productivity of our customers by tackling the challenges faced by their analysts day in and day out. We do this through centralising alerts, eliminating rework, and retaining key knowledge.