How to Reduce Alert Fatigue: A Q&A Session with SecOps Experts
As cybersecurity alert volume grows, reducing the noise becomes critical.
By: Stacy Leidwinger, VP of Portfolio Marketing
SecOps teams are being inundated with alerts. The resulting alert fatigue is adversely affecting their ability to do their jobs. In fact, IDC estimates that SecOps teams at companies with 5000+ employees wind up ignoring about 23% of their alerts. At companies with 1500-4999 employees, that figure is closer to 30%. [1]
That’s why I sat down with three leading cybersecurity experts for a Q&A session all about alert fatigue, its causes, and why it is so critical to keep it at bay. My subjects for this deep-dive were none other than Top 50 Global Cybersecurity Influencer and former Defense Intelligence Agency Cyber Deputy Division Chief Tyler Cohen Wood, Berkeley Varitronics President and CEO Scott Schober, and DataOps pioneer Lenny Liebmann. Read on as we discuss how to reduce alert fatigue.
Q1: Does alert fatigue pose a threat to cybersecurity? If so, how serious?
A1 (Cohen Wood): Alert fatigue is a very serious problem that must be addressed. Without the right tools to properly consolidate alerts, classify them, and prevent false positives, alert fatigue can cause SecOps teams to miss critical alerts, waste time on too many false positives, or frankly, just hope that someone else will respond to an alert.
If we don’t take action to address alert fatigue, it’s just going to get worse. For one thing, we keep increasing the size of the attack surface by continually adding devices—especially IoT—to our digital ecosystems. For another, attacks keep escalating. So alert volume just keeps growing.
Q2: Alert fatigue isn’t just a logistical issue, though, is it?
A2 (Schober): No, it’s a psychological issue, too. And that aspect of alert fatigue is not trivial. Given how difficult it is to find, recruit, and retain cybersecurity talent, SecOps staff burnout isn’t something any organization can afford. Yet that’s exactly what happens when you allow your SecOps staff to become overwhelmed and start feeling like they are fighting an unwinnable battle without adequate resources. It’s this combination of overloading your team with more alerts than they can logistically handle and the psychological impact of that overload that makes alert fatigue so dangerous.
Q3: So, what’s the solution? What’s your advice on how to reduce alert fatigue?
A3 (Liebmann): Alert fatigue is, at its root, a data management problem. And when we have this particular type of data problem, we need to apply a few core best practices to the pipeline between the sources of the data and the human beings who are getting overwhelmed by the data:
- Reduce raw volume by suppressing/filtering the “noise”
- Reduce volume at the user’s screen by de-duplicating/aggregating related data
- Reduce cognitive workload for the user by logically prioritizing data requiring action/attention
- Enhance user productivity by making it easier for them to quickly handle each data event
- Implement feedback loops, machine learning, etc. to continuously improve DataOps efficiency
SecOps practitioners are not the first human beings in history to suffer from information overload. We’ve seen this phenomenon in lots of other places—from national defense to enterprise IT management. The only question is how SecOps teams can actually implement proven DataOps best practices in the context of their work.
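The pipeline stages Liebmann lists above (suppress noise, de-duplicate and aggregate, prioritize, feed analyst verdicts back), run end to end over a constructed alert feed. This is an added example and is not code from the Q&A participants or from any product the article mentions. The (source, rule, host) suppression key, the 10-minute aggregation window, the asset-criticality table and the scoring formula are assumptions chosen for illustration; a real SOC would tune each against its own telemetry.

```python
"""Alert pipeline for the stages listed above (suppress, aggregate,
prioritize, feed back). Added example, not code from the article or from
any product it mentions; every alert, rule and asset value below is
constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY = {"low": 1, "medium": 2, "high": 3}
# Assumed asset inventory: how much an asset matters (hosts not listed get 1).
ASSET_CRITICALITY = {"dc-01": 3, "web-01": 2, "backup-01": 1}


def alert(i, ts, source, rule, host, user, severity):
    return {"id": i, "ts": datetime.fromisoformat(ts), "source": source,
            "rule": rule, "host": host, "user": user, "severity": severity}


# Constructed sample feed: an authorised scanner, a password-spray burst
# against a domain controller, one EDR hit reported by two sensors, and a
# backup host whose nightly transfer trips a network rule.
ALERTS = [
    alert(1, "2024-03-01T10:00:00", "ids", "port-scan", "vuln-scanner-01", None, "low"),
    alert(2, "2024-03-01T10:00:30", "ids", "port-scan", "vuln-scanner-01", None, "low"),
    alert(3, "2024-03-01T10:01:00", "auth", "failed-login", "dc-01", "alice", "medium"),
    alert(4, "2024-03-01T10:01:05", "auth", "failed-login", "dc-01", "alice", "medium"),
    alert(5, "2024-03-01T10:01:10", "auth", "failed-login", "dc-01", "alice", "medium"),
    alert(6, "2024-03-01T10:01:20", "auth", "failed-login", "dc-01", "alice", "medium"),
    alert(7, "2024-03-01T10:01:30", "auth", "failed-login", "dc-01", "alice", "medium"),
    alert(8, "2024-03-01T10:05:00", "edr", "malware-detected", "web-01", "www", "high"),
    alert(9, "2024-03-01T10:05:00", "edr", "malware-detected", "web-01", "www", "high"),
    alert(10, "2024-03-01T10:07:00", "netflow", "large-outbound", "backup-01", None, "high"),
]

# Stage 1 input: suppression rules keyed on (source, rule, host). Starts with
# the authorised scanner; the feedback stage adds to it. Assumed key shape.
SUPPRESSION_RULES = {("ids", "port-scan", "vuln-scanner-01")}


def suppress(alerts, rules):
    """Stage 1: drop alerts matching a known-benign (source, rule, host)."""
    return [a for a in alerts if (a["source"], a["rule"], a["host"]) not in rules]


def aggregate(alerts, window=timedelta(minutes=10)):
    """Stage 2: merge alerts sharing (source, rule, host, user) whose
    timestamps fall within `window` of the group's first alert."""
    groups = []
    open_groups = {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["source"], a["rule"], a["host"], a["user"])
        g = open_groups.get(key)
        if g is None or a["ts"] - g["first"] > window:
            g = {"key": key, "first": a["ts"], "last": a["ts"], "count": 0,
                 "severity": a["severity"], "ids": []}
            open_groups[key] = g
            groups.append(g)
        g["count"] += 1
        g["last"] = a["ts"]
        g["ids"].append(a["id"])
    return groups


def score(group):
    """Stage 3: severity weighted by asset criticality, plus a capped bonus
    for repetition so a burst against a critical asset floats to the top."""
    host = group["key"][2]
    return SEVERITY[group["severity"]] * ASSET_CRITICALITY.get(host, 1) + min(group["count"], 10)


def prioritize(groups):
    return sorted(groups, key=score, reverse=True)


def record_disposition(group, verdict, rules):
    """Stage 4 (feedback): an analyst closing a group as benign turns its
    (source, rule, host) into a suppression rule for the next run."""
    if verdict == "benign":
        rules.add(group["key"][:3])


def run(alerts, rules):
    """Full pipeline: returns the prioritized work queue for one pass."""
    return prioritize(aggregate(suppress(alerts, rules)))


if __name__ == "__main__":
    queue = run(ALERTS, SUPPRESSION_RULES)
    for g in queue:
        print(score(g), g["key"], "x%d" % g["count"], g["ids"])
    # Analyst closes the backup-host alert as benign; the next pass is shorter.
    record_disposition(queue[-1], "benign", SUPPRESSION_RULES)
    print([g["key"][1] for g in run(ALERTS, SUPPRESSION_RULES)])
```

On the first pass ten raw alerts collapse to three work items, with the five-alert failed-login burst against the domain controller ranked above a single high-severity hit on a less critical host; after the analyst marks the backup transfer benign, the second pass yields two. The feedback stage is the one to watch for over-suppression: a rule keyed on (source, rule, host) silences every future alert of that kind from that host, so dispositions should be reviewed periodically rather than accumulated forever.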
Q4: Are there best practices for overcoming alert fatigue?
A4 (Cohen Wood): Absolutely. There are many tools available for better classifying and de-duplicating your alerts—as well as more aggressively reducing false positives. You also want to look for cybersecurity solutions that leverage AI/ML technology in conjunction with human intelligence to help you reduce false positives and guide your team to work on the most critical problems first.
There are lots of other things you can do to reduce SOC stress, too. For example, you should ensure that your SOC has a complete, accurate, and up-to-date inventory of your ecosystem. Proper implementation of a Zero Trust environment also helps mitigate alert fatigue by keeping the threat surface more manageable.
Q5: Don’t we have to be careful about over-suppressing and/or under-reacting to alerts, too?
A5 (Schober): Of course. If you miss an important alert, you can give a cybercriminal just enough window of opportunity to gain a foothold in your environment, allowing them to discreetly exfiltrate sensitive data and IP before you detect them. This is why you need to complement any effort to mitigate alert fatigue with the most advanced threat hunting possible. A big part of the XDR value proposition is based on this growing need to optimally leverage telemetry from everywhere—endpoints, the network, multiple clouds, etc.—to quickly zero in on active threats even as cybercriminals do everything in their power to mask their activity.
I enjoyed discussing with these experts how we as a community can help cybersecurity professionals avoid alert fatigue. If you are looking to learn more, I recommend checking out our whitepaper titled “Reduce Cyber Alert Fatigue in your IT Environment”.

[1] Source: In Cybersecurity Every Alert Matters, an IDC White Paper