A recent survey by the Cloud Security Alliance found, among other things, that out of a sampling of 2,542 anomalous event alerts, only 23.2 percent were actual threats — the rest were false positives. This is one reason “alert fatigue” persists, plaguing security teams in many organizations and across industries. To fully understand the implications of alert fatigue and the role it plays in failing to prevent damaging breaches, it’s important to dig a little deeper into its causes.
Alert fatigue describes the situation when security teams are inundated with alerts, making it impossible for them to investigate and respond to each one. Consequently, a serious alert can be overlooked until it’s too late. There are numerous high-profile breaches attributed to alert fatigue, one of the most infamous being the Target breach.
There are a number of reasons alert fatigue persists in the cybersecurity community. Here are some examples of why an IT security team might suffer from this problem:
Complex IT environments:
It wasn’t that long ago that IT environments consisted largely of centrally managed hardware components with tight integrations. Change happened slowly and systems were fairly easy to monitor and control. However, today’s vast mixture of physical and virtual infrastructures, as well as countless applications and a myriad of solutions that need to perform in concert, has dramatically increased the sources for alerts. Adding more frustration is the fact that the internal IT teams required to monitor these more sophisticated tools haven’t expanded at the same rate, resulting in complex noisy environments, without the staff needed to respond effectively.
Lack of context:
Alerts arriving with no context or actionable information attached can lead a security team down a rabbit hole trying to remediate the situation. To be effective, an alert needs to paint a complete picture, including the source of the problem, which machines are impacted and any other details necessary to allow IT security to quickly analyze and neutralize the threat completely.
Redundant alerts:
If a security team is receiving dozens or hundreds of alerts for the same issue, it’s easy to see how alert fatigue can happen. It may be a question of fine-tuning tolerances on some of your security tools, or it could be that you have layers of non-integrated security solutions all bombarding you with redundant alerts. That’s why it’s important to consolidate and correlate threat data and perhaps move to a more integrated, platform-based security solution.
Increase in false positives:
As in the case of redundant alerts, combining multiple sources for alerts with poorly tuned, uncoordinated or inadequate security tools will inevitably lead to more false positives. This results in alert fatigue because it’s human nature to become inured to alerts if the majority of them are false – in a sea of false positives, the true positive is likely to be missed.
Alert delivery issues:
If alerts aren’t going to the right people on your team, or the right people don’t have the right access, important alerts can get missed. There can also be a problem if low priority alerts are being delivered in the same timeframe as high priority notifications. For instance, if your team is getting low priority alerts consistently at all hours, don’t be surprised if one day someone ignores an important alert that arrived at 2 am.
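The consolidation and priority-separation points above (collapsing the same issue reported by several tools into one incident, and keeping low-priority noise off the channel that wakes someone at 2 am) are illustrated by the following added example. It is not code from the original post or from CrowdStrike; the alert feed, tool names and field names are constructed for illustration, and the 15-minute correlation window is an assumed tuning value.

```python
"""Added example (not from the original post): deduplicate and correlate
redundant alerts from several tools, then route incidents by severity so
low-priority items never share the on-call channel.  All alert records,
tool names and field names below are constructed sample data."""
from datetime import datetime, timedelta

# Constructed feed: two tools report the same event three times within a few
# seconds, one unrelated low-severity alert follows, and a late repeat of the
# first issue arrives well outside the correlation window.
SAMPLE_ALERTS = [
    {"ts": "2024-01-10T02:03:10", "tool": "edr",  "host": "ws-042", "rule": "credential-dump", "severity": "high"},
    {"ts": "2024-01-10T02:03:12", "tool": "siem", "host": "ws-042", "rule": "credential-dump", "severity": "high"},
    {"ts": "2024-01-10T02:03:40", "tool": "edr",  "host": "ws-042", "rule": "credential-dump", "severity": "high"},
    {"ts": "2024-01-10T02:10:00", "tool": "av",   "host": "ws-017", "rule": "pua-toolbar",     "severity": "low"},
    {"ts": "2024-01-10T02:45:00", "tool": "siem", "host": "ws-042", "rule": "credential-dump", "severity": "high"},
]

WINDOW = timedelta(minutes=15)  # assumed tuning value, not from the post

def fingerprint(alert):
    # The same issue, regardless of which tool reported it.
    return (alert["host"], alert["rule"])

def correlate(alerts, window=WINDOW):
    """Collapse alerts with the same fingerprint arriving within `window` of the
    previous one into a single incident that records count and reporting tools."""
    incidents, open_by_key = [], {}
    for a in sorted(alerts, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(a["ts"])
        key = fingerprint(a)
        inc = open_by_key.get(key)
        if inc is None or ts - inc["last_seen"] > window:
            inc = {"host": a["host"], "rule": a["rule"], "severity": a["severity"],
                   "first_seen": ts, "last_seen": ts, "count": 0, "tools": set()}
            incidents.append(inc)
            open_by_key[key] = inc
        inc["count"] += 1
        inc["last_seen"] = ts
        inc["tools"].add(a["tool"])
    return incidents

def route(incidents):
    """Two channels: high severity pages on-call immediately; everything else
    goes to a queue reviewed during business hours."""
    channels = {"page_oncall": [], "daily_queue": []}
    for inc in incidents:
        target = "page_oncall" if inc["severity"] == "high" else "daily_queue"
        channels[target].append(inc)
    return channels

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc["host"], inc["rule"], inc["count"], sorted(inc["tools"]))
```

Running it collapses the five raw alerts into three incidents; the late repeat is kept separate because it falls outside the window, which is the kind of threshold that needs tuning per environment.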
What is the Solution to Alert Fatigue?
Automation Tools are Important
The robust nature of today’s cybercrime, hacktivism and nation-state attacks means that noisy alerting will not diminish any time soon. While many security vendors promote their abilities to correlate, contextualize and consolidate threats, the rapidly evolving threat landscape makes dialing back the noise a challenging objective. Endpoint security tools that include machine learning and behavioral analysis can be critical in providing triage support for your internal IT security team, reducing overall alert volume as well as cutting down on redundant alerts and false positives. However, accurate and lasting remediation still requires human intervention, particularly given today’s complex threat landscape.
Managed Threat Hunting is Key
Eliminating the consequences of alert fatigue while ensuring that stealthy attacks can be detected and analyzed immediately has made proactive threat hunting a necessity for organizations in every market sector. Unfortunately, building an internal threat hunting team is challenging. The tasks of resourcing, staffing and operationalizing this capability are simply out of reach for most organizations’ IT security teams.
This is why the CrowdStrike Falcon Platform includes Falcon OverWatch™, an elite team of expert threat hunters who work around the clock to detect, analyze and eliminate adversaries threatening clients’ environments. The CrowdStrike team works alongside internal security teams to eliminate alert fatigue by going beyond alerting to focus on subtle signs of attacks that might lead to a serious compromise if left unattended. They analyze the complete context of the threats an organization is facing and prioritize them to remediate instantly, before incidents turn into full-blown breaches. Falcon OverWatch threat hunters are currently stopping more than two breaches per hour for CrowdStrike clients.
To learn more about Falcon OverWatch, and how it can improve security posture while alleviating alert fatigue, register for the live webcast: Proactive Threat Hunting: Game-Changing Endpoint Protection Above and Beyond Alerting.