Security alert overload: the real cost of alert fatigue

IT security professionals continuously have to tackle high levels of security alerts in the global cybersecurity space. The volume of alerts is increasing at an alarming rate, making it difficult for IT to manage and maintain. By Eldad Chai, SVP Product Management, Imperva.

  • Monday, 4th February 2019, posted by Phil Alsop

From malware alerts and notices that new services have been installed, to alerts about password-guessing attempts, the alerts can take a variety of forms. The list is so far-reaching that it comes as no surprise that there is an evident overload for IT security professionals.

The real problem is that the number of security alerts is proving detrimental for IT security professionals and for companies overall, costing them not only time, but also a substantial amount of money.

The cost of alert fatigue

The abundance of security alerts can result in alert fatigue, a sense of frustration, and desensitisation to what is perceived to be unmanageable.

Alert fatigue is felt in our daily life. For example, when concentrating on an important piece of work, your phone buzzes 20 times in a row, but you ignore it. When you go to check your email inbox, and there are 50 messages waiting for you whilst you were busy at a meeting, you ignore this too. This is done to focus on your current task.

Alert fatigue in your personal life has far fewer consequences than it does for security teams, where it can prove to be significantly detrimental: all it takes is one cyber threat to go undetected and it can easily bring down the entire operation.

The impact of false positives

A false positive security alert or any other kind of erroneous alert that is tracked can be very time consuming. Wasted time inevitably leads to wasted money. It also diverts attention from more urgent or important tasks that help your business succeed.

As such, in a bid to be more efficient with their time, many security professionals learn to tune these out. Worryingly, our recent survey revealed that when the Security Operations Centre (SOC) has too many alerts for analysts to process, nearly one in 10 said they turn off alert notifications altogether.

While many of the alerts reaching security teams represent false positives, a large number also alert them to events which, if ignored, could put an organisation at serious risk. Target, one of the biggest global department store retailers, experienced this at first hand.

It is widely speculated that a key factor behind the Target data breach was its security team ignoring critical malware alerts because they had received too many of those types of alerts in the past, and all had been false positives. Except, in this case, the alerts weren’t false positives, and ended up being detrimental for the company.

Tackling alert fatigue

It is imperative that critical alerts are not missed. However, with IT security teams spread thin, this adds overwhelming uncertainty and added pressure not to make a mistake. Yet not all businesses have the luxury of hiring more staff when alert volume becomes too high, nor is it cost-effective to do so.

Addressing the burden requires consistent support that groups, consolidates and analyses thousands of security alerts across environments. It also demands the capability for IT to quickly identify the most critical security events, with precision, reducing the noise through fewer, but more accurate, alerts.

Many companies are leveraging the power of artificial intelligence (AI) and machine learning to work alongside security teams in combating security alert fatigue. This has proven beneficial in terms of accuracy and reliability, with many organisations having a strong appetite to roll this out universally.

AI ultimately simplifies threat discovery, allowing security teams to focus more intently on real threats. By automating alert investigation, more common alerts such as failed logins or malware detection can be dealt with more efficiently.
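As an added illustration (not code from the article or from Imperva), here is a small Python consolidation-and-triage pass of the kind described in the two paragraphs above: it collapses repeated alerts for the same host and category into one consolidated alert, escalates a burst of failed logins, and auto-closes only low-severity findings from a source that has been tuned as benign, so that high-severity alerts are always surfaced regardless of how noisy their source has been. Every alert, threshold, tool name and host name is constructed for the example.

```python
"""Alert consolidation and triage over a constructed sample feed.

Added example, not the article's or any vendor's code. Sources, hosts,
categories and thresholds below are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical tuning: a burst of failed logins on one host inside this window
# is escalated instead of being left as a pile of individual low-severity alerts.
FAILED_LOGIN_WINDOW_SECONDS = 300
FAILED_LOGIN_ESCALATE_AT = 10

# Sources an analyst has reviewed and tuned as benign for low/medium findings.
# Their high/critical alerts are never auto-closed (the Target lesson above).
KNOWN_BENIGN_SOURCES = {"internal-vuln-scanner"}


@dataclass
class Alert:
    ts: int          # epoch seconds (constructed)
    source: str      # tool that raised the alert
    category: str    # e.g. failed_login, malware
    host: str
    severity: str
    detail: str


@dataclass
class ConsolidatedAlert:
    category: str
    host: str
    severity: str
    count: int
    first_ts: int
    last_ts: int
    sources: set = field(default_factory=set)
    note: str = ""


# Constructed feed: 12 repeated failed logins on web-01, two malware hits on a
# POS host, one stray failed login on db-02, three low-severity scanner findings.
SAMPLE_ALERTS = (
    [Alert(1000 + 10 * i, "siem", "failed_login", "web-01", "low",
           "bad password for svc_backup") for i in range(12)]
    + [Alert(2000, "edr", "malware", "pos-07", "high", "quarantined dropper.exe"),
       Alert(2030, "edr", "malware", "pos-07", "high", "dropper.exe re-created")]
    + [Alert(1500, "siem", "failed_login", "db-02", "medium", "bad password for admin")]
    + [Alert(3000 + i, "internal-vuln-scanner", "vuln_scan_finding", "web-01", "low",
             "weak TLS cipher advertised") for i in range(3)]
)


def consolidate(alerts):
    """Group raw alerts by (category, host) into one ConsolidatedAlert each,
    keeping the highest severity seen and escalating failed-login bursts."""
    groups = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        groups[(a.category, a.host)].append(a)
    out = []
    for (category, host), items in groups.items():
        top = max(items, key=lambda a: SEVERITY_RANK[a.severity]).severity
        c = ConsolidatedAlert(category, host, top, len(items),
                              items[0].ts, items[-1].ts, {a.source for a in items})
        if category == "failed_login":
            span = c.last_ts - c.first_ts
            if c.count >= FAILED_LOGIN_ESCALATE_AT and span <= FAILED_LOGIN_WINDOW_SECONDS:
                c.severity = "high"
                c.note = f"{c.count} failed logins in {span}s: possible brute force"
        out.append(c)
    return out


def triage(consolidated):
    """Split consolidated alerts into an analyst queue (most urgent first) and
    an auto-closed list. Only sub-high alerts from tuned-benign sources close."""
    queue, auto_closed = [], []
    for c in consolidated:
        benign = (c.sources <= KNOWN_BENIGN_SOURCES
                  and SEVERITY_RANK[c.severity] < SEVERITY_RANK["high"])
        (auto_closed if benign else queue).append(c)
    queue.sort(key=lambda c: (-SEVERITY_RANK[c.severity], -c.count))
    return queue, auto_closed


if __name__ == "__main__":
    queue, closed = triage(consolidate(SAMPLE_ALERTS))
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(queue)} for analysts, {len(closed)} auto-closed")
    for c in queue:
        print(f"  [{c.severity}] {c.category} on {c.host} x{c.count} {c.note}")
```

Run as written, the 18 raw alerts become four consolidated ones, three of which reach the queue, with the escalated failed-login burst on web-01 sorted above the malware hits; the scanner findings are auto-closed only because they are low severity and come solely from a reviewed source.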

As organisations continue growing their global footprint of IT resources and use a variety of security tools to protect those resources, it is to be expected that the alerts reaching security teams will grow in volume. The time that security teams spend snowed under multitudes of alerts, filtering the false positives from the real threats, is time that isn’t spent fighting the critical security issues facing the company.


Significant change needs to occur to alleviate the pressures security teams are facing, not only to aid business operations but also to ensure the success of an organisation’s future.
