Security Alert Fatigue Making Life Tough for IT Pros
Eric Adams understands the effect of security alert fatigue from many vantage points. As a longtime security professional, he has experienced it many times himself.
And as Kyriba’s chief information security officer, he has seen the effect it has on good security people who have become completely frustrated, numb or less effective because of security alert fatigue.
Kyriba’s products help businesses protect against fraud and financial risk.
“We have seen that if there are more than about 75 events over an hour, it’s just too many alerts,” he said. “It’s like being an air traffic controller. When you have a certain threshold of events per hour, you run the risk of an analyst not running the full playbook or analysis of an event.”
In fact, alert overload is a huge problem, and it can sabotage security operations. According to one recent report, the vast majority of security analysts say it takes more than 10 minutes to investigate each alert. It’s just a matter of doing the math.
This article originally appeared on Channel Futures’ sister site, IT Pro Today.
In addition to alert overload, false positives and security analyst churn also contribute to security alert fatigue. One study found that more than two in five organizations get false positive alerts in more than 20% of cases, while 15% reported that more than half of their security alerts are false positives.
Experts Weigh In
Here, experts weigh in on ways to reduce security alert fatigue.
Upgrade and modernize if you can. Ideally, this will include as much automation as possible.
Jason Mical, cybersecurity evangelist at Devo Technology, says the best way to do that is to replace a legacy security information and event management (SIEM) system with a newer version that is more automated and rule-based and relies more on artificial intelligence and machine learning. Newer SIEMs have access to all of the data in an environment, not just security data, which gives every alert more context and helps prioritize them. More modern SIEMs also tend to provide more visibility. Together, these capabilities winnow the alert stream down to the alerts that are actually actionable, which reduces alert fatigue.
For Kyriba, the solution was an automated security operations center (SOC) based on a Respond Software product with an integrated SIEM.
“In our case, the Respond software covers Levels 1 and 2 alerts and can take actions based on a playbook, and escalate only those that need personal attention,” Adams said. “So our personnel only look at those qualified alerts, determine whether they are valid or a false positive, and provide feedback into the Respond tooling.”
The automated nature of this solution helps reduce alert fatigue and frees analysts up to work on other tasks.
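To make the "doing the math" concrete, here is an added example (not code from Kyriba, Respond Software or Devo) of the tiered triage the article describes: a playbook handles Level 1 and 2 alerts, only alerts that need a person are escalated, analyst verdicts feed back so that rules they keep marking as false positives are closed automatically, and the resulting analyst load is checked against the 75-events-per-hour and 10-minutes-per-alert figures quoted above. The alert stream, the playbook actions and the severity/context rules are all constructed for illustration.

```python
"""Tiered alert triage with a feedback loop and fatigue metrics.

Added example with constructed data; the playbook and thresholds below are
assumptions, not any vendor's product logic.
"""
import math
from collections import Counter
from dataclasses import dataclass

# Figures quoted in the article.
MAX_EVENTS_PER_HOUR = 75        # beyond this, analysts start skipping playbook steps
MINUTES_PER_INVESTIGATION = 10  # lower bound an analyst spends per escalated alert

# Hypothetical scripted Level 1/2 responses, keyed by detection rule name.
PLAYBOOK = {
    "malware_signature": "isolate_host",
    "port_scan": "block_source_ip",
}


@dataclass
class Alert:
    alert_id: int
    rule: str
    severity: int              # 1 = informational ... 4 = critical
    asset: str
    asset_critical: bool       # context a modern SIEM joins in from asset inventory
    user_recent_failures: int  # context joined in from authentication logs


def triage(alert: Alert, feedback: dict) -> tuple:
    """Return (tier, action); tier is "auto" or "escalate".

    feedback maps rule -> Counter({"valid": n, "false_positive": m}) built from
    analyst verdicts, so noisy rules are learned instead of hand-tuned.
    """
    verdicts = feedback.get(alert.rule, Counter())
    total = verdicts["valid"] + verdicts["false_positive"]
    noisy = total >= 20 and verdicts["false_positive"] / total >= 0.9
    needs_person = (alert.severity >= 3 or alert.asset_critical
                    or alert.user_recent_failures >= 5)
    if noisy and not needs_person:
        return ("auto", "close_known_noise")
    if needs_person:
        # A scripted containment still runs; a person then reviews the result.
        return ("escalate", PLAYBOOK.get(alert.rule, "analyst_review"))
    if alert.rule in PLAYBOOK:
        return ("auto", PLAYBOOK[alert.rule])
    if alert.severity == 1:
        return ("auto", "close_and_retain")  # kept for later correlation
    return ("escalate", "analyst_review")


def record_verdict(feedback: dict, alert: Alert, verdict: str) -> None:
    """Store an analyst's "valid" or "false_positive" verdict for the rule."""
    feedback.setdefault(alert.rule, Counter())[verdict] += 1


def false_positive_rates(feedback: dict) -> dict:
    """Per-rule share of verdicts that were false positives."""
    return {rule: c["false_positive"] / (c["valid"] + c["false_positive"])
            for rule, c in feedback.items()}


def workload(alerts: list, feedback: dict, window_hours: float) -> dict:
    """Analyst load after triage, measured against the article's thresholds."""
    escalated = sum(1 for a in alerts if triage(a, feedback)[0] == "escalate")
    minutes = escalated * MINUTES_PER_INVESTIGATION
    return {
        "raw_per_hour": len(alerts) / window_hours,
        "escalated": escalated,
        "escalated_per_hour": escalated / window_hours,
        "analyst_minutes": minutes,
        "analysts_needed": math.ceil(minutes / (window_hours * 60)),
        "over_threshold": escalated / window_hours > MAX_EVENTS_PER_HOUR,
    }


def constructed_hour() -> list:
    """One constructed hour of alerts: 135 events from four rules."""
    alerts, n = [], 0
    for i in range(90):   # chatty rule with no playbook: goes to a person by default
        n += 1
        alerts.append(Alert(n, "failed_login_burst", 2, f"ws-{i % 10}", False, 0))
    for i in range(30):   # scripted block, no person needed
        n += 1
        alerts.append(Alert(n, "port_scan", 2, f"srv-{i % 5}", False, 0))
    for i in range(12):   # high severity: contain and escalate
        n += 1
        alerts.append(Alert(n, "malware_signature", 3, f"ws-{i}", False, 0))
    for _ in range(3):    # risky context on a critical asset
        n += 1
        alerts.append(Alert(n, "admin_login", 2, "dc-1", True, 6))
    return alerts


def demo() -> tuple:
    """Load before and after analysts feed back verdicts on the chatty rule."""
    alerts, feedback = constructed_hour(), {}
    before = workload(alerts, feedback, window_hours=1)
    # Analysts work 20 of the escalated failed_login_burst alerts: 19 are noise.
    for a in alerts[:20]:
        record_verdict(feedback, a, "valid" if a.alert_id == 1 else "false_positive")
    after = workload(alerts, feedback, window_hours=1)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before feedback:", before)
    print("after feedback: ", after)
    print("false-positive rates:", false_positive_rates(demo and {}))
```

Before the feedback loop kicks in, 105 of the 135 constructed alerts reach a person, which at ten minutes each is 1,050 analyst-minutes in a one-hour window, well past the 75-per-hour point at which analysts stop running the full playbook. Once the chatty rule has been marked noise in 19 of 20 verdicts it closes automatically, and escalations fall to 15 per hour.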
If you can’t upgrade, you’re not completely out of luck; focus on …