Cybersecurity In-Depth

The Edge

How Do I Handle Security Alert Fatigue?

Adding more security tools might add more security — or just more headaches (and risk).

Question: I have alert fatigue from all these security alerts. What’s my solution? More tools?

Anthony Diaz, division VP of emerging services at Optiv: You're not alone. Alert fatigue is becoming a universal problem, and it's mainly due to a reactionary cybersecurity marketplace where security operations teams are challenged with transforming their approaches to keep pace with the innovations that are being applied to continuously evolving business models.

Traditional, non-integrated SOCs are not designed to address the dynamic nature of today's businesses, the accelerating volume of alerts per hour, or the thousands of raw events per second coming from monitoring and detection products. Solving these operational concerns requires a shift in thinking that focuses on the root cause problem rather than reacting to the symptoms.

Adding more tools can actually add more complexity and gaps, increasing risk. It is always important to make sure every tool is implemented and utilized correctly.

We recommend that businesses:

1. Create a strategy around detection and response, including critical/high-value assets so teams can first focus on what matters most and then expand coverage.

2. Follow a framework and process around content management (rules in SIEM/tools) that govern the curation of content so you can have alerts/detections that are fresh and don't create false positives.

3. Consider adding security orchestration, automation, and response (SOAR) capabilities, if you haven't already. The security services integrator can focus on Tier 1-3 analysis, and your team can focus on escalation, investigation, and remediation.

What do you advise? Let us know in the Comments section, below.

Do you have questions you'd like answered? Send them to [email protected].