
10/21/2019 10:00 AM
Kelly Sheridan

Surviving Security Alert Fatigue: 7 Tools and Techniques

Experts discuss why security teams are increasingly overwhelmed with alerts and share tactics for lightening the load.

It's an all-too-common problem for today's security teams: Alerts stream from a range of tools (some of them misconfigured) and flood operations centers, forcing analysts to sort through them and decide which ones deserve attention. Suffice it to say, major problems arise when critical alerts slip through the cracks and lead to a security incident.

"One of the biggest drivers of alert fatigue is the fact that people are unsure or unconfident about the configuration that they have or the assets they have," says Dr. Richard Gold, head of security engineering at Digital Shadows. "What happens is you end up with a lot of alerts because people don't understand the nature of the problem, and they don't have time to."

Dr. Anton Chuvakin, head of solution strategy at Chronicle Security, takes it a step further: Many businesses are overwhelmed by alerts because they have never needed to handle them.

"I think a lot of organizations, until very recently, still weren't truly accepting of the fact they have to detect attacks and respond to incidents," he explains. Now, those that never had a security operations center or security team are adopting threat detection and are underprepared.

The proliferation of security tools is also contributing to the alert fatigue challenge, Chuvakin notes. "Today we have a dramatically wider scope of where we are looking for threats," he continues. "We have more stuff to monitor, and that leads alerts to increase as well." The most obvious risk of alert overload, of course, is that companies could miss the most damaging attacks.

Security staff tasked with processing an unmanageable number of alerts will ultimately suffer from burnout and poor morale, security experts agree. What's more, overwhelmed employees may also simply shut off their tools.

It isn't the technology's fault, notes Chris Morales, head of security analytics at Vectra. "We don't have a detection problem – we have a prioritization problem," he explains. Any given person in a commercial security environment is tasked with multiple jobs: parsing data, writing scripts, knowing the ins and outs of cloud – and managing a range of tech in their environment.

"The amount of data being pushed through corporate networks today is unlike anything we could have imagined 10 years ago," says Richard Henderson, head of global threat intelligence at LastLine. Organizations are struggling, and the onslaught of alerts is putting them at risk.

Here, security experts share their thoughts on the drivers and effects of alert fatigue, as well as the tools and techniques businesses can use to mitigate the problem. Which strategies have you used to combat alert overload? Which are effective? Feel free to share in the Comments section, below.

(Image: VadimGuzhva - stock.adobe.com)

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
ksreiter,
User Rank: Strategist
10/24/2019 | 1:50:19 PM
tl;dr version to save you from clicking through
Even though this could have been a single page article, someone needs to generate revenue/click rates.

Define Your Use Case;
Configure with Care;
Threat Tools: SOAR, SIEM, EDR;
Learn to Operate the Tools You Have;
Be Sure Assets Are Up to Date;
Account for 'Legit' Alerts;
Learn from Past Mistakes

No vendor or product links.