Combatting cyber-alert fatigue

David Atkinson at SenseOn explores the dangers of anxiety and indifference and explains how cyber-security teams can combat alert fatigue


The belief that more security tools equate to greater security is widespread among cyber-security professionals today, with a recent survey by SenseOn revealing that over three quarters (78%) hold this view.


These experts understand that cyber-security tools are crucial for defending their organisations against digital threats, as they monitor user behaviour, network traffic, and system operations to detect and mitigate risks before they escalate into major incidents. However, the assumption that an increased number of tools inherently leads to better security is not always accurate.


Despite CISOs investing in towering stacks of security solutions, more than 30 million records have been breached so far in 2024. This contradiction reveals that far from strengthening corporate defences, investment is often channelled into point products that address isolated problems or vulnerabilities.


The result, almost inevitably, is over-complicated security and the unhelpful phenomenon of ‘alert fatigue’. This significantly undermines the effectiveness of threat detection across any organisation and is a cause of cyber-security team burnout.


The ‘alert fatigue’ problem

The problem is real and widespread. A point solution can generate thousands of alerts in a week, of which only a small percentage prove justified. This flood of notifications places a heavy burden on those responsible for checking each alert, who lose hours sifting through false positives. The impact of alert fatigue cannot be ignored.


Not only does it cost businesses money, but it also makes Security Operations Centre (SOC) teams unhappy, affecting retention. Some team professionals might even explore new careers as a direct result of alert fatigue, potentially worsening the cyber-security talent shortage.


SOC analysts are left in a state where they are constantly fearful that they may have overlooked genuine security incidents amid the barrage of repetitive or redundant alerts. If a fully warranted alert is mistakenly dismissed as just another false alarm amid daily noise, organisations run the risk of overlooking a genuine threat which can lead to a catastrophic data breach.


On the other hand, every false positive alert undermines the ability to respond to true positives consistently and quickly. Alert fatigue can also translate into the loss of trust in security operations across the entire organisation. Each time the security team interrupts everyone’s workflows due to a false alarm, employees simply get annoyed and weary, and start to take security events less seriously.


Tuning responses to the right pitch

Tuning out false positives is not straightforward. A quiet environment brings its own dangers. When configuring the system to alert less often, there is a risk the team will exclude real threats from detection.


Avoiding alert fatigue requires a two-pronged approach. Firstly, SOC teams need a way to dynamically filter false-positive alerts out of the alert queue. Secondly, they should make investigating real alerts faster and less stressful.


How do teams do that? Mainly by investing in proactive defence, automating threat detection at endpoints, and integrating AI into cyber-security platforms.


Automation, data collection and AI

Automating threat detection at endpoints does, however, require a new approach to data collection. To gain context on real threats, analysts need a unified source of data that pulls network, endpoint and user information together into a single case. SOC teams need one solution that collects all endpoint data and correlates it with information from their network and cloud environments.


Then, by using advanced AI-powered anomaly detection engines, the solution can distinguish genuine threats from noise, significantly reducing the number of false positives. Employing automation for data correlation and aligning with MITRE ATT&CK frameworks also has the advantage of significantly boosting SOC productivity.
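The correlation step described above, as an added example that is not SenseOn's code: alerts from endpoint, network and identity tools about the same host or user are pulled into one case, repeats of the same detection within a short window are collapsed into a single entry with a count, and each case is ranked by how many independent tools agree. The alert field names, the sample alerts and their ATT&CK technique tags are constructed for this demonstration.

```python
"""Correlate alerts from endpoint, network and identity tools into cases.

Added example, not SenseOn's code. The alert field names (ts, source, host,
user, rule, technique) and the sample alerts are constructed for this demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: seven raw alerts from three tools about two machines.
RAW_ALERTS = [
    {"ts": "2024-05-01T09:00:01", "source": "endpoint", "host": "ws-17", "user": "alice",
     "rule": "suspicious_powershell", "technique": "T1059.001"},
    {"ts": "2024-05-01T09:00:03", "source": "endpoint", "host": "ws-17", "user": "alice",
     "rule": "suspicious_powershell", "technique": "T1059.001"},  # repeat of the line above
    {"ts": "2024-05-01T09:00:40", "source": "network", "host": "ws-17", "user": None,
     "rule": "dns_to_new_domain", "technique": "T1071.004"},
    {"ts": "2024-05-01T09:01:10", "source": "identity", "host": None, "user": "alice",
     "rule": "impossible_travel", "technique": "T1078"},
    {"ts": "2024-05-01T10:15:00", "source": "network", "host": "srv-db-2", "user": None,
     "rule": "port_scan_inbound", "technique": "T1046"},
    {"ts": "2024-05-01T10:15:05", "source": "network", "host": "srv-db-2", "user": None,
     "rule": "port_scan_inbound", "technique": "T1046"},
    {"ts": "2024-05-01T10:15:09", "source": "network", "host": "srv-db-2", "user": None,
     "rule": "port_scan_inbound", "technique": "T1046"},
]

DEDUP_WINDOW = timedelta(minutes=5)  # repeats of one rule within this window count once


class UnionFind:
    """Links hosts and users that appear together so one case spans both."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def entities(alert):
    """The host and/or user an alert is about, as hashable keys."""
    keys = []
    if alert.get("host"):
        keys.append(("host", alert["host"]))
    if alert.get("user"):
        keys.append(("user", alert["user"]))
    return keys


def build_cases(alerts, window=DEDUP_WINDOW):
    """Group alerts into one case per connected set of entities.

    Each case records which tools fired, which ATT&CK techniques were seen,
    and a de-duplicated list of detections with a repeat count.
    """
    uf = UnionFind()
    for a in alerts:
        ents = entities(a)
        for e in ents:
            uf.find(e)
        for e in ents[1:]:
            uf.union(ents[0], e)

    cases = defaultdict(lambda: {"entities": set(), "sources": set(),
                                 "techniques": set(), "detections": []})
    for a in sorted(alerts, key=lambda a: a["ts"]):
        ents = entities(a)
        if not ents:
            continue  # nothing to correlate on; belongs in a separate triage queue
        case = cases[uf.find(ents[0])]
        case["entities"].update(ents)
        case["sources"].add(a["source"])
        case["techniques"].add(a["technique"])
        ts = datetime.fromisoformat(a["ts"])
        last = next((d for d in reversed(case["detections"])
                     if d["source"] == a["source"] and d["rule"] == a["rule"]), None)
        if last and ts - last["last_seen"] <= window:
            last["count"] += 1  # same tool, same rule, shortly after: one detection
            last["last_seen"] = ts
        else:
            case["detections"].append({"source": a["source"], "rule": a["rule"],
                                       "count": 1, "first_seen": ts, "last_seen": ts})

    result = []
    for case in cases.values():
        result.append({
            "entities": sorted(case["entities"]),
            "sources": sorted(case["sources"]),
            "techniques": sorted(case["techniques"]),
            "detections": case["detections"],
            "raw_alerts": sum(d["count"] for d in case["detections"]),
            "priority": len(case["sources"]),  # independent tools agreeing is the stronger signal
        })
    result.sort(key=lambda c: (-c["priority"], -c["raw_alerts"]))
    return result


if __name__ == "__main__":
    for case in build_cases(RAW_ALERTS):
        print(f"priority={case['priority']} entities={case['entities']} "
              f"sources={case['sources']} raw={case['raw_alerts']} "
              f"detections={len(case['detections'])}")
```

On the sample data, seven raw alerts become two cases holding four detections: the workstation case is ranked first because three separate tools agree about the same host and user, while the three identical port-scan alerts against the database server collapse into one detection with a count of three. The union-find is what lets an identity alert carrying only a username land in the same case as an endpoint alert carrying only a hostname, provided some alert has mentioned both together.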


Benchmarks for normal behaviour

To maximise the benefits of AI-powered cyber-security platforms, teams should understand the normal patterns of user and device behaviour. For SOCs to identify potential threats from anomalies much faster they should move beyond simple rule-based alerts to incorporate user and entity behaviour analytics.


This dynamic approach adjusts to the evolving environment of an organisation and improves threat detection precision while reducing false alarms.
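The contrast between a fixed rule and a per-entity baseline, as an added example that is not SenseOn's code, covering both the tuning dilemma raised earlier (a quieter threshold can hide real threats) and the behavioural approach described in this section: each user's normal daily volume is learned from their own history, and only a departure from that history raises an alert. The metric (outbound MB per day), the 14-day histories and today's figures are constructed; a user with too little history is reported as undecided rather than silently treated as normal.

```python
"""Per-user behavioural baseline versus a one-size-fits-all threshold.

Added example, not SenseOn's code. The metric (outbound MB per day), the
14-day histories and today's figures are constructed for this demo.
"""
import statistics

# Constructed learning window: outbound MB per day over the previous 14 days.
HISTORY = {
    "alice": [40, 38, 45, 42, 39, 41, 44, 40, 43, 42, 41, 39, 40, 44],  # quiet desk user
    "build-svc": [900, 880, 950, 910, 905, 890, 920, 915, 930, 895, 905, 900, 910, 925],  # CI runner
}
# Constructed observations for today; "newhire" has no history yet.
TODAY = {"alice": 180, "build-svc": 940, "newhire": 60}

STATIC_THRESHOLD_MB = 500  # a typical fixed rule applied to every user alike


def static_rule(today, threshold=STATIC_THRESHOLD_MB):
    """Rule-based alert: fire whenever today's value exceeds a fixed threshold."""
    return {user: value > threshold for user, value in today.items()}


def baseline_rule(history, today, z_threshold=3.0, min_days=7):
    """Behavioural alert: fire only when today's value is unusual for this user.

    Returns True/False per user, or None when there is too little history to
    judge, so the caller can route that user to a different check instead of
    silently treating them as normal.
    """
    verdicts = {}
    for user, value in today.items():
        past = history.get(user, [])
        if len(past) < min_days:
            verdicts[user] = None
            continue
        mean = statistics.fmean(past)
        spread = statistics.pstdev(past) or 1.0  # flat history: avoid divide-by-zero
        verdicts[user] = (value - mean) / spread > z_threshold
    return verdicts


def compare(history, today):
    """Side-by-side verdicts so the two approaches can be audited per user."""
    static = static_rule(today)
    baseline = baseline_rule(history, today)
    return {user: {"static": static[user], "baseline": baseline[user]} for user in today}


if __name__ == "__main__":
    for user, verdict in compare(HISTORY, TODAY).items():
        print(f"{user:10} static={verdict['static']!s:5} baseline={verdict['baseline']}")
```

With these figures the fixed rule fires on the CI runner every day, which is exactly the noise analysts learn to dismiss, and says nothing about alice moving from around 40 MB to 180 MB because she never crosses 500 MB. Raising the fixed threshold to 1000 MB to silence the runner makes alice's jump invisible as well. The baseline flags alice alone, because the comparison is against her own history rather than against everyone's.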


Threat actors are smarter and more technologically capable than ever. The amount of noise cyber-security teams have to analyse will only grow louder in any IT environment with more than a few dozen users and several different detection methods. Such is the volume of data flowing into SOCs from so many different sources that the problems of alert fatigue are, to some extent, unavoidable.


With SOC teams constantly on the edge of over-stretch, there is a real risk that an ignored alarm could mask a catastrophic data breach. AI-powered cyber-security is now vital to streamline and enhance detection and significantly reduce the chances of serious incidents.


Cyber-teams should not be in a constant state of anxiety about whether an alarm is a real threat or a false positive. There are major consequences for any mistake, so teams must have the technology that gives them and their organisation greater reassurance and certainty as often as possible.


David Atkinson is CEO at SenseOn


Main image courtesy of iStockPhoto.com and shapecharge