Ever heard of the saying “too much of a good thing?” Security alerts can give you visibility over what’s happening in your environment, but too many alerts actually have the opposite effect.
What Is Cybersecurity Alert Fatigue?
Cybersecurity alert fatigue occurs when admins or analysts receive an overwhelming number of alerts from security tools — some of which are innocuous and irrelevant — causing them to ignore the alerts that really matter.
Alert fatigue is often associated with cybersecurity products like antivirus, endpoint security, firewalls and traditional security information and event management (SIEM) systems. A worst-case example of alert fatigue is when analysts spend most of their days investigating menial, repetitive audit alerts that don’t have much analytical or security value.
False positives also worsen the situation by creating unnecessary noise for events that aren’t security threats, like a series of failed login attempts. False alarms account for about 40% of all alerts that security teams receive and further encourage the bad habit of ignoring alerts.
The Problem With Alert Fatigue
Security operations teams receive an average of 174,000 alerts per week — a number that is rising year over year, according to a Demisto study. The crowded security market makes it tempting for businesses to throw money at the problem and invest in too many tools, which exacerbates the issue of alert fatigue. Enterprises maintain an average of 19 different security tools, only 22% of which are vital to primary security objectives, according to a ReliaQuest survey.
Contributes to analyst burnout. Working in the security industry is inherently stressful; security professionals are more than twice as likely to report poor work-life balance. Combine that with the prospect of triaging a high volume of alerts with no end in sight and you’ve got a recipe for disaster. An overwhelmed, stressed security analyst burdened with such a mundane task is an automatic flight risk. This is especially true for smaller IT and security teams that wear multiple hats and also need to maintain infrastructure, upgrade servers and respond to help desk tickets.
Costly to the business. When analysts spend time triaging and investigating alerts, it takes resources away from more high-value tasks. On average, analysts spend 24-30 minutes investigating each incident that comes through, according to an Enterprise Management Associates (EMA) study. Considering that the average salary of a security operations center (SOC) analyst is $109,156 per year (around $30 per incident investigation), false positives and alert fatigue can result in a major cost to business.
Leads to real security incidents. Dealing with an overwhelming amount of notifications (or a recurring alert about something that isn’t an actual threat) conditions a person to tune them out — it’s just human nature. Have you ever said a word so many times that it starts to lose its meaning and sound completely foreign? That’s an example of the psychological phenomenon known as semantic satiation: the more you’re exposed to something, the more you begin to disregard it.
From there, it’s inevitable to ignore alerts that actually matter, which leads to cyberattacks such as ransomware, malware and other real threats. For example, alert fatigue was a factor in Target’s 2013 data breach.
Tips to Combat Alert Fatigue
Fortunately, there are ways to eliminate alert fatigue; modern SIEM vendors have realized the problem of alert fatigue and have engineered their products to avoid the issue.
Besides purchasing less noisy tools, admins can do a few things to prevent alert fatigue:
1. Don’t log everything. At Blumira, a common misconception that many of our newer customers have is that they need to ingest every log source. That takes a lot of work, and not every source will provide security value.
Instead, admins should determine which log sources are most important to their organization and prioritize those.
David Begley, Technical Account Manager at Blumira, recommends three core sources to start ingesting immediately: Active Directory (AD), firewalls and cloud applications. Organizations maintaining AD should get domain controllers (DC) enabled and streaming to a SIEM. Then, they can work their way up the tech stack to firewalls and eventually cloud apps, which can be high-value targets for threat actors.
2. Prioritize alerts. Organizations should choose security products with prioritized alerts. A tool should categorize threats by the time recommended to respond:
- Priority 1 – Respond immediately to critical threats
- Priority 2 – Respond within next day to high-priority threats
- Priority 3 – Respond within the next few business days to lower-priority, potentially malicious alerts
This helps security teams understand what to focus on, reducing burnout.
3. Fine-tune your SIEM. An improperly tuned SIEM is often the culprit when it comes to alert fatigue. For example, a too-broad detection rule can result in a lot of false positives. But tuning a SIEM is incredibly time-consuming and requires extensive security expertise. Finding a vendor that does the fine-tuning for you can ease that burden.
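To make the "too-broad rule" point concrete, here is an added example (written for this article, not Blumira's detection logic) that runs a broad rule and a tuned rule over a handful of constructed authentication log lines. The log format, the five-failure threshold and the two-minute window are assumptions chosen for the illustration; the tuned rule also raises the priority of a finding when a burst of failures is followed by a successful login, since that is the case an analyst most needs to see first.

```python
"""Added example: a too-broad SIEM rule beside a tuned one, run over
constructed auth log lines. Not Blumira's detection logic; the log
format, threshold and window below are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like key=value), not from a real system.
SAMPLE_LOGS = [
    "2024-05-01T09:00:01 host=web01 event=login_failed user=alice src=10.0.0.5",
    "2024-05-01T09:00:07 host=web01 event=login_success user=alice src=10.0.0.5",
    "2024-05-01T09:05:00 host=web01 event=login_failed user=bob src=10.0.0.9",
    "2024-05-01T09:05:03 host=web01 event=login_failed user=bob src=10.0.0.9",
    "2024-05-01T09:05:06 host=web01 event=login_failed user=bob src=10.0.0.9",
    "2024-05-01T09:05:09 host=web01 event=login_failed user=bob src=10.0.0.9",
    "2024-05-01T09:05:12 host=web01 event=login_failed user=bob src=10.0.0.9",
    "2024-05-01T09:05:20 host=web01 event=login_success user=bob src=10.0.0.9",
    "2024-05-01T10:00:00 host=web01 event=login_failed user=carol src=10.0.0.7",
    "2024-05-01T11:30:00 host=web01 event=login_failed user=carol src=10.0.0.7",
]


def parse(line):
    """Turn one 'ts k=v k=v ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = {k: v for k, v in (f.split("=", 1) for f in fields)}
    event["ts"] = datetime.fromisoformat(ts)
    return event


def broad_rule(events):
    """Too-broad rule: one alert per failed login. Every typo becomes an alert."""
    return [e for e in events if e["event"] == "login_failed"]


def tuned_rule(events, threshold=5, window=timedelta(minutes=2)):
    """Tuned rule: alert once when the same user+source reaches `threshold`
    failures inside a sliding `window`; escalate that alert to priority 1 if
    a successful login follows within the window. Single typos and failures
    spread over hours never fire."""
    alerts = []
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    fired = set()                  # keys that already have an open alert
    for e in events:
        key = (e["user"], e["src"])
        if e["event"] == "login_failed":
            failures[key].append(e["ts"])
            # Drop failures that fell out of the sliding window.
            failures[key] = [t for t in failures[key] if e["ts"] - t <= window]
            if len(failures[key]) >= threshold and key not in fired:
                fired.add(key)
                alerts.append({"user": e["user"], "src": e["src"], "priority": 2,
                               "reason": f"{len(failures[key])} failures within {window}"})
        elif e["event"] == "login_success":
            recent = failures[key] and e["ts"] - failures[key][-1] <= window
            if key in fired and recent:
                # Escalate the existing alert instead of opening a second one.
                for a in alerts:
                    if (a["user"], a["src"]) == key:
                        a["priority"] = 1
                        a["reason"] += ", followed by a successful login"
            fired.discard(key)
            failures[key].clear()
    return alerts


def compare(lines=SAMPLE_LOGS):
    """Return (broad_alert_count, tuned_alerts) for the same input."""
    events = [parse(line) for line in lines]
    return len(broad_rule(events)), tuned_rule(events)


if __name__ == "__main__":
    broad_count, tuned = compare()
    print(f"broad rule: {broad_count} alerts; tuned rule: {len(tuned)} alert(s)")
    for a in tuned:
        print(a)
```

On the sample input the broad rule produces eight alerts (one per failed login, including alice's single typo), while the tuned rule produces one priority 1 alert for bob, whose five rapid failures ended in a successful login. Carol's two failures ninety minutes apart never cross the threshold, which is exactly the noise the untuned rule would have surfaced.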
4. Automate, automate, automate. The ability to automatically sort alerts and correlate threats with data significantly cuts down on time spent managing alerts. 94% of IT leaders say that automation is the best solution for alert fatigue, according to a Dimensional Research study.
5. Use workflows and playbooks. Alerts that aren’t actionable can be a major time-sink for IT and security teams, especially those with less security expertise. Interpreting a disjointed event (What is this log telling me, and what is it saying about my environment?) can be complicated and time-consuming. Actionable alerts that are accompanied by context — or even better, built-in workflows and playbooks that give suggestions for next steps — make it much easier for an admin to know what to do, and cut down on remediation and response times.
How Blumira Stops Alert Fatigue
Blumira’s cloud SIEM is designed to eliminate alert fatigue, using tactics such as automation, pre-built workflows and playbooks, and prioritized, contextual alerts. Blumira’s platform compares data across your different systems to prioritize only the most important findings and alert your team to potential threats, which is a major time-save — especially for MSPs who have to act as the IT team for multiple companies.
Blumira’s platform also uses evidence stacking, which bundles similar alert data and includes the information in the already-triggered findings until the case is closed. In addition to stacking evidence, if there are any related findings within the same time period on the same host or user, they are linked to provide additional context into the incident response process.
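The two mechanisms described above, stacking repeated evidence onto an open finding and linking related findings on the same host or user within a time window, together with the priority tiers from the tips section, can be shown in a few dozen lines. The following is an added example written for this article, not Blumira's implementation: the finding format, the 30-minute link window and the `close` records in the stream are assumptions, and the findings themselves are constructed.

```python
"""Added example: evidence stacking, linking of related findings and a
priority-ordered work queue. Written for this article; not Blumira's
code. Finding format, link window and 'close' records are assumptions."""
from datetime import datetime, timedelta

# Constructed stream of findings and analyst actions, in arrival order.
# priority 1 = respond immediately, 2 = next day, 3 = next few business days.
SAMPLE_STREAM = [
    {"id": "f1", "ts": "2024-05-01T09:05:12", "type": "password_spray",
     "host": "web01", "user": "bob", "priority": 2},
    {"id": "f2", "ts": "2024-05-01T09:05:40", "type": "password_spray",
     "host": "web01", "user": "bob", "priority": 2},
    {"id": "f3", "ts": "2024-05-01T09:12:00", "type": "new_admin_account",
     "host": "web01", "user": "bob", "priority": 1},
    {"close": "f1"},
    {"id": "f4", "ts": "2024-05-01T13:00:00", "type": "password_spray",
     "host": "web01", "user": "bob", "priority": 2},
    {"id": "f5", "ts": "2024-05-01T13:01:00", "type": "outbound_beacon",
     "host": "db02", "user": "svc", "priority": 1},
]


class Case:
    """One open or closed finding with its stacked evidence and links."""

    def __init__(self, finding):
        self.id = finding["id"]
        self.type = finding["type"]
        self.host = finding["host"]
        self.user = finding["user"]
        self.priority = finding["priority"]
        self.evidence = [finding]
        self.related = set()
        self.closed = False

    @property
    def last_seen(self):
        return self.evidence[-1]["ts"]

    def stack(self, finding):
        """Append repeated evidence; keep the most urgent priority seen."""
        self.evidence.append(finding)
        self.priority = min(self.priority, finding["priority"])


def triage(stream, link_window=timedelta(minutes=30)):
    """Fold a stream of findings into cases. Returns {case_id: Case}."""
    cases = {}
    for item in stream:
        if "close" in item:
            cases[item["close"]].closed = True
            continue
        f = dict(item, ts=datetime.fromisoformat(item["ts"]))
        # 1. Evidence stacking: same finding type on the same host and user,
        #    case still open -> add the evidence to it instead of re-alerting.
        target = next((c for c in cases.values() if not c.closed
                       and (c.type, c.host, c.user) == (f["type"], f["host"], f["user"])),
                      None)
        if target is not None:
            target.stack(f)
            continue
        # 2. New case: link it to open cases on the same host or user whose
        #    latest evidence falls inside the time window.
        new = Case(f)
        for c in cases.values():
            if c.closed:
                continue
            same_entity = c.host == f["host"] or c.user == f["user"]
            if same_entity and abs(f["ts"] - c.last_seen) <= link_window:
                new.related.add(c.id)
                c.related.add(new.id)
        cases[new.id] = new
    return cases


def work_queue(cases):
    """Open case ids ordered by priority tier (1 first), then oldest first."""
    open_cases = [c for c in cases.values() if not c.closed]
    return [c.id for c in sorted(open_cases,
                                 key=lambda c: (c.priority, c.evidence[0]["ts"]))]


if __name__ == "__main__":
    cases = triage(SAMPLE_STREAM)
    for c in cases.values():
        print(c.id, c.type, f"P{c.priority}", "closed" if c.closed else "open",
              "evidence:", [e["id"] for e in c.evidence], "related:", sorted(c.related))
    print("work queue:", work_queue(cases))
```

Five findings become four cases: f2 is stacked onto f1 rather than paging anyone twice, f3 is linked to f1 because it hit the same host and user seven minutes later, and f4 opens a fresh case because f1 had already been closed. The work queue puts the two priority 1 cases ahead of the priority 2 spray, which is the ordering the tiered response times in the tips above call for.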
Tailored to resource-strapped IT and security teams, Blumira includes access to a team of security experts that are ready to answer your questions about an alert.
Dan Kontak, IT Director of National Machinery, said Blumira was crucial in reducing alert fatigue.
“We get at least 100 messages a day from our antimalware software. It’s not possible to deal with it and get your job done. Now, we just ship the logs right to Blumira. They correlate that data with logs from our other devices and outside threat intelligence to analyze the threat levels and advise us on proper responses.” – Dan Kontak, IT Director
Try a free trial of Blumira today and start getting relief from never-ending alerts.
Learn More About Alert Fatigue
In this on-demand livestream, Blumira’s Matthew Warner, CTO and Co-Founder, Ignite Security’s Kevin Critch, Director of Security Solutions, and Brian Forward, Security Solutions Engineer, discuss how security and IT teams can approach the problem of alert fatigue.
You’ll also see a live demo showing how Blumira’s prioritized alerts save you time and headaches. Register here.