Cyber Security Alert Fatigue - Tips & Strategies | Redscan

To defend against increasingly sophisticated and persistent cyber-attacks, it can be tempting to pump money into the latest tech.

Relying on technology alone, however advanced, can be a critical error. While top end security technologies can provide part of the answer, the sheer number of alerts generated demands constant attention. Without the right resources to analyse and manage these outputs, critical alerts may end up being ignored – a constant thorn in the side of many organisations.


What is alert fatigue?

Alert fatigue (or alarm fatigue) occurs when an individual or team is exposed to an overwhelming number of alerts, to the point that it becomes desensitising and impacts on performance.

While alarms and alerts are designed to signal a potential problem, they also require further investigation to confirm whether they are genuine. The higher the number of false positives, the higher the likelihood of alert fatigue, resulting in important information being missed or overlooked. The longer this situation persists, the more serious the ramifications can become.


Alert fatigue in cyber security

Cybercriminals are stealthy and persistent, using a range of advanced techniques to compromise their targets. The security systems designed to stop them must be capable of identifying early signs of attack and helping to prevent breaches.

Threat detection technologies such as Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) collect, manage and correlate data from a variety of sources to flag anomalous activity. If they are not deployed and managed effectively, these systems have the potential to generate thousands of alerts every day.

With such a broad range of attack vectors exploited by hackers, any unusual network behaviour could indicate a breach, so it is important to ensure any suspicious activity is identified and promptly escalated for human investigation.

A big problem for many organisations is that a large proportion of security alerts are likely to be false positives, making identifying a genuine ‘true positive’ like finding a needle in a haystack. According to a report from the Ponemon Institute, of the 17,000 malware alerts the average organisation receives every week, less than a fifth are reliable. The same report estimates that two-thirds of IT security staff time is spent responding to false security alerts.

The bad news is that the number of alerts is increasing. In response to a 2020 survey, 70% of security professionals said they had seen the volume of security alerts they receive more than double since 2015.

The shift towards working from home has also led to a rise in alerts. In recent research, 42% of security operations teams who responded said that their alert volume was higher post-pandemic than it was before.

A survey by the Cloud Security Alliance revealed that 31.9% of IT security professionals who responded ignore alerts because so many are false positives. While it might be tempting to disregard alert sources with high false positive ratios, it could also create significant security blind spots. For this reason, contextualisation is essential.
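As an added illustration of the blind-spot point above (example code written for this page, not from the original Redscan article), the Python script below runs over a small set of constructed alert records and compares two triage approaches: muting any source whose historical false-positive ratio is high, versus keeping every alert and scoring it on context. The context fields asset_tier and corroborated are assumptions standing in for whatever enrichment a SOC actually has.

```python
"""Alert triage: why muting a noisy source creates blind spots.

Constructed sample alerts (not real telemetry). Each record holds the
source that raised it, the host, the verdict from a past investigation,
and assumed context fields an analyst would use to prioritise.
"""
from collections import Counter

# Constructed sample: (source, host, verdict, context)
ALERTS = [
    ("av",   "ws-01", "fp", {"asset_tier": "low",  "corroborated": False}),
    ("av",   "ws-02", "fp", {"asset_tier": "low",  "corroborated": False}),
    ("av",   "ws-03", "fp", {"asset_tier": "low",  "corroborated": False}),
    ("av",   "db-01", "tp", {"asset_tier": "high", "corroborated": True}),
    ("edr",  "ws-04", "fp", {"asset_tier": "low",  "corroborated": False}),
    ("edr",  "db-01", "tp", {"asset_tier": "high", "corroborated": True}),
    ("siem", "ws-05", "fp", {"asset_tier": "low",  "corroborated": False}),
    ("siem", "ws-06", "fp", {"asset_tier": "low",  "corroborated": False}),
    ("siem", "ws-07", "tp", {"asset_tier": "high", "corroborated": False}),
]


def false_positive_ratio(alerts):
    """Per-source share of alerts that past investigation marked false positive."""
    total, fps = Counter(), Counter()
    for source, _, verdict, _ in alerts:
        total[source] += 1
        fps[source] += verdict == "fp"
    return {s: fps[s] / total[s] for s in total}


def suppress_noisy_sources(alerts, threshold=0.7):
    """Naive approach: mute every source whose FP ratio exceeds the threshold.
    Any true positive raised only by that source is silently lost."""
    ratios = false_positive_ratio(alerts)
    return [a for a in alerts if ratios[a[0]] <= threshold]


def prioritise_with_context(alerts):
    """Contextual approach: keep every alert but rank it; high scores are
    investigated first, low scores queue behind them instead of vanishing."""
    scored = []
    for source, host, verdict, ctx in alerts:
        score = 1                                    # baseline for any alert
        score += 2 if ctx["asset_tier"] == "high" else 0   # critical asset
        score += 2 if ctx["corroborated"] else 0           # seen by another source
        scored.append((score, source, host, verdict))
    return sorted(scored, reverse=True)


def true_positives_kept(alerts):
    """Count genuine alerts that survive a triage step."""
    return sum(1 for a in alerts if a[2] == "tp")
```

On this sample the antivirus source has a 75% false-positive ratio, so muting it drops one of the three genuine alerts, whereas the context ranking places all three at the top of the queue.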


The challenges of in-house monitoring

With security budgets stretched to meet different business priorities, it can be difficult to work out where to invest. Many organisations, aware of the value of EDR or SIEM, go straight for the technology. However, without the resources to properly utilise these systems, they may fail to maximise their performance.

Businesses that lack a dedicated security team, or have only a small team without 24/7 coverage, are particularly vulnerable to alert fatigue. Investigating alarms around-the-clock demands a team of dedicated professionals trained to analyse and triage alerts as well as facilitate swift incident response.

In many cases, the security burden falls on IT employees, who are under pressure to balance security considerations with other day-to-day operations and, as a result, often lack a complete and up-to-date understanding of the security landscape. Managing multiple disparate systems can be extremely time- and resource-intensive.

Detecting and responding to threats typically involves more than just SIEM or EDR. Security Orchestration, Automation and Response (SOAR) technologies are often used to provide additional context, and these can be hugely beneficial, but more technology doesn’t solve the root cause. SOAR tools must also be actively monitored and optimised by experts who know what to look for and how to escalate issues.


The benefits of outsourced monitoring

A managed detection and response (MDR) service can be a hugely cost-effective option for organisations struggling to overcome alert fatigue.

By combining expertise, technology and intelligence in a turnkey service, and removing the burden of 24/7 alert monitoring and investigation, MDR helps to significantly improve organisations’ cyber security posture.

Effective cyber security requires a team of around-the-clock experts that understand how cybercriminals operate to ensure that important alerts don’t get missed and, in the event of an incident, that response efforts are swift and effective.


Why choose Kroll?

Kroll Responder is our 24/7 Managed Detection and Response service. Kroll Responder provides extended security monitoring around-the-clock, earlier insight into targeted threats, and complete response to contain and eradicate threats across your digital estate.

Discover how our turnkey MDR service can fill gaps in your security resources by combining seasoned security expertise, frontline intelligence and unrivalled response capabilities.


Find out more about our MDR service