To defend against increasingly sophisticated and persistent cyber-attacks, it can be tempting to focus your IT budget on the latest technologies.
But organisations take a significant risk in relying on technology alone, however advanced.
While good security technology can provide part of the answer, the sheer number of alerts generated demands constant attention. Without the right resources to analyse and manage these outputs, critical alerts may end up being ignored.
What is alert fatigue?
Alert fatigue (or alarm fatigue) occurs when an individual or team is exposed to an overwhelming number of alerts, to the point that they become desensitised to them and performance suffers.
While alarms and alerts are designed to signal a potential problem, they also require further investigation to confirm whether they are genuine. The higher the number of false positives, the higher the likelihood of alert fatigue, resulting in important information being missed or overlooked.
Alert fatigue in cyber security
Cybercriminals are stealthy and persistent, using a range of advanced techniques to compromise their targets. The security systems designed to stop them must be capable of identifying early signs of attack and helping to prevent breaches.
Threat detection technologies such as Security Information and Event Management (SIEM) and Intrusion Detection Systems (IDS) collect, manage and correlate data from a variety of sources to flag anomalous activity. If they are not deployed and managed effectively, these systems have the potential to generate thousands of alerts every day.
With such a broad range of attack vectors exploited by hackers, any unusual network behaviour could indicate a breach. It is therefore important to ensure that any suspicious activity is identified and promptly escalated for human investigation.
A big problem for many organisations is that a large proportion of security alerts are likely to be false positives, so that identifying a genuine ‘true positive’ is like finding a needle in a haystack. According to a report from the Ponemon Institute, of the 17,000 malware alerts the average organisation receives every week, less than a fifth are reliable. The same report estimates that two-thirds of IT security staff time is spent responding to false security alerts.
The bad news is that the number of alerts is increasing. In response to a 2020 survey, 70% of security professionals said they had seen the volume of security alerts they receive more than double since 2015.
The shift towards working from home has also led to a rise in alerts. In recent research, 42% of security operations teams who responded said that their alert volume is higher now than it was before the pandemic.
A survey by the Cloud Security Alliance revealed that 31.9% of IT security professionals who responded ignore alerts because so many are false positives. While understandable, this creates the risk of in-house teams ignoring warnings when there is a real intrusion. It might be tempting to disregard alert sources with high false positive ratios, but doing so can create significant security blind spots.
The challenges of in-house monitoring
With security budgets stretched to meet different business priorities, it can be challenging to decide where to invest. Many organisations, aware of the value of SIEM and IDS, go straight for the technology. However, without the resources to properly utilise these systems, they may never get the full performance those solutions can deliver.
Businesses that lack a dedicated security team are particularly vulnerable to alert fatigue. Investigating alarms is a 24/7/365 process that demands a team of dedicated professionals trained to analyse and triage alerts as well as facilitate swift incident response.
In many cases, the security burden falls on IT employees, who are under pressure to balance security considerations with other day-to-day operations and, as a result, often lack a complete and up-to-date understanding of the security landscape.
Detecting and responding to threats typically involves more than just SIEM and IDS. Endpoint analytics and behavioural monitoring technologies are often used to provide additional context, but these must also be actively monitored and optimised. Managing multiple disparate systems can be extremely time- and resource-intensive.
The benefits of outsourced monitoring
A managed detection and response (MDR) service can be a hugely cost-effective option for organisations struggling to overcome alert fatigue.
By combining expertise, technology and intelligence in a turnkey service, and removing the burden of 24/7 alert monitoring and investigation, MDR helps to significantly improve organisations’ cyber security posture.
Effective cyber security requires a team of around-the-clock experts who understand how cybercriminals operate, to ensure that important alerts don’t get missed and, in the event of an incident, that response efforts are swift and effective.
Why choose Redscan?
ThreatDetect™, our flagship and award-winning MDR service, integrates world-class SOC expertise, cutting-edge detection technologies and threat intelligence, for a cost-effective monthly fee.
By crafting a threat monitoring solution to suit your organisation’s needs and taking ownership of the full installation and optimisation process of all included technologies, our experts help to maximise cyber security capabilities.
Our specialists have a deep understanding of offensive security, and act as a virtual extension of your IT team to monitor your network and endpoints 24/7 and hunt for and respond to threats. All security alerts are triaged by our analysts and delivered via our cloud-architected XDR platform, CyberOps, which provides incident reporting and prioritised remediation guidance through a single interface.