Historically under-resourced security teams are feeling more pressure than ever as ransomware crises and massive security vulnerabilities continue to dominate the news. And while there’s much emphasis on keeping outside threats from coming in, security leaders can’t lose sight of what’s happening inside and taking a toll on security and information security (infosec) teams alike: alert fatigue.
As the cybersecurity industry grapples with the ongoing talent shortage, security operations centers (SOCs) are already overwhelmed, and a constant stream of alerts doesn’t necessarily make their jobs any easier. Too much noise and false positives can fatigue teams and desensitize them, resulting in important alerts being ignored or not responded to in time. The natural “always-on” stress of the job in the SOC, combined with an overload of unnecessary alerts, is a recipe for turnover, burnout and security risk.
Continuing down this path is not sustainable for infosec professionals or the organizations’ security postures that they’re meant to protect. For security teams to effectively detect and respond to threats without succumbing to fatigue, they need to be enabled with more reliable, high-fidelity alerts that lead to better response strategies.
Higher Fidelity, Lower Volume
Alert fatigue is a monster of the security industry’s own creation. Security information and event management (SIEM) used to be simple and straightforward; however, as the threat landscape has continued to evolve, the pressure to stay on top of everything often results in an overwhelming number of alerts.
Most of the alerts that hit the SOC are false positives, and to wade through them effectively without losing sight of the ones that will actually impact the business, organizations need dedicated resources that are enabled by the right processes and technologies. Remembering that the end goal is to actually respond to threats, not just identify a good alert from a bad one, high-fidelity alerting is the enabler. High-fidelity alerts involve contextualization, enrichment from correlated events over time, and the right people to then facilitate from detection to containment.
Here are ways to improve alert fidelity, relieve teams of alert fatigue, and catch threats.
Prioritize and Normalize Logs to Decrease Alerts
While having extensive, well-kept logs is of the utmost importance for cybersecurity incident tracking, it’s not necessary for teams to be alerted about every new log item. Only the most critical alerts deserve their attention. Continuous reviews of what’s important and what’s not can keep the number of alerts down while providing a healthy gut-check on a company’s overall security posture. An alert ideally provides a whole picture, not individual pieces, especially when those “individual piece” alerts never add up to something bigger. If the organization is overwhelmed by the latter, normalizing logs into specific data types is a good initial step for cleaning that up. This could involve utilizing data models or strategies that don’t require writing separate alerts for each system.
Make Critical Alerts Actionable
Every alert should come with recommended actions and next steps. Alerts without this context create more work and burn valuable time that could have been used to actually mitigate the threat. To make critical alerts actionable and digestible, take a tiered approach that clearly defines the level of action needed and the timeframe in which it needs to be done. This again would be driven by contextualization and enrichment correlated across a period of time such as 7, 14 and/or 30 days.
Again, the point of having good alerts is to enable actual response. With high-fidelity alerts, you can be confident about the actions needed to mitigate the issue, which saves the team a tremendous amount of time and energy. One of the goals of extended detection and response (XDR) is to gather data valuable enough to confirm the detection of a threat that security analysts can implement active response strategies which mitigate threats in an automated fashion. This relieves teams from handling every single issue by hand when there is a known, defined action that can be automated instead.
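The three steps above (normalize logs into one data model, enrich per user over 7/14/30-day windows, then tier each alert with a defined action and deadline, automating the known ones) as an added Python example; this is illustrative code written for this article, not any vendor’s product, and the log records, thresholds and actions are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records from two sources with different field names (not real data).
RAW_EVENTS = [
    {"src": "vpn", "ts": "2024-03-01T08:00:00", "user": "alice", "result": "FAIL"},
    {"src": "vpn", "ts": "2024-03-02T08:05:00", "user": "alice", "result": "FAIL"},
    {"src": "edr", "ts": "2024-03-09T09:00:00", "account": "alice", "outcome": "blocked"},
    {"src": "edr", "ts": "2024-03-10T09:00:00", "account": "alice", "outcome": "blocked"},
    {"src": "edr", "ts": "2024-03-10T09:30:00", "account": "alice", "outcome": "blocked"},
    {"src": "vpn", "ts": "2024-03-10T10:00:00", "user": "bob", "result": "OK"},
]
NOW = datetime(2024, 3, 10, 12, 0)   # assumed evaluation time
WINDOWS = (7, 14, 30)                # correlation windows in days

def normalize(event):
    """Map a source-specific record onto one data model: ts, user, category."""
    ts = datetime.fromisoformat(event["ts"])
    if event["src"] == "vpn":
        cat = "auth_failure" if event["result"] == "FAIL" else "auth_success"
        return {"ts": ts, "user": event["user"], "category": cat}
    if event["src"] == "edr":
        cat = "malware_blocked" if event["outcome"] == "blocked" else "edr_other"
        return {"ts": ts, "user": event["account"], "category": cat}
    raise ValueError(f"unknown source {event['src']}")

def enrich(events, user, now):
    """Count each category for a user inside each 7/14/30-day window."""
    counts = {}
    for days in WINDOWS:
        start = now - timedelta(days=days)
        counts[days] = dict(Counter(e["category"] for e in events
                                    if e["user"] == user and start <= e["ts"] <= now))
    return counts

def tier(counts):
    """Tier the correlated picture; each tier carries its action and deadline."""
    blocked7 = counts[7].get("malware_blocked", 0)
    failures30 = counts[30].get("auth_failure", 0)
    if blocked7 >= 3 and failures30 >= 2:   # repeated EDR blocks plus earlier failed logins
        return {"tier": 1, "action": "isolate host", "deadline_hours": 1, "automated": True}
    if blocked7 >= 1:
        return {"tier": 2, "action": "analyst triage of host", "deadline_hours": 24, "automated": False}
    if failures30 >= 2:
        return {"tier": 3, "action": "review at weekly check", "deadline_hours": 168, "automated": False}
    return None  # isolated events never add up to something bigger: no alert raised

def build_alerts(raw, now):
    """Normalize, enrich per user, and emit only alerts that reached a tier."""
    events = [normalize(e) for e in raw]
    alerts = {}
    for user in sorted({e["user"] for e in events}):
        decision = tier(enrich(events, user, now))
        if decision:
            alerts[user] = {**decision, "evidence": enrich(events, user, now)}
    return alerts

def run_example():
    return build_alerts(RAW_EVENTS, NOW)
```

On the sample data only alice reaches a tier: three EDR blocks in the last 7 days plus two failed VPN logins within 30 days yield a tier-1 alert with an automatable action, while bob’s single successful login raises nothing.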
But Remember, People Are Still Central to the SOC
Driving higher-fidelity alerts and active response from a process and technology perspective doesn’t replace the most important part of SOCs, the people; it supports them.
Enabling security teams to work more efficiently is critical to their success. The continued struggle to fill infosec roles and the broader but relevant trend of “the great resignation” have emphasized this point. Security leaders need to prioritize and invest in the people who spend their days protecting their companies. Addressing alert fatigue is just one step, but a very practical one, in enabling security teams to do their best work.
Recognizing major imbalances between the size of the security team and the scope of its responsibilities is also important. If security leaders are strapped for resources, security teams simply can’t do everything they need to do to stop threats from getting a foothold in the organization’s systems. The bottom line is that organizations need good people in the SOC. Resourcing for that and/or partnering with trusted service providers comes first, but enabling SOC teams to respond better to threats while avoiding fatigue is equally important for security operations to succeed.