Beep, beep, ding, ding – the source of alert fatigue.
Alert fatigue is not a new phenomenon. It sets in when cybersecurity professionals become desensitized after dealing with a flood of alerts, so they begin to miss or ignore them and respond more slowly. In most cases of alert fatigue, employees fail to respond in time because of the burnout caused by the constant stream of alerts and notifications.
Alert fatigue is believed to be a major factor in the 2013 Target Data Breach that led to the theft of credit card and personal information of about 40 million customers. This is a concern for many businesses and needs serious attention. But how can you reduce alert fatigue? We will find out.
A real struggle for cybersecurity professionals
The term alert fatigue was first coined in 2004 by The Joint Commission, a US-based non-profit hospital accreditation organization, when it made the effectiveness of clinical alarms a standard for hospitals. It has since become common in many fields that deal with alerts, including cybersecurity.
While ignoring app messages or notifications may not negatively affect your daily life, the consequences can be dire for cybersecurity professionals and their organizations. According to RiskIQ’s 2021 Evil Internet Minute Report, cybercrime costs businesses $1.79 million every 60 seconds.
A 2018 survey, just four years ago, found that 27% of IT professionals receive more than 1 million security alerts per day (let that sink in), while the majority (67%) is bombarded with 100,000 alerts per day. SMEs are also not immune to the alert deluge – hit by 4,000 cyberattacks per day.
And this number is not expected to drop anytime soon. A related study from the same year found that alerts are increasing, and security staff can only process an average of 12,000 alerts per week.
The great resignation of cybersecurity
It’s no wonder that cybersecurity professionals face burnout. Even with a large team, managing 2,000+ notifications a day can be mind-numbing. Imagine being in firefighter mode for all 8 hours of a typical work day, sometimes longer.
A recent report by Panther Labs found that up to 80% of security engineers suffer from burnout. Additionally, 45% of respondents to Deep Instinct’s third edition of the annual Voice of SecOps Report considered leaving the industry due to stress. Forty-six percent of the same respondents said they knew at least one peer who left cybersecurity in the past year because of stress.
Chief information security officers (CISOs) are burning out and quitting at an alarming rate. Forty-nine percent of 1,000 respondents from the same report are considering leaving the industry because of increased stress levels.
It’s not just about people leaving their jobs; the industry itself is damaged. It is losing talent for good, and those leaving are unlikely to be replaced at a comparable rate. Although more people enter the industry than leave it, it takes time for new entrants to get up to speed.
Not all alerts are created equal
So why are there so many alerts? Monitoring tools such as Cloud Security Posture Management (CSPM) and Security Information and Event Management (SIEM) issue alerts when anomalies are detected within a cloud infrastructure. However, not all alerts require action, or at least not immediately. Some alerts indicate minor problems that can be fixed later or even ignored.
Then there are false positives, which account for nearly half (45%) of all cybersecurity alerts, according to a report published by Fastly in 2021. False positives are alerts that indicate an attack, vulnerability, or danger when there is none.
Think of it as a false alarm or the boy who cried wolf. For example, old legitimate files with missing security certificates can be flagged as malicious.
Similarly, an alert can be issued indicating a suspicious login by an employee from an unknown location if the information security (IS) team does not know that the employee is there on vacation.
To minimize such alerts, you can apply a least privilege policy and grant access only to apps and data that do not pose a threat. You can also adopt a zero-trust model and fully restrict access to threat-sensitive or critical apps and data.
The Fastly report also found that 75% of organizations spend as much time, and sometimes more time, on false positives than on actual attacks. These false alerts cause the same amount of downtime as real attacks.
The problem with false positives is not that they exist, but:
- Their sheer number
- Each one requires time and effort to review, investigate, and verify before it is clear whether the attack, threat, or vulnerability is real.
Together, these are the causes of alert fatigue.
Imagine a faulty fire alarm system going off in your home. The first time it goes off, you carefully comb every corner of the house to see if there is a fire and where it is. You may do this for a few alarms in a row, but eventually you decide it’s not worth your time to investigate another alarm and ignore it.
Likewise, cybersecurity professionals may end up completely ignoring or forgetting important alerts that indicate a real threat or attack due to alert fatigue. Then there is the consideration of which alerts are more important and should be prioritized.
Some organizations use different systems to monitor their cloud infrastructure, which means that each system gets its fair share of alerts. This often has far-reaching effects, leaving cybersecurity professionals drowning in a vast ocean of alerts.
4 recommendations to avoid alert fatigue
You can’t eliminate false alerts, unfortunately. Tuning the monitoring rules helps reduce them, but the reduction is not very significant. However, a CSPM and other monitoring tools can help cybersecurity professionals contextualize alerts and provide enough information for a proper investigation and threat mitigation.
Another possible countermeasure is to provide quick one-click remediation so that security personnel can mitigate common threats quickly and easily, or even to provide step-by-step instructions on how to fix each threat.
Below are some features to consider in a CSPM tool to help reduce alert fatigue for your security personnel.
1. Contextualize alerts
A CSPM should allow you to quickly identify and zoom in on suspect assets to understand the context of the threat in light of configuration and activity insights related to the severity of the event.
This reduces the time required to investigate each alert. You can quickly identify and dismiss a false alert, take immediate action to mitigate the threat, or resolve a vulnerability.
2. Provide actionable insights
Prevention is always better than cure. Why wait for alerts to arrive? Imagine seeing a history of all changes made in your multi-cloud environment, each accompanied by an actionable view that helps you identify potential threats to your cloud infrastructure and even guides you to take proactive action to mitigate them.
Such a feature will also help your organization remain audit-ready for international standards such as ISO 27001 and SOC 2, and for industry- and territory-specific standards such as PCI DSS for the payment industry, MAS TRM in Singapore, POJK 38 in Indonesia, APRA in Australia, and the Thai PDPA.
3. Custom rules and threat level flagging
Every organization has unique security and business needs; yours is no different. There may be in-house security rules to follow. Some organizations also have cloud assets that matter more to them than the same assets would to their industry peers.
You can reduce alert fatigue by monitoring these in-house rules and assets, setting the right criticality flag for each, and prioritizing them. For example, you can get alerts whenever there is any change to an AWS S3 bucket that contains Personally Identifiable Information (PII).
In addition, a CSPM should allow you to create monitoring groups in which you determine the level of criticality once and have it automatically applied to other assets flagged as critical in your organization. This, too, helps reduce alert fatigue.
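The two ideas above, contextualizing an alert with what is known about the asset (section 1) and overriding the tool's generic severity with in-house criticality rules (section 3), as a small triage routine. This is an added example, not code from the post or from any CSPM product; the asset inventory, rules, alert records and the `medium` noise floor are all constructed.

```python
# Added example (not from the post or any CSPM product): enrich CSPM alerts with
# asset context, apply in-house criticality rules, then filter, dedupe and rank.
from collections import Counter

# Constructed asset inventory: the context a CSPM holds per resource.
ASSETS = {
    "s3://customer-exports": {"tags": {"data": "pii"}, "public": False, "owner": "billing"},
    "s3://build-cache": {"tags": {"data": "none"}, "public": True, "owner": "ci"},
    "ec2/i-0abc": {"tags": {"env": "prod"}, "public": False, "owner": "platform"},
}
# Constructed in-house rules: (name, predicate over alert and asset, criticality).
CUSTOM_RULES = [
    ("pii-bucket-change",
     lambda a, s: a["resource"].startswith("s3://") and s["tags"].get("data") == "pii"
     and a["type"] in ("policy_change", "acl_change"), "critical"),
    ("public-noncritical-bucket",
     lambda a, s: s["public"] and s["tags"].get("data") == "none", "low"),
]
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

SAMPLE_ALERTS = [  # constructed alert records as a CSPM might emit them
    {"id": 1, "resource": "s3://build-cache", "type": "public_access", "severity": "high"},
    {"id": 2, "resource": "s3://customer-exports", "type": "policy_change", "severity": "low"},
    {"id": 3, "resource": "ec2/i-0abc", "type": "open_port", "severity": "medium"},
    {"id": 4, "resource": "s3://build-cache", "type": "public_access", "severity": "high"},
    {"id": 5, "resource": "ec2/i-0abc", "type": "open_port", "severity": "medium"},
]

def enrich(alert):
    """Attach owner/tags; the first matching rule overrides the generic severity."""
    asset = ASSETS.get(alert["resource"], {"tags": {}, "public": False, "owner": "unknown"})
    out = dict(alert, owner=asset["owner"], tags=asset["tags"], rule=None,
               criticality=alert["severity"])
    for name, matches, crit in CUSTOM_RULES:
        if matches(alert, asset):
            out.update(rule=name, criticality=crit)
            break
    return out

def triage(alerts, floor="medium"):
    """Drop alerts below the floor, collapse repeats into one entry, rank by criticality."""
    repeats = Counter((a["resource"], a["type"]) for a in alerts)
    queued = {}
    for a in alerts:
        e = enrich(a)
        key = (e["resource"], e["type"])
        if SEVERITY_RANK[e["criticality"]] < SEVERITY_RANK[floor] or key in queued:
            continue  # below the noise floor, or already queued
        e["repeats"] = repeats[key]
        queued[key] = e
    return sorted(queued.values(), key=lambda e: -SEVERITY_RANK[e["criticality"]])
```

On the constructed input, five raw alerts collapse to two: the tool-rated "high" public-bucket alert is demoted because the bucket holds no sensitive data, while the tool-rated "low" policy change on the PII bucket is promoted to critical and queued first.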
4. Rapid remediation of threats and vulnerabilities
Your security staff should also be able to quickly and easily remediate common and minor vulnerabilities and threats and receive step-by-step instructions on mitigating specific vulnerabilities.
In fact, selecting all the common and minor vulnerabilities and then bulk fixing them with a single click of the mouse can significantly reduce the time your security staff spends on fixing.
Another way to help your security staff avoid alert fatigue while developing their skills is to ensure that the CSPM tool offers step-by-step instructions for remediating vulnerabilities. For example, your security staff can fix common and minor vulnerabilities with a one-click option while following a step-by-step playbook for more complex remediation, learning from it as they go.
Stay alert, but not too much
Alert fatigue is a real problem facing the cybersecurity industry today. Not only does this weaken your organization’s defenses against the increasing number and sophistication of cyberattacks, but it also takes a serious toll on the mental well-being of your security staff.
Alert fatigue has contributed to many real-life breaches. Many professionals are leaving or considering leaving the industry altogether. This does not bode well for the cybersecurity industry as a whole, as cloud adoption is growing and the demand for such talent is acute worldwide.
Although we must accept that alert fatigue will never be eradicated, we can at least do what we can to limit the damage, so to speak. Introducing and adopting a good CSPM tool is a great way to do that.
This problem needs to be solved ASAP and not allowed to get worse.