01.09.2021

8 ways to avoid cyber security alert fatigue and false positives

by Andrew Milne

Today’s cyber security professionals often struggle with security alert fatigue. They use more tools to defend more systems than ever before, resulting in an overwhelming number of potential security threat alerts that require investigation. Teams are left feeling overworked and exhausted as they struggle to sort through high volumes of information to spot the real cyber risks and concerns that threaten their business’ operations, reputation, and data.  

Each security alert creates more noise that security professionals have to manage and, eventually, they may begin to tune it out. But, just like the story of the boy who cried wolf, this is where the real danger lies. When exhaustion sets in and cyber security teams struggle to pay attention to alerts, the real cyber threats slip past unnoticed.  

The good news? By understanding cyber security alert fatigue and why false positives happen in the first place, you and your team can stay focused on the issues and concerns that matter most to your business.  

What is cyber security alert fatigue? 

Cyber security alert fatigue occurs when infosec staff are constantly exposed to alerts and alarms from the tools and technologies organizations use to defend their data and IT assets, and over time become desensitized to them. They may take the form of individual emails sent to a user’s inbox or push notifications on a software dashboard.

On average, each alert takes at least ten minutes to investigate — and large companies typically deal with at least 1,000 cyber security alerts a day.    

All that time adds up. Unfortunately, 75% of businesses report spending just as much time investigating false positives as they do genuine security incidents. 

What is a false positive in cyber security? 

According to the National Institute of Standards and Technology (NIST), false positives are alerts that incorrectly indicate a vulnerability is present or that malicious activity is occurring, or that classify benign activity as suspicious.  

Put simply, a false positive is like a house alarm going off and telling you that someone’s trying to break in, but your doors are still locked and there’s no sign a burglar tried to steal from you.  

How dangerous is cyber security alert fatigue? 

If left unaddressed, alert fatigue can develop into full-blown burnout, impacting an organization’s ability to deal with true cyber security incidents. Critical alerts may easily slip through the cracks. 

Cyber alert fatigue was discussed as a potential cause of the 2013 Target security breach that resulted in the theft of credit card and private data for an estimated 70 million customers.  

Speculation focused on two issues: that no initial response was taken by Target IT, most likely because the genuine alerts were lost among other ‘false’ alerts, and the possibility that alerting features had been turned off in order to reduce false positives. 

What is a false positive in cyber security? 

A false positive is any alert or alarm that indicates a vulnerability or intrusion in your network that is not actually there. Put simply, a false positive is like your house alarm going off when there’s no burglar trying to rob you.   

How to manage alert fatigue and false positives 

With all this in mind, how do you reduce false positive monitoring and alerting for your business? How do you quickly identify the critical issues that require your attention? Let’s dig in.

1. Optimize your security tech stack

Part of the cause behind alert fatigue in cyber security is the sheer volume of tools companies rely on to defend their IT environment.  

In a recent survey of our Twitter community, we asked how many tools and solutions cyber security professionals use to identify and respond to threats; 25% said they were using 10 or more tools.  

According to IBM research, companies with over 50 tools in their security tech stack have a harder time detecting and responding to active threats, largely thanks to the fact these tools aren’t always interoperable. 

That lack of integration could lead to duplicate alerts, vastly increasing the amount of work staff must do without actually providing any additional security. 

If your team is overwhelmed with alerts, take the time to conduct an inventory of your tech stack. You may be able to replace point solutions that only address one part of your IT environment with a more comprehensive piece of technology that will secure your operations from end to end.  

2. Ensure security tools are integrated properly

Closely related to our previous point, tools that aren’t properly integrated with each other are a recipe for headaches and alert fatigue.  

The comprehensive coverage necessary for modern security often means organizations must layer several point solutions on top of each other.  

But as we discussed, not all tools are interoperable. What’s more, as there’s little incentive for vendors to create tools that play well with others, you may be stuck with an overwhelming volume of redundant security data. 

Ensuring your tools are properly integrated may be time-consuming, but that interoperability can help reduce the overall number of alerts to investigate and help cut down on the number of false positives to follow up on.

3. Assess and reduce your threat surface

Your threat surface comprises every point in your IT environment where an attacker could gain unauthorized access. This includes both hardware and software: 

  • Desktop and laptop computers. 
  • Mobile phones. 
  • Routers, switches, and servers. 
  • Removable data storage, like USB flash drives. 
  • Smart devices, including TVs, security cameras, and other technology. 
  • Unsupported or unpatched software, workstations, and even servers. 
  • Misconfigured cloud services. 
  • Services and devices that connect to the internet, including those that support remote work and Internet of Things (IoT) devices such as smart speakers or security cameras. 
  • Web and desktop applications, including cloud-based SaaS deployments or email services. 
  • Shadow IT, software that interacts with a company’s IT infrastructure but is not under their direct control. 

Even something as innocuous as extra, unused code can expand your threat surface. All code has the potential to contain flaws, and if such code is left exposed in a program, it may give an attacker another vector for targeting your IT network. 

By reducing your threat surface, you’re actively removing those attackable points, or improving their defences. With fewer attackable points, you’ll also have fewer alerts to manage and sort through. 

4. Tackle quick-win security updates

One of the easiest ways a company can improve its security posture quickly and efficiently is by focusing on adopting and following a few cyber security basics: 

  • Know your network: Understanding what devices, technology, software, and connections occur on your network is foundational to better cyber security. Learn the ins and outs of your IT infrastructure to better understand how an attacker might target it.  
  • Keep software up to date: Regularly patching and updating software can help eliminate vulnerabilities as software developers identify them. One 2019 study found that 60% of breaches were linked to an available yet unapplied security patch.  
  • Use stronger passwords: Weak passwords mean that attacks that target users are still remarkably effective. Take the time to ensure your company is following accepted best practices and using effective password management applications.  
  • Use a firewall: A firewall can prevent staff from accessing (intentionally or not) known malicious websites, actively blocking them from clicking those risky links.  
  • Educate and train employees: Humans are often the weakest link in security. Beyond stopping them from accessing known malicious sites and links, you’ve also got to deal with social engineering attacks that prey on distraction. Train employees to recognize the signs of a phishing attempt, what to do if they think they’ve been compromised, and best practices for passwords and cyber hygiene. 

5. Prioritize alerts

What alerts and warnings are important to your organization? Determining what cyber threats would have the greatest impact on your organization is a great place to start.  

The high-profile anomalies in your system should be surfaced to your team immediately, but not all threats are created equal. Some can wait a few hours.  

Prioritization allows your team to triage alerts and make better use of their time. 

6. Adjust and fine-tune alert thresholds

Understanding what triggers an alert can help you fine-tune when alerts are delivered to your team. For example, if every incorrect password entry sends an email alert to your team each and every time a staff member’s finger slips and hits the wrong key, then you’re likely going to have a very full inbox.  

Rethink the rules that trigger a security alert. In this case, multiple rapid incorrect password attempts may be a better indicator of a brute force attack. This can help reduce the number of false positives you deal with, in turn giving your team some breathing room to focus on genuine threats. 

7. Automate tasks where appropriate 

People make mistakes in the best of times. When faced with the constant noise of alert fatigue, mistakes become more likely and common.  

Wherever possible, take the time to automate threat investigation to take some of the burden off of busy team members.  

8. Enrich alerts with greater context

As alerts are delivered to your team, consider what information is being passed on to them.  

As an example, a traditional security alert may read, “Incomplete login session at 2:43 am on the 10.20.32.12.” Because a single alert takes, on average, about ten minutes to investigate, any additional information your alerts provide can save time and let your staff focus on remediation that much faster. 

In contrast, an enriched, contextual alert would tell you, “There is a sustained brute-force attack by thousands of remote IPs against the Remote Desktop Service located on DESKTOP-PC10 (10.20.32.12). It is advisable to immediately firewall this system from the Internet and implement a VPN-based solution for remote access.” 
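The two ideas in sections 6 and 8, rethinking the rule that fires an alert and attaching context to the alert that does fire, are easy to show side by side in code. The following is an added example, not code from the post or from its author; it works over a small set of constructed authentication log lines and a constructed asset inventory, and the hostnames, IP addresses, service names, log format and thresholds are all assumptions for illustration. It goes one step beyond the text in one respect: the threshold is keyed on the target host rather than the source address, so a distributed brute-force attempt from many addresses (the situation in the enriched alert above) still crosses the threshold, while a single mistyped password never does.

```python
"""Threshold tuning and alert enrichment over constructed auth-log lines.

Added example. The log format, hosts, IPs, services and thresholds below
are assumptions for illustration, not values from any real environment.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: timestamp, outcome, user, source IP, target host IP.
SAMPLE_LOG = """\
2021-09-01T02:41:02 FAIL alice 198.51.100.7 10.20.32.12
2021-09-01T02:41:05 FAIL alice 198.51.100.8 10.20.32.12
2021-09-01T02:41:07 FAIL admin 198.51.100.9 10.20.32.12
2021-09-01T02:41:09 FAIL admin 198.51.100.10 10.20.32.12
2021-09-01T02:41:11 FAIL root 198.51.100.11 10.20.32.12
2021-09-01T02:41:13 FAIL root 198.51.100.12 10.20.32.12
2021-09-01T02:43:00 FAIL bob 10.20.32.50 10.20.32.12
2021-09-01T02:43:20 OK bob 10.20.32.50 10.20.32.12
2021-09-01T09:15:00 FAIL carol 10.20.32.51 10.20.32.30
2021-09-01T09:15:10 OK carol 10.20.32.51 10.20.32.30
"""

# Constructed asset inventory used for enrichment (assumption).
ASSETS = {
    "10.20.32.12": {"name": "DESKTOP-PC10", "service": "Remote Desktop Service", "internet_exposed": True},
    "10.20.32.30": {"name": "FILESRV01", "service": "SMB file share", "internet_exposed": False},
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    ok: bool
    user: str
    src: str
    dst: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed space-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, src, dst = line.split()
        events.append(Event(datetime.fromisoformat(ts), outcome == "OK", user, src, dst))
    return events


def naive_alerts(events: list[Event]) -> list[str]:
    """The noisy rule from the text: one alert for every failed login."""
    return [f"Failed login for {e.user} from {e.src} on {e.dst} at {e.ts:%H:%M}" for e in events if not e.ok]


def tuned_alerts(events: list[Event], threshold: int = 5, window: timedelta = timedelta(minutes=1)):
    """Fire once per window when a target host sees >= threshold failures inside it.

    Keyed on the target host, not the source IP, so a distributed attempt from
    many addresses still trips the rule; a lone typo never reaches the threshold.
    """
    recent: dict[str, deque] = defaultdict(deque)  # dst -> timestamps of recent failures
    last_alert: dict[str, datetime] = {}           # dst -> when we last alerted (dedupe)
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.ok:
            continue
        q = recent[e.dst]
        q.append(e.ts)
        while q and e.ts - q[0] > window:          # slide the window forward
            q.popleft()
        if len(q) >= threshold and (e.dst not in last_alert or e.ts - last_alert[e.dst] > window):
            last_alert[e.dst] = e.ts
            alerts.append((e.dst, e.ts))
    return alerts


def enrich(events: list[Event], dst: str, until: datetime, window: timedelta = timedelta(minutes=5)) -> dict:
    """Build the contextual alert the text describes: asset, service, scale, next step."""
    fails = [e for e in events if e.dst == dst and not e.ok and until - window <= e.ts <= until]
    sources = {e.src for e in fails}
    users = sorted({e.user for e in fails})
    asset = ASSETS.get(dst, {"name": "unknown-asset", "service": "unknown service", "internet_exposed": None})
    action = ("firewall this system from the Internet and move remote access behind a VPN"
              if asset["internet_exposed"] else "review internal access; host is not Internet-exposed")
    minutes = int(window.total_seconds() // 60)
    return {
        "host": f"{asset['name']} ({dst})",
        "service": asset["service"],
        "failures": len(fails),
        "distinct_sources": len(sources),
        "targeted_users": users,
        "message": (f"{len(fails)} failed logins against {asset['service']} on {asset['name']} ({dst}) "
                    f"from {len(sources)} distinct source IPs in the last {minutes} minutes; "
                    f"targeted accounts: {', '.join(users)}. Recommended: {action}."),
    }


def run(text: str = SAMPLE_LOG) -> dict:
    """Compare the naive rule with the tuned, enriched one on the same log."""
    events = parse_log(text)
    tuned = tuned_alerts(events)
    return {
        "naive_count": len(naive_alerts(events)),
        "tuned": tuned,
        "enriched": [enrich(events, dst, ts) for dst, ts in tuned],
    }


if __name__ == "__main__":
    result = run()
    print(f"naive rule: {result['naive_count']} alerts; tuned rule: {len(result['tuned'])} alert(s)")
    for a in result["enriched"]:
        print(a["message"])
```

On the sample data the per-failure rule produces eight alerts, one of which is the real event; the tuned rule produces a single alert for DESKTOP-PC10, and the enrichment step turns it into a message that already names the asset, the exposed service, the number of distinct sources and the accounts being tried, which is the information an analyst would otherwise spend their ten minutes looking up.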

Cut through the noise 

Cyber attacks aren’t slowing down any time soon. It’s more important than ever that your business cut through the noise to focus on the threats that matter most. But cyber security is always changing, and you may not have time to keep your finger on the pulse of the threat landscape.   

Instead, sign up for our newsletter below. You’ll receive the latest news about new and emerging threats, cyber security best practices and tips, informative webinar invites, and more! 
