An influx of false positive security alerts can lead infosec pros to overlook real threats. Learn how to avoid security alert fatigue and its potential consequences.
Most organizations have a variety of defensive cybersecurity measures in place, including firewalls, intrusion detection systems/intrusion prevention systems, antivirus and other endpoint security tools that record, analyze and report on thousands of events every hour. This results in a nonstop flood of alerts that security teams must prioritize and investigate to discern whether the threats are serious.
Each alert requires qualified human attention, a resource that, for most security teams, is in short supply. This leaves those tasked with the job overloaded and allows genuine attack alerts to get lost in the noise of false positives.
Nearly half of respondents to a 2019 CRITICALSTART survey reported that half or more of their alerts are false positives. To cope with this alert fatigue, 57% of respondents tune specific alerting features or thresholds to reduce alert volume, while another 39% simply ignore certain alert categories.
These approaches can have disastrous consequences. One notable example of what happens when alerts are ignored is the Target data breach of 2013, in which 40 million payment card records were stolen. Despite numerous alerts warning of the unfolding attack, Target did not react in time because similar alerts were commonplace and the security team incorrectly classified them as false positives.
As organizations’ data and IT infrastructures spread out across the cloud, the number of alerts is only going to increase and exacerbate the situation. It’s a difficult problem for CISOs, as the only plausible option is to reduce the number of alerts their team is required to inspect.
Triggering thousands of alerts daily that are never investigated, or are casually dismissed as false positives, adds no value to security operations. It only creates opportunities for important alerts to be missed because there is not enough time to review them.
Reducing the number of low-fidelity alerts raises the proportion of true positives and improves alert accuracy: any alert that is generated should then carry actionable insight to help the security team investigate it, including details on the chain of events that led to the alert.
However, it is exceedingly difficult to write rules that narrow anomalous events and threats down to a manageable number of alerts, especially in security systems that cover all user activity. Machine learning and AI have long been touted as the future of detecting patterns of behavior that deviate from the norm, even in subtle ways, but until recently these technologies have struggled to stem the tide of alerts. New cloud-based approaches to offsetting alert overload are coming to market that concentrate on producing fewer, but more significant, alerts based on their context.
CRITICALSTART, FireEye and Palo Alto Networks offer services that prioritize and present contextualized alerts. These alerts include details such as the root cause, the entire attack chain, the entities involved and a damage assessment, presented with easy-to-digest graphics. With information about a potential problem presented in this format, security analysts can properly analyze and correctly respond to alerts.
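To make the preceding three paragraphs concrete, here is an added example, written for this page and not taken from the TechTarget article or from any Critical Start, FireEye or Palo Alto Networks product, of the basic mechanics behind "fewer, but more significant, alerts based on their context". It groups raw events by entity inside a time window, collapses each group into an ordered attack chain with a root cause, and fires one alert only when the distinct stages in the chain score above a threshold. The log lines, host names, user names, event categories, stage weights, window and threshold are all constructed for the example. It also shows why the "ignore a category" shortcut from the survey is risky: dropping `auth_failure` events still yields an alert here, but the brute-force root cause disappears from it.

```python
"""Added example: correlate noisy events into contextualized alerts.

Not code from the article or from any vendor product; all names and
thresholds below are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical severity weight per event category. A single login failure
# is worth almost nothing on its own; a C2 beacon or a malware hit alone
# clears the threshold.
STAGE_WEIGHT = {
    "auth_failure": 1,
    "auth_success": 1,
    "new_admin_user": 3,
    "malware_detected": 5,
    "outbound_c2": 5,
}
ALERT_THRESHOLD = 5            # the "tuning knob" survey respondents adjust
WINDOW = timedelta(minutes=15)  # gap that splits one entity's activity

# Constructed sample events: "<iso timestamp> <category> <host> <user>".
SAMPLE_LOG = """\
2020-07-16T09:00:01 auth_failure host-12 alice
2020-07-16T09:00:02 auth_failure host-12 alice
2020-07-16T09:00:03 auth_failure host-12 alice
2020-07-16T09:00:10 auth_success host-12 alice
2020-07-16T09:03:00 outbound_c2 host-12 alice
2020-07-16T09:05:00 auth_failure host-07 bob
2020-07-16T09:10:00 auth_success host-09 carol
2020-07-16T09:20:00 malware_detected host-03 dave
2020-07-16T09:30:00 auth_failure host-21 eve
2020-07-16T09:30:05 auth_failure host-21 eve
2020-07-16T10:30:00 auth_failure host-12 alice
""".splitlines()


@dataclass
class Event:
    ts: datetime
    category: str
    host: str
    user: str


@dataclass
class Alert:
    entities: tuple        # (host, user) the chain belongs to
    root_cause: str        # first stage observed in the chain
    chain: list            # ordered, de-duplicated stages
    score: int
    first_seen: datetime
    last_seen: datetime
    raw_event_count: int   # how many raw events this one alert replaces


def parse_events(lines):
    """Parse the constructed log format and return events in time order."""
    events = []
    for line in lines:
        ts, category, host, user = line.split()
        events.append(Event(datetime.fromisoformat(ts), category, host, user))
    return sorted(events, key=lambda e: e.ts)


def drop_categories(events, ignored):
    """The survey's 'ignore certain alert categories' shortcut."""
    return [e for e in events if e.category not in ignored]


def correlate(events, threshold=ALERT_THRESHOLD, window=WINDOW):
    """Emit one alert per (host, user) activity burst whose distinct stages
    score at least `threshold`; repeated stages do not inflate the score."""
    groups = {}   # (host, user) -> events in the current burst
    alerts = []

    def flush(key):
        burst = groups.pop(key)
        chain = []
        for ev in burst:
            if ev.category not in chain:
                chain.append(ev.category)
        score = sum(STAGE_WEIGHT.get(c, 0) for c in chain)
        if score >= threshold:
            alerts.append(Alert(key, chain[0], chain, score,
                                burst[0].ts, burst[-1].ts, len(burst)))

    for ev in events:
        key = (ev.host, ev.user)
        # A gap longer than the window starts a new burst for this entity.
        if key in groups and ev.ts - groups[key][-1].ts > window:
            flush(key)
        groups.setdefault(key, []).append(ev)
    for key in list(groups):
        flush(key)
    return sorted(alerts, key=lambda a: a.first_seen)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(f"{len(events)} raw events")
    for a in correlate(events):
        print(f"ALERT {a.entities} score={a.score} root={a.root_cause} "
              f"chain={' -> '.join(a.chain)} ({a.raw_event_count} events)")
    print("with auth_failure ignored:")
    for a in correlate(drop_categories(events, {"auth_failure"})):
        print(f"ALERT {a.entities} root={a.root_cause} chain={a.chain}")
```

Run as written, eleven raw events become two alerts: the burst on `host-12` (three failed logins, a success, then an outbound C2 connection) and the lone malware detection on `host-03`; bob's single failure, carol's ordinary login, eve's two failures and alice's later isolated failure produce nothing. With `auth_failure` suppressed the `host-12` alert still fires, but its root cause is now the successful login rather than the brute-force that preceded it, which is the context an analyst would want.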
Of course, it’s not just an organization’s security teams that must deal with daily security alerts. On an average day, employees at all levels are likely to receive some sort of warning or reminder not to open a suspicious email attachment, not to click on a potentially malicious link or not to share their passwords.
It’s important that employees pay attention to these warnings and reminders, but perimeter defenses should stop most malicious inbound traffic before it reaches the end user, reducing the number of warnings their antivirus program needs to generate. Security awareness programs can help educate users about how to evaluate and act on the email or text notifications they regularly receive.
Security alert fatigue is so challenging because technology cannot eliminate human error entirely. But eliminating useless alerts and making the necessary ones more meaningful can prevent security teams from being overwhelmed with alerts that ultimately are overlooked or ignored altogether.
Feature in TechTarget Security | July 16, 2020
CRITICALSTART® and MOBILESOC® are federally registered trademarks owned by Critical Start. Critical Start also claims trademark rights in the following: Cyber Operations Risk & Response™ platform, and Trusted Behavior Registry®. Any unauthorized use is expressly prohibited.