Beep, beep, ding, ding – the origins of alert fatigue.
Alert fatigue is not a new phenomenon. It occurs when cybersecurity professionals become desensitized after dealing with an overwhelming number of alerts, so they start to overlook or ignore them and have slower response times. In most cases of alert fatigue, employees fail to respond in time because of the burnout they experience from alerts and notifications.
Alert fatigue is believed to be a major cause of the 2013 Target Data Breach that led to the theft of the credit card and personal information of about 40 million customers. It’s a concern for many businesses and needs serious attention. But how do you mitigate alert fatigue? Let’s find out.
A real struggle for cybersecurity professionals
The term alert fatigue was first coined in 2004 by The Joint Commission, a US-based non-profit hospital accreditation organization, to declare clinical alarm effectiveness as a standard for hospitals. It has since become popular for many businesses dealing with alerts, including cybersecurity.
While ignoring messages or app notifications may not negatively affect your daily lives, the ramifications can be severe for cybersecurity professionals and their organizations. According to RiskIQ's 2021 Evil Internet Minute Report 1, cybercrime costs businesses a whopping $1.79 million every 60 seconds.
A survey in 2018, just four years ago, found that 27% of IT professionals receive more than 1 million security alerts daily (pause and let that sink in), while the majority (67%) are bombarded with 100,000 alerts daily. SMEs are not spared the alert deluge either – hit with 4,000 cyberattacks every day.
And this number isn't expected to drop anytime soon. A related study from the same year found that alerts are increasing, and security personnel can only process an average of 12,000 alerts per week.
The great cybersecurity resignation
It’s not surprising that cybersecurity professionals are facing burnout. Even with a sizeable team, handling 2,000+ notifications a day is mentally taxing. Imagine being in firefighter mode every 8 hours of a typical workday, sometimes even longer.
A recent report by Panther Labs found that up to 80% of security engineers suffer burnout. Additionally, 45% of respondents to Deep Instinct's third edition of the annual Voice of SecOps Report 2 consider leaving the industry altogether due to stress. Forty-six percent of the same respondents said they know at least a peer who left cybersecurity in the past year due to stress.
Chief information security officers (CISOs) are burning out and quitting at an even more alarming rate. Forty-nine percent of 1,000 respondents from the same report are considering leaving the industry due to increasing stress levels.
It’s not just about people leaving their jobs but the damage to the industry itself. The industry is losing talent for good, and there's unlikely to be an equitable replacement rate for them. Even though more people are entering the industry than leaving it, it takes time for new entrants to get up to speed.
Not all alerts are created equal
So why are there so many alerts? Monitoring tools such as Cloud Security Posture Management (CSPM) and Security Information and Event Management (SIEM) issue alerts when anomalies are detected within a cloud infrastructure. However, not all alerts require action, or at least not immediately. Some alerts indicate minor problems that can be fixed later or even ignored.
Then there are false positives, which account for nearly half (45%) of all cybersecurity alerts, according to a report published by Fastly in 2021. False positives are alerts that indicate an attack, vulnerability, or risk when none actually exist.
Think of it as a false alarm or the boy who cried wolf. For example, older legitimate files with missing security certificates can be flagged as malicious.
Similarly, an alert may be issued indicating a suspicious login by an employee from an unknown location when the information security (IS) team is unaware that the employee is there on vacation.
To minimize such alerts, you can use a least privilege policy and only share access to non-threat-prone apps and data. You can also use a zero-trust model and completely restrict access to threat-prone or critical apps and data.
The Fastly report also found that 75% of organizations spend as much time, and sometimes more time, on false positives than on actual attacks. These false alerts cause the same amount of downtime as real attacks.
The problem with false positives isn’t that they exist, but:
- The sheer number of them
- Each requires time and effort to review, investigate, and verify to ascertain if the attack, threat, or vulnerability is real.
These are the root causes of alert fatigue.
Imagine a faulty fire alarm system going off repeatedly in your home. The first time it wails, you thoroughly comb every corner of the house to ascertain if there’s a fire and where it is. You may do this for a few subsequent alarms, but eventually, just decide it’s not worth your time to investigate another alarm and ignore it.
In the same way, cybersecurity professionals may eventually completely ignore or miss important alerts that indicate a real threat or attack due to alert fatigue. Then there’s the consideration of which alerts are more important and need to be prioritized.
Some organizations use disparate systems to monitor their cloud infrastructures, meaning each system gets its fair share of alerts. These often have multiplicative effects, leaving cybersecurity professionals drowning in a vast ocean of alerts.
4 recommendations to prevent alert fatigue
You can’t eradicate false alerts, unfortunately. Finetuning monitoring rules helps reduce them, but the reduction is insignificant at best. However, using a CSPM and other monitoring tools can help cybersecurity professionals contextualize the alerts or provide sufficient information for factual investigation and threat mitigation.
Another possible countermeasure is to provide easy one-click remediation so security staff can quickly and easily mitigate common threats or even provide step-by-step instructions on how to remediate these threats.
Below are some features to consider in a CPSM tool to help reduce alert fatigue for your security staff.
1. Contextualize alerts
A CSPM should allow you to quickly identify and zoom in on suspected assets to understand the context of the threat in light of configuration and activity perspectives associated with event severities.
This significantly reduces the time required to investigate each alert. You can quickly identify and dismiss a false alert, take immediate action to mitigate the threat, or remediate the vulnerability.
2. Provide actionable insights
Prevention is always better than cure. Why wait for the alerts to come through? Imagine seeing a history of all changes made to your multi-cloud environment, each accompanied by an actionable insight that helps you know of potential threats to your cloud infrastructure and even guides you on taking proactive action to mitigate the potential threats.
Having such a feature will also allow your organization to stay audit-ready for international standards such as ISO 27001, SOC 2, industry-specific and territorial standards such as PCI DSS for the payments industry, Singapore's MAS TRM, Indonesia’s POJK 38, Australia’s APRA, and the Thai PDPA.
3. Custom rules and threat level flagging
Every organization has unique security and business needs; yours is no different. You may have some in-house security rules to monitor. Some organizations also have cloud assets more important than others compared to their industry peers.
You can reduce alert fatigue by monitoring these in-house rules and assets, setting the right criticality flags for each, and prioritizing them. For example, you may want to get alerts whenever there’s any change on an AWS S3 bucket containing Personal Identifiable Information (PII) data.
Going further, a CSPM should allow you to create monitoring groups where you can specify the criticality level and automatically apply it to other flagged critical assets in your organization. This will help you reduce alert fatigue.
4. Quick remediation of threats and vulnerabilities
Your security staff should also be able to quickly and easily remediate common and minor vulnerabilities and threats and receive step-by-step instructions on mitigating specific vulnerabilities.
In fact, selecting all common and minor vulnerabilities and then bulk-remediating them with a single click of the mouse will significantly reduce the time your security staff spends on remediation.
Another way you can help your security staff stave off alert fatigue and upskill simultaneously is by ensuring that the CSPM tool offers step-by-step instructions for remediating vulnerabilities. For example, your security staff may choose to remediate common and minor vulnerabilities with the one-click option while using the step-by-step playbook for more complex remediations and learn from that.
Stay alert, but not too much
Alert fatigue is a real problem facing the cybersecurity industry today. Not only does it weaken your organization’s defenses against an increasing number and growing sophistication of cyberattacks, but it also takes a severe toll on your security staff's mental well-being.
Alert fatigue has caused numerous real-life examples of breaches. Many professionals are actually leaving or thinking of leaving the industry altogether. This doesn’t bode well for the cybersecurity industry as a whole, given that cloud adoption is on the rise and the need for such talents is dire on a global scale.
While we have to admit that alert fatigue can never be eradicated, we can at least do our utmost to minimize the rot, so to speak. Introducing and adopting a good CSPM tool is one good way to do just that.
This problem needs to be resolved ASAP and not be left to fester.
Cyberattack incoming! Find out what to do when you have a data breach and prevent future breaches.