According to a 2015 Ponemon report, an organization could receive 16,937 malware alerts per week, of which only 3,128 (19%) were deemed reliable; the rest were considered to be false positives. And of those deemed reliable, only 705 (22.55%) were investigated.
Those numbers are only for malware alerts. It doesn’t include alerts for guessing passwords, attempts to access root accounts or disabled accounts, installing new service, or any of the other alerts generated by the many security tools used within an organization, including IDS/IPS or SIEM solutions, endpoint security systems, firewalls, and anti-virus and APT detection software.
This tsunami wave of alerts—many of which are false positives—results in alert fatigue, a sense of frustration, overwhelm, and desensitization to what is perceived to be unmanageable.
How alert fatigue works
You’ve most likely experienced alert fatigue in your daily life. Your phone rings for the 100th time while you’re trying to prepare a presentation. Or you look at your email inbox and see that 50 new messages arrived while you were in a one-hour meeting and you need to now go to another meeting. So you ignore the ringing phone or the emails.
And that is a normal way for reducing stress—remove from awareness any unpleasant reminders of what is causing you to feel frustrated or overwhelmed. Desensitize yourself.
But, alert fatigue in your personal life has far less consequences than alert fatigue for a security team. Remember Target’s 2013 data breach? Its security team received malware alerts before any data was stolen, but ignored them because they’d received too many of those types of alerts in the past and all were false positives. Except, in this case, the alerts weren’t false positives. Target is still settling lawsuits for that security breach.
Factors leading to alert fatigue
Complex IT environments—Today’s organizations have a global footprint of IT resources (including databases, and cloud, virtualization, and big data sites) and countless applications, requiring a variety of security tools to protect those resources and applications. As a result, you must monitor an ever-increasing number of alerts generated by all those security tools.
Lack of context—Alerts arrive, usually in someone’s email inbox, without any context or actionable information. For example, an alert indicates a virus was detected on an endpoint device, but doesn’t indicate whether the virus was accidentally downloaded from an email or malware-infected website or intentionally injected as part of an attack. As a result, you clean the endpoint device, but receive seemingly unrelated alerts about viruses on other endpoint devices. You feel like you’re in a never-ending wash-rinse-repeat cycle.
Alert redundancy—Different security tools may be issuing alerts for the same issue.
False positives—If different security tools are issuing alerts for the same issue, and the issue is not really an issue, it’s human nature to assume that all similar alerts are also false positives. Again, remember Target?
Delivery Issues—Too often, alerts are blasted out to everyone on the security team. If everyone is responsible for responding to the alert, it’s human nature to think that someone else is taking care of the issue. And the alerts keep coming because no one is investigating the issue.
Impact of alert fatigue
Some of the more common impacts of alert fatigue are:
- Treating the alert as noise to be ignored, as the brain adjusts to the constant stimulation of the alerts. How many times have you ignored a blaring car alarm because you ‘know’ it’s much ado about nothing?
- Missing critical events due to needing to manually sort through both valid and invalid alerts.
- Losing data integrity, confidentiality, or availability due to lack of a timely response to a valid alert.
- Increasing anxiety and low morale as people focus on firefighting (responding to alerts) rather than improving services.
In addition, too many alerts can result in:
- Increased costs and wasted time conducting manual investigations and responses on false positive alerts.
- Overflowing email inboxes as each security tool sends its own alerts.
- Decreased ability to connect the dots, especially since most security tools treat alerts as discrete events.
Mitigating alert fatigue
As more organizations have a global footprint of IT resources (including databases, and cloud, virtualization, and big data sites) and use a variety of security tools to protect those resources, mitigating alert fatigue requires reducing the noise-to-signal ratio through fewer, but more accurate alerts. A few ways to do that are:
- Conduct data discovery and classification to determine where your sensitive data resides and assess the level of risk to its integrity, confidentiality, and availability.
- Conduct a behavioral analysis to create a behavioral baseline profile or ‘whitelist’ of typical patterns of access to databases, file shares, and cloud-based applications based on functional unit and role; and then spotlight the riskiest users, client hosts, and servers so security teams can prioritize investigation of any anomalies.
- Create a scale of alert levels, defining priority, notification and escalation channels, and responses.
- Adjust anomaly-detection thresholds, based on the risk classifications, behavioral analysis, and alert levels to ensure receiving the types of alerts you want to receive (e.g., compromised file scans, failed login to root accounts, phishing attempts).
- Consolidate and simultaneously run network, application, and file scans in order to see issues across the environment.
- Use context-based access control (CBAC) to authenticate both the user and device to control what a user can see or do. For example, an authorized user accessing sensitive data from a personal tablet can see/do less than if he or she accessed that data from a corporate-issued laptop.
- Use a single platform (rather than email) to collect alerts from the organization’s security tools. Ensure that the tool can contextualize the alerts—the source, user, and activity leading to the alert. This helps determine whether multiple alerts are from the same source, user, or activity, which may indicate malicious activities.
- Automate alert investigation and escalation to deal with some of the more common alerts (e.g., failed logins, phishing attempts, malware detection)