It turns out that alert fatigue is not unique to cybersecurity - who knew? Given the fact that alert overload is a problem across industries like healthcare, manufacturing, transportation, and utilities, you’d think that we in the cybersecurity industry would have some better tools and insights about how to handle it. Unfortunately, that’s not the case.
This is why Andrew Morris, founder and CEO of GreyNoise, pulled together his thoughts on the topic and shared them in a guest blog for IOActive. The post is titled “Cybersecurity Alert Fatigue: Why It Happens, Why It Sucks, and What We Can Do About It.” In the article, he covers the main contributing factors to alert fatigue for cybersecurity practitioners, the impact it has on analysts and SOC teams, and some thoughts about addressing the problems at multiple levels.
You know you might have an alert fatigue problem if any of these technical causes of alert fatigue sound familiar:
- Overmatched, misleading, or outdated indicator telemetry
- Legitimate computer programs doing weird things
- Poor security product UX
- Expected network behavior is a moving target
- Home networks are now corporate networks
- Cyberattacks are easier to automate
- Activity formerly considered malicious is being executed at internet-wide scale by security companies
- The internet is really noisy
And all of these factors are made worse by a SOC ecosystem that’s not set up for success. This includes vendors who sell on fear, build products that don’t play well with others, focus only on the signal (not the noise), and price their products in ways that drive them to raise as many alerts as possible. And SOCs are equally culpable, putting enormous pressure on analysts to catch every single attack in an environment where the alert volumes just keep growing, and half of them are false positives. Is it any wonder that security analysts exhibit serious alert fatigue and burnout, and that SOCs have extremely high turnover rates?
Please check out the blog post here to learn more about the causes of alert fatigue, why it sucks, and what we can do about it.