The Security Alert Fatigue Problem is Real
According to a recent Dimensional Research report (2020), “56% of Large Companies Handle 1,000+ Security Alerts Each Day.” And year-over-year the problem is getting worse. “Seventy percent said the volume of security alerts they receive on a daily basis have more than doubled in the past five years.” Naturally this puts stress on the security staff. “Most (93%) said they cannot address all alerts in the same day.” This exponential growth in the sheer volume of alerts and the staff shortages to manage them all contribute to alert fatigue. Alert fatigue has now become widespread across enterprise security teams – “83% said staff has alert fatigue.” (Dimensional Research Report 2020)
Five Practical Steps to Beating Alert Fatigue
There is light at the end of the tunnel. Recent innovative approaches and technologies can help alleviate the causes of alert fatigue at the source. Here are five practical steps you can take today:
- Take Out the False Positives – The bad news is that while automated scanning tools have dealt with the problem of identifying vulnerabilities at scale, they have also created the alert and noise problem. Automated tools cannot rule out the false positives, so manual validation is still necessary. Fortunately, there is a new breed of Vulnerability Management platforms that offer integrated expert vulnerability assessments. They can assure virtually false-positive-free alerts, preventing additional strain on your internal security staff. This hybrid model integrates both automation and human validation. Alert fatigue is too often accepted as the status quo, but it does not need to be. In 2022 there is no reason for any team to spend limited resources on chasing false positives.
- Aggregate Your Alert Dashboards – While automated scanning tools have evolved, they continue to be siloed, IT layer-specific point solutions, each with its own alert dashboard. It's far less efficient and more time-consuming to constantly scan and analyze multiple dashboards. It also takes more effort to compile aggregated reports on your total security posture to deliver to management. Even worse than consuming staff bandwidth – and assuming you do have adequate staff – this lack of efficiency and increased time can slow the actual remediation time. But again, there is no reason in 2022 that you have to live with multiple alert dashboards and allow them to impact your remediation times. There are innovators that have consolidated a single dashboard of truth for each layer of the IT stack to make alert management much more efficient and lower your remediation times.
- Contextualize – Deciphering which vulnerabilities have the largest business impact and need immediate attention can also create alert fatigue. Standards are shifting to pre-built technologies that contextualize each alert based on the business impact it may have on your organization. It's far more efficient to see the most significant risks on a single dashboard and immediately perform strategic remediation actions.
- Closure Through On-Demand Pentests – Another dimension of alert fatigue is at the validation level. When a pentest is performed and the fix for the vulnerability is validated, one wants to be confident that it is in fact resolved. To achieve this, one should confirm that the pentesters themselves are seasoned security professionals who are familiar with your business processes and with how your security posture provides resilience within the context of your operations. To reduce turnaround times and ensure continuous coverage, enterprises are moving to on-demand Penetration Testing as a Service (PTaaS) models.
- Pivot from Alert Fatigue to Remediation Superstars – According to the 2022 Edgescan Stats Report, the mean time to remediate (fix code) at critical risk at the Web Application/API layer is 47.6 days and the mean time to remediate (patch/reconfigure) Device/Host Layer Critical Risk is 61.4 days. You want to focus on fixing things and fixing them quickly. To pivot your team from alert-fatigued soldiers to resilience enablers, you will need to shift focus from collating and validating results to remediation. And there are practical steps you can take to achieve this. Perhaps the most important step is to integrate the intelligence and remediation guidance into the workflow and support systems of your IT staff. This ensures that your accurate guidance will be in the hands of the support staff to resolve these issues and will lower the overall remediation time. The good news is that the industry is pivoting to vulnerability tracking tools that come pre-built with integrated hooks into common support systems to make this integration that much easier.
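The first three steps above (dropping validated false positives, aggregating siloed tool feeds into one view, and ranking by business context) can be illustrated mechanically. The script below is an added example and is not code from the post or from Edgescan; the two feed formats, the asset inventory and the criticality weights are constructed placeholders (the CVE identifiers are dummies of the form CVE-0000-000x), and the field names are assumptions rather than any scanner's real export schema. It normalizes records from two siloed tools into one schema, discards analyst-confirmed false positives, collapses duplicate findings, then ranks what remains by tool severity multiplied by asset criticality so that the single view lists the highest business-impact items first.

```python
"""Single prioritized alert view built from several siloed scanner feeds.

Constructed example: feed records, asset inventory and field names are
assumptions for illustration, not a real vendor's export format.
"""
from dataclasses import dataclass

# --- constructed sample input: two siloed tools with two different schemas ---
WEB_SCANNER_FEED = [
    {"target": "shop.example.com", "name": "SQL injection in /search", "sev": "high",
     "cwe": "CWE-89", "validated": "true_positive"},
    {"target": "shop.example.com", "name": "SQL injection in /search", "sev": "high",
     "cwe": "CWE-89", "validated": "true_positive"},           # same finding, rescan
    {"target": "blog.example.com", "name": "Missing X-Frame-Options", "sev": "low",
     "cwe": "CWE-1021", "validated": "true_positive"},
]
HOST_SCANNER_FEED = [
    {"host": "db01", "cve": "CVE-0000-0001", "cvss": 9.8, "fp": False},   # placeholder CVE id
    {"host": "build07", "cve": "CVE-0000-0002", "cvss": 7.5, "fp": True},  # analyst-confirmed false positive
    {"host": "db01", "cve": "CVE-0000-0001", "cvss": 9.8, "fp": False},    # same finding, second scan
]

# Business context: assumed criticality weight per asset (1 = low, 3 = crown jewel).
ASSET_CRITICALITY = {"shop.example.com": 3, "db01": 3, "blog.example.com": 1, "build07": 2}

# Map the web scanner's word severities onto the same 0-10 scale the host scanner uses.
SEVERITY_SCORE = {"critical": 10.0, "high": 8.0, "medium": 5.0, "low": 2.0, "info": 0.5}


@dataclass(frozen=True)
class Alert:
    asset: str
    finding_id: str      # stable id used for de-duplication (CVE, or CWE + title)
    title: str
    base_score: float    # tool-reported severity on a 0-10 scale
    false_positive: bool # set only after human validation


def normalize_web(rec):
    """Translate one web-scanner record into the common Alert schema."""
    return Alert(rec["target"], f'{rec["cwe"]}:{rec["name"]}', rec["name"],
                 SEVERITY_SCORE[rec["sev"]], rec["validated"] == "false_positive")


def normalize_host(rec):
    """Translate one host-scanner record into the common Alert schema."""
    return Alert(rec["host"], rec["cve"], rec["cve"], float(rec["cvss"]), bool(rec["fp"]))


def aggregate(feeds):
    """Merge all feeds into one set of unique alerts, dropping validated false positives.

    `feeds` is a list of (normalizer, records) pairs; duplicates are collapsed on
    (asset, finding_id) so a rescan does not produce a second ticket.
    """
    unique = {}
    for to_alert, records in feeds:
        for rec in records:
            alert = to_alert(rec)
            if alert.false_positive:
                continue
            unique.setdefault((alert.asset, alert.finding_id), alert)
    return list(unique.values())


def contextual_score(alert):
    """Severity weighted by business criticality of the affected asset."""
    return round(alert.base_score * ASSET_CRITICALITY.get(alert.asset, 1), 1)


def prioritize(alerts):
    """Highest business-impact first; ties broken deterministically."""
    return sorted(alerts, key=lambda a: (-contextual_score(a), a.asset, a.finding_id))


def build_dashboard():
    """Return the consolidated, ranked view as (asset, title, score) rows."""
    feeds = [(normalize_web, WEB_SCANNER_FEED), (normalize_host, HOST_SCANNER_FEED)]
    return [(a.asset, a.title, contextual_score(a)) for a in prioritize(aggregate(feeds))]


if __name__ == "__main__":
    raw = len(WEB_SCANNER_FEED) + len(HOST_SCANNER_FEED)
    rows = build_dashboard()
    print(f"{raw} raw alerts -> {len(rows)} unique, validated alerts")
    for asset, title, score in rows:
        print(f"{score:5}  {asset:<18} {title}")
```

With the constructed input, six raw records reduce to three actionable rows: the database host's placeholder critical CVE ranks first (9.8 on a crown-jewel asset), the storefront SQL injection second, and the low-severity header finding on the blog last, while the confirmed false positive on the build server never reaches the queue. The same structure extends to more feeds by adding one normalizer per tool; the ranking key is where a team encodes whatever business context it actually has (data classification, exposure, compliance scope) rather than the fixed weights used here.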
In Summary – The Pivot from Fatigued Soldier to Dragon Slayer
As the scale of automated tools has risen, so has the number of erroneous alerts per week. Just by taking action on these five basic steps, your team can recover from alert fatigue. The difference in staff psychology will be game-changing.
Want to learn more about achieving virtually 100% false-positive-free alerts? See the Edgescan post “Does a Hybrid Model for Vulnerability Management Make Sense?”