What is Alert Fatigue?
Cybersecurity practitioners experience alert fatigue when an overwhelming number of security alerts come through security systems, such as a SIEM, causing desensitization. Desensitization leads to missed or ignored alerts that may be true threats.
Security alerts come frequently and in rapid succession. Many of these alerts are false alarms. When an alert is investigated and determined to not be a threat, a security practitioner will categorize it as a ‘false positive’. Between understaffed security teams and millions of alerts potentially triggering every day, the security risks are significant. If an alert-fatigued employee assumes an alert is false, without adequately investigating the alert, or misses it altogether, there can be delays in incident response, increasing threat dwell time, and ultimately increasing the cost of a breach.
The term “alert fatigue” is not unique to the cybersecurity industry. Other professions, including IT practitioners, medical doctors, and nurses, experience alert fatigue when hearing or seeing alerts triggered from connected technology, such as medical devices, as well.
What are the risks associated with alert fatigue?
Alert fatigue causes cybersecurity professionals to inadvertently miss alerts, or miscategorize them as false alarms that do not require investigation. Alert fatigue can also slow incident response times and create burnout.
How can cybersecurity professionals avoid alert fatigue?
- Work with a Managed Detection and Response service provider (MDR)—One of the most common reasons for alert fatigue relates to the lack of sufficient staff to manage security operations center (SOC) activities. Companies can consider augmenting staff with support from a trusted managed detection and response provider.
- Ensure security technologies are integrated properly—Improperly integrated tools may not work correctly, generating false or incorrect alerts.
- Prioritize alerts—Prioritize systems and risk areas to determine which alerts should take precedence.
- Automate—Where possible, automate processes and alerts to reduce the time necessary to manage the alerts.
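The prioritization and automation items above can be illustrated with a small triage pipeline. The following is an added example, not code from the original page or from any vendor it mentions: it suppresses alerts from an assumed allow-list of known-benign rule/host pairs, collapses repeats of the same rule on the same host inside a time window, and ranks what remains by severity weighted by an assumed asset-criticality tier. The alert records, asset tiers, weights and the `SUPPRESS` allow-list are all constructed for illustration.

```python
"""
Added example (not from the original page): a minimal alert-triage pipeline that
applies two of the mitigations above, prioritising alerts by asset criticality
and severity, and automating deduplication and suppression so an analyst sees
fewer, better-ranked items. All inputs below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample alerts resembling what a SIEM would emit (not real data).
# "ts" is seconds since an arbitrary epoch.
SAMPLE_ALERTS = [
    {"id": 1, "ts": 100, "rule": "brute_force_login", "host": "dc01", "severity": "high"},
    {"id": 2, "ts": 101, "rule": "brute_force_login", "host": "dc01", "severity": "high"},
    {"id": 3, "ts": 102, "rule": "brute_force_login", "host": "dc01", "severity": "high"},
    {"id": 4, "ts": 130, "rule": "port_scan", "host": "lab-vm7", "severity": "low"},
    {"id": 5, "ts": 131, "rule": "av_signature_match", "host": "fin-db01", "severity": "medium"},
    {"id": 6, "ts": 500, "rule": "port_scan", "host": "scanner01", "severity": "low"},
    {"id": 7, "ts": 700, "rule": "brute_force_login", "host": "dc01", "severity": "high"},
]

# Assumed asset inventory: criticality tier per host (constructed). Unknown hosts
# default to tier 1 so an incomplete inventory never silences an alert.
ASSET_TIER = {"dc01": 3, "fin-db01": 3, "lab-vm7": 1, "scanner01": 1}
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed allow-list of known-benign (rule, host) pairs, for example the
# organisation's own authorised vulnerability scanner tripping port-scan rules.
SUPPRESS = {("port_scan", "scanner01")}

DEDUP_WINDOW = 60  # seconds: repeats of the same rule on the same host collapse


@dataclass
class TriagedAlert:
    """One row the analyst sees; may represent several raw SIEM alerts."""
    rule: str
    host: str
    severity: str
    first_ts: int
    count: int = 1
    ids: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # Severity alone is not enough: the same rule firing on a domain
        # controller outranks it firing on a throwaway lab VM.
        return SEVERITY_WEIGHT[self.severity] * ASSET_TIER.get(self.host, 1)


def triage(alerts, suppress=SUPPRESS, window=DEDUP_WINDOW):
    """Return (ranked TriagedAlert list, number of suppressed raw alerts).

    Raw alerts are processed in time order. Allow-listed (rule, host) pairs are
    dropped and counted; repeats of a pair within `window` seconds of the group's
    first alert are folded into that group; the groups are then sorted by score,
    then by repetition count, then by recency, highest first.
    """
    open_groups = {}   # (rule, host) -> TriagedAlert currently accumulating
    result = []
    suppressed = 0
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["rule"], a["host"])
        if key in suppress:
            suppressed += 1
            continue
        g = open_groups.get(key)
        if g is not None and a["ts"] - g.first_ts <= window:
            g.count += 1
            g.ids.append(a["id"])
            continue
        # Outside the window (or first sighting): start a new group so a later
        # recurrence is surfaced again rather than buried in an old one.
        g = TriagedAlert(a["rule"], a["host"], a["severity"], a["ts"], ids=[a["id"]])
        open_groups[key] = g
        result.append(g)
    result.sort(key=lambda g: (g.score, g.count, g.first_ts), reverse=True)
    return result, suppressed


if __name__ == "__main__":
    ranked, dropped = triage(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(ranked)} queue items, {dropped} suppressed")
    for g in ranked:
        print(f"score={g.score:2d} x{g.count} {g.rule} on {g.host} (ids {g.ids})")
```

Running the block on the constructed input turns seven raw alerts into a four-item queue: the three-alert brute-force burst against `dc01` ranks first, the single later recurrence on the same host second, the medium-severity hit on the finance database third, and the low-severity scan of a lab VM last. The allow-list and the unknown-host default are the two places to be careful in practice: a suppression entry should name both rule and host, never the rule alone, and a missing inventory entry should lower a score rather than drop the alert.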