Alert Fatigue Sabotages Security Operations, Threat Intelligence Provides the Antidote (Part 1)

Posted: 23rd May 2019

This is the first blog in a three-part series examining the impact of threat intelligence on security operations teams. In this blog, we’ll discuss how the overwhelming number of threat alerts that security operations teams receive can cause alert fatigue to set in and how threat intelligence provides the antidote to mitigate the situation. The next two blogs will look at how context improves threat triage and how threat intelligence maximizes time spent on diagnosis and mitigation.

Alert Fatigue Sabotages Security Operations

Cyberattacks are sharply on the rise. Businesses have seen a 350% increase in ransomware attacks, a 250% increase in spoofing and email compromises, and a 70% increase in spearphishing.

And with threat actors increasing the sophistication of attacks, security teams keep adding new types of threat detection methods, processes, and technologies to their environment. The additional defense mechanisms make it possible to build a stronger security posture, but with every tool sounding an alarm every time it identifies anomalous or suspicious behavior, security teams find themselves dealing with an overwhelming amount of alert, event, and incident data.

It’s a lot like turning on a fire hose for someone dying of thirst — security analysts are simply unable to review, prioritize, and investigate all the alerts. In many cases, valuable time is wasted chasing false positives.

This can lead to alert fatigue, where security teams may begin to think that some of the threat detection tools they are using are just like the boy who cried wolf. Legitimate alerts are either missed or ignored, and investigation mistakes are made. Valuable digital assets may then end up being compromised, and sensitive data may be stolen.

The Extent of Alert Fatigue

Research conducted by analysts and technology providers confirms the magnitude of the security alert fatigue problem:

  • ESG found that the biggest challenge for 35% of security teams is keeping up with the sheer volume of alerts.
  • Exabeam revealed that 45% of security professionals think their security operations centers (SOCs) are understaffed.
  • Exabeam also found that 63% of SOCs could use anywhere from two to 10 additional employees.
  • Cisco discovered that organizations are able to investigate only 56% of security alerts.
  • Cisco also determined that among those alerts, only 34% are deemed legitimate.

As these statistics demonstrate, security teams are simply too understaffed to effectively process all the alert information they receive.

The Antidote for Alert Fatigue

The antidote for alert fatigue is to integrate internal security alert systems with a threat intelligence platform that taps into strategically-chosen external intelligence sources. By bringing together data generated by SIEM and EDR solutions with data from the dark web and other difficult-to-access threat intelligence sources, security teams can gain context into the potential threat level that each alert represents.

This, in turn, generates several key capabilities:

  • Filter Out False Positives: Know which alarms can truly be ignored.
  • Speed Up Triage: Prioritize investigations based on the likelihood of a weaponized attack and the impact mapped to the value of the threatened IT assets.
  • Simplify Incident Analysis: Determine quickly what has already been impacted, protect other vulnerable assets, and contain the damage.

These capabilities go a long way in reducing alert fatigue and improving the ability of the security team to raise and maintain the security posture of the organization. This way, security teams can more easily and accurately identify which alerts are inconsequential, which alerts need to be prioritized, and the overall severity of threats.

The Benefits of Threat Intelligence

Watch the video below to learn more about how Recorded Future enables analysts to more quickly resolve or escalate incidents:

Advanced threat intelligence delivers context that security teams can take action on. As an example, an alert on an indicator of compromise — like a suspicious IP address — can be enriched with history and background on that IP address. This includes whether the address has been associated with malware and how recently it has been used to do its dirty deeds. Generating this context quickly helps reduce false positives and makes it easier to prioritize mitigation and remediation activities.

Most of all, the threat intelligence platform helps eliminate alert fatigue, a situation every security organization faces on some level. Any security team will thus be more mentally rested and ready to respond when critical threats to digital assets occur.

For information on how to use threat intelligence to help your security team reduce alert fatigue and become more efficient at mitigating threats, request a personalized demo today.