How Threat Intelligence Helps Security Operations Reduce Alert Fatigue
March 7, 2019 • Zane Pokorny
Whoever first coined the phrase “the more, the merrier” clearly did not have an overabundance of responsibilities in their daily life. In an age where a thousand pop-up alerts, tiny red dots, and all manner of chimes, bells, buzzes, and rings on our smartphones and computer screens compete for our personal and professional attention, the danger of alert fatigue looms constantly. Without knowing which to focus on and which to ignore, more alerts usually just means more misery.
Alert fatigue was first identified in the medical field, where doctors and nurses have to contend with constant notifications on their pagers (and yes, most hospitals still use pagers — their tech is a lot more reliable than cell networks) and the numerous alarms and alerts coming from various hospital machines. Many of those alerts can be ignored, but for the ones that can’t, it can be a matter of life or death for a patient.
The same is becoming true for IT security professionals, in both the volume and the potential criticality of the alerts they see daily. The world is becoming increasingly digitized, and systems that contain sensitive data like health records or sensitive financial information, as well as systems that control essential infrastructure, like power and water grids, are connected to the internet and vulnerable to cyberattacks. In short, security professionals are overwhelmed.
In this blog, we’ll take a look at a few steps everyone can take to reduce alert fatigue in cybersecurity, including how threat intelligence that easily integrates into your already existing security framework has been proven to help.
Alert Fatigue in Cybersecurity by the Numbers
Recent studies, like this one from Cisco, show that the average cybersecurity professional ignores around 44 percent of the alerts they get every day. And of the 56 percent of alerts that they do look at, 28 percent are deemed legitimate threats, but only 46 percent of those are remediated. That means more than half of legitimate threats are left unresolved.
Beyond the immediate risk posed by those threats, there are severe business consequences to leaving those alerts unresolved. “Organizations that suffer even minor network outages caused by threats (much less broader security breaches) must wrestle with long-term implications to the bottom line,” that study notes. “For example, 22 percent of benchmark survey respondents told us they’d lost customers due to attacks; and 29 percent experienced a loss of revenue.”
Security professionals already work as hard as anyone, and with a well-documented staffing shortage in the industry, the answer is not to just hire more people (that isn’t a scalable solution anyway). So what can be done? We have to work smarter, not harder.
A Framework for Reducing Alert Fatigue
If only we could just shut our eyes and ignore all the alerts we see. But much like belief in Santa Claus, the “if I can’t see you, you can’t see me” approach to security is not really a conceptual framework that’s well supported by evidence.
However, there are a few real, proven steps to take that can help reduce alert fatigue. Reducing the raw number of alerts seen daily will definitely go a long way, but you can only cut so many out. We’ll start with a more abstract, high-level look at what to do — this list is modeled on a similar one suggested by the U.S. Department of Health and Services for reducing alert fatigue in healthcare:
- Increase alert specificity by reducing or eliminating inconsequential alerts.
- Tier alerts according to severity. Warnings could be presented in different ways, in order to notify team members of alerts that are more consequential.
- Make only high-level (severe) alerts interruptive.
- Apply human factors principles when designing alerts (for example, format, content, legibility, and color of alerts).
This list is a good starting point, but it still leaves us with a couple of questions. How do we decide which alerts are inconsequential and which need to be prioritized? And how do we judge severity quickly and accurately? There’s still a need for quick context.
This is where threat intelligence that updates in real time and easily integrates with the security systems you already have in place will provide a critical advantage.
Use Threat Intelligence to Get Context Fast and Prioritize Alerts
Threat intelligence is knowledge that provides context you can act on. For example, an alert on an indicator of compromise (IOC) like a suspicious IP address can be enriched with threat intelligence that gives some history and background on that IP address, such as whether it has been associated with malware and how recently. Getting this context quickly helps security operations teams prioritize alerts much more easily and reduce false positives.
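The following is an added example that is not part of the original post and not Recorded Future's product code. It ties the enrichment step just described to the tiering framework listed earlier (tier by severity, make only severe alerts interruptive): a small triage routine looks each alert's IP indicator up in a threat-intelligence table, weights the history by how recently it was seen, assigns a tier, and pages an analyst only for the critical tier. The feed contents, IP addresses, category weights and thresholds are all constructed for the example; a real deployment would query a TI provider and tune the weights.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# All indicators, dates, weights and thresholds below are constructed for this example.
TODAY = date(2019, 3, 7)

# Constructed threat-intelligence lookup: indicator -> what it was associated
# with and when it was last seen. A real deployment would query a TI provider.
TI_FEED = {
    "203.0.113.10": {"categories": ["malware_c2"], "last_seen": TODAY - timedelta(days=2)},
    "198.51.100.7": {"categories": ["scanner"], "last_seen": TODAY - timedelta(days=200)},
    "192.0.2.55":   {"categories": [], "last_seen": None},   # known, no adverse history
}

# How much each kind of history contributes to an indicator's risk score (constructed).
CATEGORY_WEIGHT = {"malware_c2": 70, "phishing": 60, "scanner": 20}


@dataclass
class Alert:
    alert_id: str
    source: str        # tool that raised the alert, e.g. "ids", "proxy", "edr"
    indicator: str     # the IOC to enrich; an IP address in this example
    raw_severity: int  # 1..5 as reported by the originating tool


def recency_factor(last_seen):
    """Scale history by age: recent sightings count fully, stale ones much less."""
    if last_seen is None:
        return 0.0
    age = (TODAY - last_seen).days
    if age <= 30:
        return 1.0
    if age <= 180:
        return 0.5
    return 0.25


def enrich(indicator):
    """Return (risk_score, reasons) for an indicator using TI_FEED.

    An indicator absent from the feed scores 0 with an explicit reason, so an
    analyst can tell "never seen" apart from "seen and benign".
    """
    record = TI_FEED.get(indicator)
    if record is None:
        return 0, ["no intelligence available"]
    factor = recency_factor(record["last_seen"])
    score, reasons = 0, []
    for cat in record["categories"]:
        contribution = int(CATEGORY_WEIGHT.get(cat, 10) * factor)
        score += contribution
        reasons.append(f"{cat} (last seen {record['last_seen']}, +{contribution})")
    if not reasons:
        reasons.append("known, no adverse history")
    return min(score, 100), reasons


def tier(score):
    """Map a risk score to a severity tier; only 'critical' is interruptive."""
    if score >= 70:
        return "critical"
    if score >= 40:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


def triage(alerts):
    """Enrich every alert, tier it, and return the queue ordered most urgent first."""
    queue = []
    for a in alerts:
        score, reasons = enrich(a.indicator)
        # The originating tool's severity nudges the score, but TI context dominates.
        score = min(score + 2 * a.raw_severity, 100)
        t = tier(score)
        queue.append({
            "alert_id": a.alert_id,
            "indicator": a.indicator,
            "score": score,
            "tier": t,
            "interruptive": t == "critical",  # only severe alerts page someone
            "reasons": reasons,
        })
    return sorted(queue, key=lambda item: item["score"], reverse=True)


# Constructed sample alerts, as a SOC might receive them in one morning.
SAMPLE_ALERTS = [
    Alert("A-1", "ids", "198.51.100.7", raw_severity=4),
    Alert("A-2", "proxy", "203.0.113.10", raw_severity=2),
    Alert("A-3", "ids", "192.0.2.55", raw_severity=5),
    Alert("A-4", "edr", "203.0.113.99", raw_severity=3),
]

if __name__ == "__main__":
    for item in triage(SAMPLE_ALERTS):
        flag = "PAGE" if item["interruptive"] else "    "
        print(flag, item["alert_id"], item["tier"], item["score"], "; ".join(item["reasons"]))
```

Run as written, the queue puts A-2 first as the only interruptive alert (a recently seen command-and-control address), while A-1, whose tool-reported severity is higher, drops to the low tier because its only history is scanning activity seen 200 days ago. That inversion is the point of enrichment: the tool's own severity rating is kept as a small nudge, but the decision about what interrupts an analyst is driven by context, and every alert carries its reasons so the prioritisation can be audited.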
One solution is Recorded Future Express. It’s a new offering that includes our Browser Extension, which easily layers on top of all the web-based security applications you already use. The browser extension provides quick access to threat intelligence on any content you’re already looking at. As in the example above, you can quickly triage any alert by looking up context around it.
Reducing alert fatigue is just one way threat intelligence helps security teams. To see other use cases, download a copy of our e-book, “5 Ways to Supercharge Your Security With Threat Intelligence.”