Security on Auto-Pilot? How Threat Intelligence Tools Combat Alert Fatigue
In November 2013, analysts in a Bangalore security operations centre for Target received a number of malware alarms. The alerts later reached Target security staff in Minneapolis and were promptly dismissed as false positives.
By 2017, the company had paid $292 million in settlements and costs for a breach exposing millions of customers’ financial records—a breach that could have been avoided had those malware alerts been escalated.
This is just one example of the tragic consequences of alert fatigue—a major issue that continues to plague corporate security professionals.
Security teams are bombarded with thousands of alerts every day, many of them false positives. As analysts face resource constraints and alert desensitization, legitimate security risks inevitably slip through the cracks.
Without addressing alert fatigue, organizations are more likely to overlook costly security threats as the risk landscape grows. A persistent cybersecurity skills shortage could also worsen as the issue causes more staff turnover.
Companies must invest in threat intelligence tools that leverage automation to alleviate overburdened teams and respond to digital risk more effectively.
What is the impact of alert fatigue, and how can automation address this issue?
The Current State of Threat Detection
A recent Forrester report sheds some light on just how dire the alert fatigue situation is. Security teams, on average, receive over 11,000 alerts each day, almost a third of them false positives. Only 72% are addressed at all due to time constraints. Many security operations teams are also unable to meet standard benchmark KPIs for threat detection.
This might seem less surprising when you consider how threat intelligence tools currently support security teams. According to the same report, only 13% of surveyed organizations use machine learning and automation processes, and 20% of alerts are manually analyzed and triaged. What’s more, security teams juggle 10 different threat intelligence tool categories on average to do their jobs.
These stats are even more distressing when you factor in the cybersecurity skills shortage, which industry research suggests is only getting worse.
What Alert Fatigue Means for Your Organization
These conditions have a number of implications for your workforce and security profile.
Alert fatigue means that critical risks are more likely to be overlooked. Alert overload leaves your organization lagging behind with a reactive rather than proactive approach. This can have a huge impact on an organization’s risk profile, incident response strategy, and total damages in the event of a breach.
Alert fatigue also takes a major toll on cybersecurity personnel—and not just because they’re overworked. The nature of their job is highly stressful, especially when large volumes of private information and potentially millions in corporate damages are on the line.
As the threat landscape evolves, alert fatigue is likely to have a larger impact on org-wide digital risk protection in the coming months and years.
For one, digital attacks are only expected to increase, especially as threat actors capitalize on real-world events like COVID-19 to target public and private sector organizations. (The FBI has reported a 300% increase in daily cybersecurity complaints since the pandemic started.)
Digital risks also involve a wider variety of corporate roles. Beyond cybersecurity teams, marketing, PR, legal and compliance, fraud prevention, business development, and even physical security teams are all adopting threat intelligence tools as risks diversify online. Alert fatigue needs to be addressed before it spreads to other departments.
How to Treat Alert Fatigue
At the end of the day, threat intelligence tools need to reduce the number of alerts security teams see.
The goal is to reduce alert numbers but improve their quality, reducing false positives and apathy towards alerts that may be real threats. Alerts should be more meaningful and substantiated with context, connecting the dots across multiple sources to create a comprehensive threat profile. This can be achieved with threat intelligence platforms that prioritize automation and machine learning.
For example, these capabilities can:
- Automatically detect and prioritize specific content categories, like data disclosure, within threat data from online data feeds. This allows analysts to spend less time manually analyzing content, especially from open sources like the dark web.
- Cross-reference data sources to extract cyber threat intelligence and validate alerts before they reach human analysis. This is also called extended detection and response (XDR).
- Automate deduplication processes.
With intelligent technologies, the goal is not to eliminate the need for human analysts, but to free up their resources where machines can take over.
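As an added illustration of the three capabilities listed above (example code written for this article, not Echosec code and not a description of any product): a small triage pass that deduplicates alerts by a normalized key, scores each group by category priority and cross-source corroboration, and escalates only groups that are corroborated by more than one feed or belong to a top-priority category. The feed names, categories and alerts are constructed sample data.

```python
# Constructed sample alerts (not real data): each dict is one raw alert from a feed.
RAW_ALERTS = [
    {"source": "feed_a", "category": "data disclosure",
     "indicator": "ACME-Corp leaked credential dump", "ts": 1},
    {"source": "feed_b", "category": "data disclosure",
     "indicator": "acme-corp leaked  credential dump", "ts": 2},  # same finding, other feed
    {"source": "feed_a", "category": "data disclosure",
     "indicator": "ACME-Corp leaked credential dump", "ts": 3},  # exact repeat from feed_a
    {"source": "feed_c", "category": "brand mention",
     "indicator": "acme corp new office opening", "ts": 4},
    {"source": "feed_b", "category": "phishing",
     "indicator": "acme-corp login page clone", "ts": 5},
]

# Category weights are an assumption for this example; a real platform would tune them.
PRIORITY = {"data disclosure": 3, "phishing": 2, "brand mention": 1}


def normalize(text):
    """Collapse case, hyphens and repeated whitespace so near-duplicate text matches."""
    return " ".join(text.lower().replace("-", " ").split())


def deduplicate(alerts):
    """Group raw alerts by (category, normalized indicator); track sources and repeat count."""
    groups = {}
    for a in alerts:
        key = (a["category"], normalize(a["indicator"]))
        g = groups.setdefault(key, {"category": a["category"], "indicator": key[1],
                                    "sources": set(), "first_seen": a["ts"], "count": 0})
        g["sources"].add(a["source"])
        g["count"] += 1
    return list(groups.values())


def score(group):
    """Priority weight multiplied by the number of independent feeds that reported it."""
    return PRIORITY.get(group["category"], 0) * len(group["sources"])


def triage(alerts, min_sources=2, escalate_priority=3):
    """Return deduplicated groups sorted by score; flag which ones reach an analyst."""
    groups = deduplicate(alerts)
    for g in groups:
        g["score"] = score(g)
        g["escalate"] = (len(g["sources"]) >= min_sources
                         or PRIORITY.get(g["category"], 0) >= escalate_priority)
    return sorted(groups, key=lambda g: (-g["score"], g["first_seen"]))
```

On the five constructed alerts this yields three groups, with the data disclosure finding (seen by two feeds, three times) ranked first and the only one escalated.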
Beyond automation, vulnerability management teams must also reevaluate their entire toolkit. Multiple tools are necessary for a holistic solution, but where possible, functionality and intelligence feeds should be integrated to avoid silos and keep processes streamlined.
Security alerts should also reach the right people when they sound, and be centralized in an open communication channel rather than hitting multiple private inboxes.
The Echosec Systems risk portal—an example of a threat intelligence tool with a collaborative interface, allowing multiple users to track security risks in one central hub. The risk portal enables organizations to monitor digital asset threats in real time with machine learning and automation.
Alert fatigue is not just a technical problem—it’s also a human problem.
Organizations must learn to recognize signs of alert fatigue and make process and software decisions to support their workforce as early as possible. As digital risk expands, machine learning and automation are crucial for analyst productivity and well-being—and ultimately for strengthening your organization’s risk profile against costly attacks.
At the time of Target’s 2013 data breach, the company was investing millions in its data security program and was even PCI-compliant. Lesson learned: your security infrastructure, no matter how robust, can easily break down when analysts are alert-fatigued.
Is your cybersecurity team drowning in alerts?
Contact us to integrate more automation into your strategy.