Introduction to Alert Fatigue
Alert fatigue and its related effects on Security Operations Center (SOC) efficiency are self-evident problems. SOC analysts are inundated with a huge and continuous volume of alerts generated by security tools, and each alert on its own is often meaningless absent correlation with other alerts.
But finding those relationships is time-consuming, and even when found they might be irrelevant to business security. Much of the alert volume is simply noise, and attempting correlation to separate the true positives (signal) from the huge number of false positives (noise) is difficult, tedious, and often pointless.
Cause of Alert Fatigue
The reasons for alert fatigue are numerous, but two stand out: the absence of automated prioritization and the absence of alert context. Security tools are good at detecting alert signals but poor at prioritizing them.
Obbe Knoop, founder and CEO at Lanxit, comments,
"A tool might say, 'I found a threat. The score is 32 out of 100'. What does that mean? What does a score of 100 out of 100 actually mean? Why give it a score of 32? Without context it is meaningless."
Jeff Reed, CTO at SentinelOne, summarizes:
"Alert fatigue isn't necessarily the volume of alerts, but rather the relevance of the alerts."
Effects of Alert Fatigue
Criminal use of AI is increasing the pace, sophistication, and stealth of attacks. Attackers are increasingly using AI to scale their operations: analyzing stolen data faster, generating more convincing phishing campaigns, and automating parts of the intrusion process.
The result is continuous growth in the volume of alerts. At the same time, defensive use of AI increases the attack surface that bad actors can target.
Ariel Parnes, former colonel in the IDF 8200 Cyber Unit and current co-founder and COO at Mitiga, believes the solution to alert fatigue is to increase rather than decrease the number of alerts, while surfacing and correlating associated alerts more clearly for the analysts.
Solutions to Alert Fatigue
There are two obvious approaches to preventing alert fatigue: reduce the number of alerts by formal filtering to improve the signal-to-noise ratio, or improve the speed and efficiency of triage through AI-assisted automation.
Ismael Valenzuela, VP of threat intelligence at Arctic Wolf, agrees with the principle of using automation to give SOC analysts more time for threat investigation rather than continuous and repetitive alert triage.
Michael Brown, Field CISO at Presidio, adds,
"Analysts should not be working on any raw alerts, only correlated incidents. This enables much faster investigations and remediations while reducing staff burnout and attrition."
Context in Alert Fatigue
Everybody accepts that alert context is necessary for accurate correlation and prioritization, but there is little agreement on what constitutes the necessary context and what provides it.
Valenzuela links it to divergence from normal:
"Effective noise reduction requires… understanding which assets are truly at risk and establishing what normal and abnormal look like in their specific environment."
Rob Demain, CEO of e2e-assure, suggests that context can be understood by the analyst after AI has removed the humdrum layer of analysis.
Toby Lewis, global head of threat analysis at Darktrace, concurs, accepting that extracting context from the noise is humanly difficult.
Brown provides a more complete description:
"Mature SOCs auto-enrich their raw alert data so that analysts start their investigations with the context already assembled."
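A minimal version of that enrich-then-correlate pipeline, added here as an illustration and not taken from the article or from any of the vendors quoted. The asset inventory, the alert records and the priority weighting are constructed for the example; they show how the same raw "score 32" alert lands at very different priorities once asset criticality, agreement between tools and divergence from normal hours are attached to it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory: criticality (1-3) and the hours that are "normal" per host.
ASSETS = {
    "db-prod-01": {"criticality": 3, "normal_hours": (7, 19)},
    "dev-box-17": {"criticality": 1, "normal_hours": (0, 24)},
}

# Constructed raw alerts as a SIEM might forward them (tool, host, name, raw score, timestamp).
RAW_ALERTS = [
    {"tool": "edr", "host": "db-prod-01", "name": "suspicious powershell", "score": 32, "ts": "2024-05-01T02:10:00"},
    {"tool": "proxy", "host": "db-prod-01", "name": "rare domain", "score": 20, "ts": "2024-05-01T02:14:00"},
    {"tool": "idp", "host": "db-prod-01", "name": "new admin logon", "score": 40, "ts": "2024-05-01T02:20:00"},
    {"tool": "edr", "host": "dev-box-17", "name": "suspicious powershell", "score": 32, "ts": "2024-05-01T14:00:00"},
    {"tool": "edr", "host": "db-prod-01", "name": "suspicious powershell", "score": 32, "ts": "2024-05-02T12:00:00"},
]

def enrich(alert):
    """Attach asset context so the raw score has meaning; unknown hosts get a low-criticality default."""
    asset = ASSETS.get(alert["host"], {"criticality": 1, "normal_hours": (0, 24)})
    ts = datetime.fromisoformat(alert["ts"])
    start, end = asset["normal_hours"]
    off_hours = not (start <= ts.hour < end)
    return {**alert, "ts": ts, "criticality": asset["criticality"], "off_hours": off_hours}

def correlate(alerts, window=timedelta(minutes=30)):
    """Group enriched alerts on the same host that fall within `window` of each other into incidents."""
    by_host = defaultdict(list)
    for a in sorted(map(enrich, alerts), key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    incidents = []
    for items in by_host.values():
        current = [items[0]]
        for a in items[1:]:
            if a["ts"] - current[-1]["ts"] <= window:
                current.append(a)
            else:
                incidents.append(current)
                current = [a]
        incidents.append(current)
    return incidents

def prioritize(incident):
    """Hypothetical weighting: independent tools agreeing x asset criticality x 2 if outside normal hours."""
    tools = {a["tool"] for a in incident}
    crit = incident[0]["criticality"]
    off_hours = any(a["off_hours"] for a in incident)
    priority = len(tools) * crit * (2 if off_hours else 1)
    context = f"{len(incident)} alerts from {sorted(tools)} on {incident[0]['host']} (criticality {crit}, off_hours={off_hours})"
    return priority, context

def triage(alerts):
    """Return (priority, context) per incident, highest priority first, so analysts never see raw alerts."""
    return sorted((prioritize(i) for i in correlate(alerts)), reverse=True)
```

Running `triage(RAW_ALERTS)` yields three incidents: the three-tool, off-hours cluster on the production database first (priority 18), the lone daytime alert on the same host next (3), and the identical alert on the development box last (1).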
Source: SecurityWeek