One of the biggest challenges facing any SOC or security organization today is alert fatigue. Your team has only so many people, and they can triage only so many alerts before a true attack slips past them. It’s like the boy who cried wolf, only you have to imagine him yelling down to the villagers 10,000 times a day instead of once or twice. That is a realistic scenario: in a survey of IT security professionals, 37 percent of respondents reported facing more than 10,000 alerts a day. With more than half of those alerts turning out to be false positives, it won’t take long for the villagers, and your team, to face serious alert burnout that affects your organization in more ways than one.
Ignoring Alerts Doesn’t Make Them Go Away
With so many alerts flooding in every day, it’s no surprise that some, or most, get ignored. A recent study from ESG Research found that 54 percent of organizations admit to ignoring security alerts that may have warranted investigation because they don’t have the time or resources to tackle them all. Ignoring alerts doesn’t make them go away; it hands the issue to the next person, and once the buck has been passed enough times it can take months (as at Equifax) or years (as at Yahoo) before a breach comes to light. No responsible security professional wants to operate this way, but it becomes ingrained in the culture of a team because there appears to be no alternative.
Low-Quality Alerts Lead to Alert Fatigue
Low-quality alerts aren’t just a cause of alert fatigue; they are also an ongoing result of it. Without resources dedicated to continually tuning detections for new types of threats, or to pulling in better quality data, the team stays bogged down in low-quality, low-signal alerts that keep adding to the pile of potential attacks to sift through. A saying we repeat often here at Capsule8, especially when it comes to data quality and meaningful telemetry, is “The answer to more efficiently finding the needle in the haystack isn’t collecting more hay.” It becomes a cycle: you fight today’s attacks with yesterday’s information because nobody is free to bring in better telemetry and detection, and nobody is free because everyone is busy fighting today’s attacks with yesterday’s information.
Moving toward an SOC-less Enterprise
Even though most alarms are false positives, there are real attacks you need to worry about, and eventually a real wolf is going to eat the sheep (or the boy, depending on which version of Aesop’s fable you read). Missing these real attacks is why a new breach hits the headlines almost every day, and why there is such a constant need to solve the alert fatigue problem.
There are, of course, plenty of technologies that can help with this issue as well, but it can’t be a matter of throwing money or resources at the problem, especially with such a limited quantity of both already. One movement that is starting to take hold is the drive toward a SOC-less enterprise. Already adopted by huge companies such as Netflix, it’s a strategy that requires a fundamental shift in how an organization tackles security.
While a full conversion to this approach will take a long time, there are a few changes we’ve discussed before that can help combat alert fatigue now, such as focusing on telemetry that provides meaningful signal rather than noise. That gives your team better quality alerts to prioritize, instead of piles of low-quality, low-confidence ones to sift through. Automated response helps as well: the system handles the routine cases itself and raises an alert for manual investigation or intervention only when one is actually needed, so your team can focus on what could be most impactful.
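To make the two ideas above concrete, here is a small alert triage pipeline. It is an added example written for this post, not Capsule8 product code or anything from the original article; the rule names, confidence values, thresholds, the "known benign" list and the sample alerts are all constructed. It goes a little beyond the paragraph: besides routing by confidence and automating the response to high-confidence detections, it collapses repeated alerts into one group with a count, and it keeps the suppressed low-signal alerts on the same host as context for the one that gets paged, so noise is rolled up rather than thrown away.

```python
"""Alert triage example: collapse repeats, drop known-benign noise, auto-respond
to high-confidence detections and page humans only for those.  Added example,
not Capsule8 code; rule names, thresholds and the sample alerts are constructed."""
from dataclasses import dataclass, field


@dataclass
class Alert:
    rule: str             # detection rule that fired
    host: str
    confidence: float     # 0.0-1.0, assigned by the detection source
    evidence: dict = field(default_factory=dict)


@dataclass
class Group:
    rule: str
    host: str
    confidence: float     # highest confidence seen in the group
    count: int            # how many raw alerts were collapsed into this group
    evidence: dict
    context: list = field(default_factory=list)  # other groups on the same host


# Policy thresholds (assumed values for the example).
PAGE_AT = 0.9          # contain automatically and page a human
SUPPRESS_BELOW = 0.3   # roll into a daily summary; nobody is interrupted
# (rule, user) pairs already investigated and documented as benign (assumed).
KNOWN_BENIGN = {("new_cron_entry", "jenkins")}


def group_alerts(alerts):
    """Collapse every (rule, host) repeat into one Group with a count."""
    groups = {}
    for a in alerts:
        key = (a.rule, a.host)
        g = groups.get(key)
        if g is None:
            g = groups[key] = Group(a.rule, a.host, a.confidence, 0, dict(a.evidence))
        g.count += 1
        g.confidence = max(g.confidence, a.confidence)
    return list(groups.values())


def contain(group):
    """Automated response stub.  In production this would call the EDR or
    orchestration API (isolate host, kill process); here it records the action."""
    return ("isolate_host", group.host)


def triage(alerts):
    """Return {"page": [...], "queue": [...], "suppress": [...], "actions": [...]}.

    Suppressed groups are not discarded: any on the same host as a paged
    detection are attached as context, because a low-signal alert next to a
    high-signal one is exactly the hay the analyst does want to see."""
    groups = group_alerts(alerts)
    out = {"page": [], "queue": [], "suppress": [], "actions": []}
    for g in groups:
        if (g.rule, g.evidence.get("user")) in KNOWN_BENIGN:
            out["suppress"].append(g)
        elif g.confidence >= PAGE_AT:
            out["actions"].append(contain(g))   # respond first, then wake a human
            out["page"].append(g)
        elif g.confidence < SUPPRESS_BELOW:
            out["suppress"].append(g)
        else:
            out["queue"].append(g)               # reviewed during business hours
    for paged in out["page"]:
        paged.context = [g for g in groups if g.host == paged.host and g is not paged]
    return out


def reduction(alerts, out):
    """(raw alerts in, human interrupts out)."""
    return len(alerts), len(out["page"]) + len(out["queue"])


# Constructed sample: 705 raw alerts from one day on a handful of hosts.
SAMPLE_ALERTS = (
    [Alert("port_scan_inbound", "web-01", 0.2, {"src": "10.0.0.5"})] * 500
    + [Alert("port_scan_inbound", "web-02", 0.2, {"src": "10.0.0.5"})] * 200
    + [Alert("new_cron_entry", "build-02", 0.5, {"user": "jenkins"})]
    + [Alert("suspicious_outbound_conn", "db-01", 0.6, {"dst": "203.0.113.9"})] * 3
    + [Alert("kernel_exploit_attempt", "web-01", 0.95, {"pid": 4242})]
)

if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    print("raw alerts -> human interrupts:", reduction(SAMPLE_ALERTS, result))
    for g in result["page"]:
        print("PAGE", g.rule, g.host, "context:", [(c.rule, c.count) for c in g.context])
    print("actions taken:", result["actions"])
```

On the sample data the 705 raw alerts become two human interrupts: one page for the kernel exploit attempt on web-01, which is isolated before anyone is woken up and arrives with the 500 collapsed port-scan alerts on that host attached as context, and one queued item for the repeated outbound connection from db-01. The thresholds and the benign list are the parts that need ongoing care; the point of the example is that tuning three numbers and a small allowlist is a far smaller job than reading 705 alerts.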
Alert fatigue has a long-lasting impact on your team and your organization. The SOC model is broken, and without a significant shift in how organizations think about and approach security, it will always be a losing battle.
For more information on the current state of the SOC and how to fix it, read our article about moving toward an SOC-less enterprise.
Capsule8 is developing the industry’s first real-time, zero-day exploit detection platform purpose-built for Linux production environments – whether containerized, virtualized or bare metal.