How to Manage Security Alert Fatigue, Threat Response Best Practices

May 10, 2016
Duane Kuroda

According to a recent BakerHostetler Data Security Incident Response Report, it takes security teams an average of seven days to contain threats once they are discovered. That’s seven days during which critical data is leaving an organization and threats are spreading. Most of that time is due to an inundation of security alerts.

Organizations are purchasing more security tools to reduce the time between compromise and detection; however, those same tools have doubled or tripled the number of security alerts flooding into security teams. As a result, pressure has increased to process more alerts with the same or fewer resources. This translates into longer response times or skipped steps in the process.

The volume of alerts, and the inefficiency of processing them, leads to alert fatigue – the condition in which security teams become blind or error prone from attempting to process so many alerts. When this sets in, security teams cut corners, make mistakes, ignore entire classes of alerts, and make simplifying assumptions without enough data. Our informal conversations reveal that up to 90% of security alerts are completely ignored.

Organizations attempt to mitigate alert overload by hiring more employees, creating specialized staffing functions, bringing in a range of consultants, and even building specialized filters. Most of these tactics aim to limit human delay, automate manual data collection, and reduce human error. One such mitigation attempt requires specialized software development skills.

When available, developer resources create script- and API-level integrations to automate tasks. While effective, our interviews with security teams reveal a hidden developer risk. Unfortunately, organizations are forced into design, build, and maintenance cycles that aren’t part of their security plan. This includes updating the integrations during vendor release cycles and dealing with staffing changes that can leave custom tools unmaintained.

Each mitigation attempt comes with its own set of risks, and alert fatigue has no trivial solution. Join us tomorrow for a “Managing Security Alert Fatigue” webinar at 2 p.m. ET/11 a.m. PT with Michael Osterman from Osterman Research. You’ll learn actionable tips and tricks to help you gain control of your incident response process and stop advanced threats.