Posted on Jan 4, 2021
Cybersecurity products are a vital part of your organization’s information security strategy, but there’s a problem with them: the number of alerts they generate.
Ask any analyst and they’ll tell you about the firehose of cybersecurity alerts they are faced with on a daily basis, and most of those alerts don’t actually signal a real problem. According to a survey conducted by the Cloud Security Alliance, only about 23.2% of threat alerts were real, meaning that 76.8% were false positives.
It’s no wonder that analysts can’t — and don’t — pay attention to every single alert they receive. According to the same survey, 31.9% of analysts don’t pay attention to alerts anymore because of the sheer number of false alarms, and 25.9% get more alerts than they can handle.
That’s a lot of alerts that are going unacknowledged and plenty of companies that aren’t as secure as they think they are. And the stakes are high: according to Ponemon’s Cost of a Data Breach report, just one breach can cost a company $3.92 million.
Fortunately, there are several ways to help your security teams reduce alert fatigue.
“Don’t get breached” is not a specific enough cybersecurity goal for most organizations. It’s important for your company to know exactly what assets it’s protecting from harm, and how those assets need to be secured. For manufacturers, the supply chain may need to be protected, while other organizations may focus on securing their Internet of Things, or protecting customer data. Having specific goals will help prioritize the alerts your team receives.
Once you know your goals, you can focus on the risks that jeopardize your most important assets. Knowing where your network is most vulnerable, who exactly might want to compromise it, and how they might go about it will help you set up targeted alerts.
With more than two-thirds of default alerts being false positives, it’s clear that not every alert is a good alert. Prioritize your alerts by tuning your products so they give your team need-to-know data for your organization, and if you have gaps in that important data, find a product that fills those gaps.
Alerts should be relevant and easy to understand. If your team is getting byzantine alerts that don’t mean anything to them, or alerts that simply aren’t relevant, those alerts are simply making noise rather than telling you something you need to know. Better to not get them at all, and eliminate the extra noise.
Your team is human and makes mistakes. And they’re tired — they’re getting thousands of alerts. AI, on the other hand, never gets tired and rarely makes mistakes. Automate common analysis steps as much as you can, so that AI and other automated tools are weeding out the noise and passing on actionable alerts to human beings.
If your alerts come in piecemeal, that’s how they’ll be handled. Funnel all your alerts into a single workflow that all your analysts are tending to. That means every alert will be reviewed and handled in a timely fashion.
The Cloud Security Alliance survey found that 40.4% of analysts had a hard time responding to alerts because there was no actionable information to investigate associated with each alert. By providing context in every alert, your team will be better able to understand and quickly respond.
Alerts can be an annoyance, but by building context into each, you can present your team with a narrative, including the asset at risk, the threat and all the information an analyst needs to make a quick, informed decision about an alert.
Some false positives may be unavoidable. In those cases, start recording them and learning the pattern of false positives so you can better tune your products, and so your team knows more quickly which alerts may not be real and which need attention right away.
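As an added illustration of the three ideas above (one queue for every source, context on every alert, and recording analyst verdicts so noisy rules can be tuned), here is a small Python triage pipeline. It is example code, not from the original post or from SecurityScorecard, and the asset inventory, the two vendor alert formats and the rule names are all constructed.

```python
from collections import defaultdict

# Constructed asset inventory: the context an analyst needs on every alert.
ASSETS = {
    "10.0.1.5": {"name": "db-prod-01", "owner": "data-platform", "crown_jewel": True},
    "10.0.2.17": {"name": "kiosk-lobby", "owner": "facilities", "crown_jewel": False},
}
SAMPLE_RAW = [  # constructed alerts from two hypothetical products with different schemas
    {"vendor": "ids", "sig": "policy-outbound-tls", "dst": "10.0.2.17"},
    {"vendor": "edr", "detection": "credential-access-lsass", "device_ip": "10.0.1.5"},
    {"vendor": "ids", "sig": "policy-outbound-tls", "dst": "10.0.1.5"},
]

def normalize(raw):
    """Map each product's field names onto one schema so every alert enters one queue."""
    if raw["vendor"] == "edr":
        return {"source": "edr", "rule": raw["detection"], "host": raw["device_ip"]}
    if raw["vendor"] == "ids":
        return {"source": "ids", "rule": raw["sig"], "host": raw["dst"]}
    raise ValueError("unknown vendor: %s" % raw["vendor"])

def enrich(alert):
    """Attach asset context; the criticality of the asset drives the priority."""
    unknown = {"name": "unknown", "owner": "unknown", "crown_jewel": False}
    alert["asset"] = ASSETS.get(alert["host"], unknown)
    alert["priority"] = "high" if alert["asset"]["crown_jewel"] else "low"
    return alert

class FalsePositiveTracker:
    """Record analyst verdicts per rule so rules that are mostly noise can be tuned."""
    def __init__(self, threshold=0.75, min_samples=5):
        self.threshold, self.min_samples = threshold, min_samples
        self.counts = defaultdict(lambda: {"fp": 0, "total": 0})
    def record(self, rule, false_positive):
        self.counts[rule]["total"] += 1
        self.counts[rule]["fp"] += int(false_positive)
    def fp_rate(self, rule):
        c = self.counts[rule]
        return c["fp"] / c["total"] if c["total"] else 0.0
    def rules_to_tune(self):
        # Rules with enough verdicts whose false-positive rate meets the threshold.
        return sorted(r for r, c in self.counts.items()
                      if c["total"] >= self.min_samples and self.fp_rate(r) >= self.threshold)

def triage(raw_alerts, tracker):
    """One queue: normalize, enrich, flag likely noise, then order by what needs eyes first."""
    noisy = set(tracker.rules_to_tune())
    queue = [enrich(normalize(r)) for r in raw_alerts]
    for a in queue:
        a["likely_fp"] = a["rule"] in noisy
    return sorted(queue, key=lambda a: (a["likely_fp"], a["priority"] != "high"))
```

Alerts from rules the tracker has flagged are kept but marked and pushed to the back of the queue, so the team sees them as probable noise without losing them entirely.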
The best way to cut down on alerts is to cut down on threats. Make sure everyone at your company is well-versed in cyber hygiene and follows best practices, and make sure your networks and data are as secure as possible. When you’re running a tight ship, you’re likely to get fewer alerts.
Clear, relevant and easy-to-read alerts are important when you’re looking for actionable cybersecurity alerts.
SecurityScorecard’s Ratings are easy-to-read A-F scores that show you at a glance everything you need to know about your security posture from an outside-in perspective, context included. Our ratings continuously monitor metrics like endpoint security, network security, and application security, so you know what your vulnerabilities are and can manage them in real time. When you get an alert, we give you all the details you need, including a remediation plan for each issue. That information will allow your team to make a quick, well-informed decision about the alert and the threat itself.