Alert fatigue and its knock-on effects on SOC efficiency are self-evident problems. Less obvious, and more complex, are their causes, their consequences and their possible solutions.
SOC analysts are inundated with a huge and continuous volume of alerts generated by security tools. Taken on its own, an alert is often meaningless; it only acquires meaning when correlated with other alerts. But finding those relationships is time-consuming, and even when a relationship is found it may have no bearing on the security of the business. Much of the alert volume is simply noise, and attempting correlation to separate the true positives (signal) from the far larger number of false positives (noise) is difficult, tedious and frequently pointless.
The reasons are numerous:
Absence of automated prioritization. Security tools are great at detecting alert signals but poor at prioritizing them. Alerts sometimes arrive with a score. “A tool might say, ‘I found a threat. The score is 32 out of 100’,” comments Obbe Knoop, founder and CEO at Lanxit. “What does that mean? What does a score of 100 out of 100 actually mean? Why give it a score of 32? Without context it is meaningless.”
Absence of alert context. Alerts suffer from a paucity, if not a complete lack, of context. An alert might indicate the presence of a vulnerability and appear urgent; but the full context might show that this device, in that location, has no outgoing connectivity and no relevance to business continuity. Such an alert can be noted and queued behind genuinely urgent ones. Judging relevance depends on having accurate and complete context, which the alert itself rarely carries.
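To make the two points above concrete, here is an added example (not code from the article or from any vendor mentioned in it) of context-aware prioritization: the same vendor score of "32 out of 100" is turned into a queue position by combining it with asset exposure, business criticality and cross-alert correlation, and an alert for a host missing from the inventory is routed to triage rather than scored on a guess. The asset inventory, alerts, weights and tier thresholds are all constructed, hypothetical sample data.

```python
"""Context-aware alert prioritization (added example, hypothetical data).

A raw detector score is not comparable across tools and says nothing about
where the alert fired. This module normalizes each tool's score, then
scales it by asset exposure, business criticality and how many distinct
rules are firing on the same host (a cheap correlation signal).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    internet_exposed: bool      # any inbound or outbound internet path
    business_criticality: int   # 0 = lab/test ... 3 = revenue-critical


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    rule: str
    score: int                  # vendor score as delivered
    score_max: int = 100        # the tool's own scale (varies per tool)


# Constructed asset inventory: in practice this comes from a CMDB.
ASSETS = {
    "kiosk-07":   Asset("kiosk-07",   internet_exposed=False, business_criticality=0),
    "pay-api-01": Asset("pay-api-01", internet_exposed=True,  business_criticality=3),
    "hr-db-02":   Asset("hr-db-02",   internet_exposed=False, business_criticality=2),
}

# Constructed alerts: a1 and a2 carry the same raw score on very different hosts.
ALERTS = [
    Alert("a1", "kiosk-07",     "outdated-openssl",         32),
    Alert("a2", "pay-api-01",   "outdated-openssl",         32),
    Alert("a3", "pay-api-01",   "suspicious-child-process", 18),
    Alert("a4", "pay-api-01",   "outbound-dns-tunnel",      21),
    Alert("a5", "hr-db-02",     "failed-logins-burst",       8, score_max=10),
    Alert("a6", "unknown-host", "port-scan",                90),
]

# Illustrative weights (assumptions, to be tuned per environment).
EXPOSED_FACTOR = 1.0
ISOLATED_FACTOR = 0.25      # not zero: lateral movement can still reach it
CORRELATION_STEP = 0.5      # per additional distinct rule on the same host


def normalized_score(alert):
    """Map each tool's scale onto 0..1 so scores can be compared at all."""
    return alert.score / alert.score_max


def priority(alert, asset, rules_on_host):
    """Score one alert against its asset context and co-firing rules."""
    base = normalized_score(alert)
    exposure = EXPOSED_FACTOR if asset.internet_exposed else ISOLATED_FACTOR
    criticality = (1 + asset.business_criticality) / 4       # 0.25 .. 1.0
    others = len(rules_on_host - {alert.rule})                # correlation signal
    correlation = 1 + CORRELATION_STEP * others
    return round(base * exposure * criticality * correlation, 3)


def tier(p):
    """Queue tier for a priority value (thresholds are assumptions)."""
    if p >= 0.5:
        return "urgent"
    if p >= 0.2:
        return "normal"
    return "queued"


def prioritize(alerts, assets):
    """Return (scored_queue, triage_bucket).

    scored_queue: (priority, alert) pairs, highest priority first.
    triage_bucket: alerts whose host is absent from the inventory. Without
    context they cannot be ranked honestly, so they go to asset discovery
    instead of being silently dropped or silently put at the top.
    """
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a.host].add(a.rule)

    scored, triage = [], []
    for a in alerts:
        asset = assets.get(a.host)
        if asset is None:
            triage.append(a)
            continue
        scored.append((priority(a, asset, rules_by_host[a.host]), a))
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored, triage


if __name__ == "__main__":
    queue, needs_triage = prioritize(ALERTS, ASSETS)
    for p, a in queue:
        print(f"{tier(p):7} {p:5.3f}  {a.alert_id} {a.host:12} {a.rule} (raw {a.score}/{a.score_max})")
    for a in needs_triage:
        print(f"triage  -----  {a.alert_id} {a.host:12} {a.rule}: host not in inventory")
```

With the constructed data, the two alerts with the identical raw score land at opposite ends of the queue (a2 on the exposed payment API, with two other rules firing on the same host, is urgent; a1 on the isolated kiosk is queued), while the raw-90 alert on the unknown host is held for triage because no context exists to rank it. The weights are deliberately simple; the point is that the inputs to them (exposure, criticality, inventory membership) are what the tool's score alone cannot supply.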