The Hidden Cost of Alert Fatigue
As they become desensitised to a barrage of potential attacks, fatigued security teams are more likely to miss the subtle signs of an intruder within their system.
When, in early 2014, the cybersecurity team at Target, one of the world's largest retailers, noticed yet another alert about malicious activity on their corporate network, they ignored it. Because the generic alert looked just like one of the hundreds of false alarms that the team received every day, it was immediately written off as a false positive — part of the "noise" that their security solution generated. Unfortunately, the missed alert was genuine. Disregarding it resulted in a devastating data breach that affected 70 million people, cost Target over $252 million, and led to the resignation of the company's CIO and CEO. Since then, alert fatigue, the fundamental problem which led Target's IT team to pass over a genuine threat, has only gotten worse.
Long recognised as a significant threat to patient health in the medical sector, alert fatigue, the natural complacency that sets in when individuals are constantly bombarded with alerts, is now a regrettably common experience for IT teams. Although according to a 2018 Bricata infographic, large enterprises see up to 1.3 million vulnerabilities every month, only 36% of them are addressed daily. A further survey by FireEye found that 37% of C-level security executives at large enterprises received more than 10,000 alerts each month. Of those 10,000 alerts, 52% were false positives, and 64% of those were redundant.
With most alerts now meaningless, false positives are normalised, and a worryingly large number of genuine threats ultimately end up disregarded. As they become desensitised to a barrage of potential attacks, fatigued security teams are more likely to miss the subtle signs of an intruder within their system.
The Cybersecurity Paradox Fuelling Alert Fatigue
While the cost of global cybercrime is soaring, corporate security spending is also creeping upwards and is predicted to grow by at least 10% in 2021. Unfortunately, if past trends are anything to go by, much of this extra investment will likely lead to more technology rather than increased security.
In 2017, half of all enterprises were already using between 6 and 20 tools that generated security alerts. In 2019, the average CISO could point to up to 65 different security technologies in their environment. Meanwhile, the number of corporate data breaches has grown every year by double-digit percentages. This paradox highlights how, rather than bolstering corporate security postures, cybersecurity spending has been funnelled into overly complex security tool stacks, a trend that shows no signs of abating.
Too Many Alerts, Not Enough Time
Unless integrated and backed up by enough human resources, security solutions can create more alerts than data analysts can deal with, making alert fatigue even worse. Because it can take an IT specialist a considerable amount of time to figure out if an alert is an attack in progress or just a false positive, incoming alerts tend to build up, further jamming up IT workflows. Consequently, most analysts today spend more than two-thirds of their time investigating, triaging, and responding to alerts and have little time for analysing and remediating real security threats.
Perhaps inevitably, over a third of IT security analysts and managers end up ignoring alerts if the alert queue is already full. Some may even be tempted to shut off or turn down the sensitivity of noisy security tools altogether. Sadly, this status quo means that more than a quarter of all security alerts are never addressed, and the potential to miss malicious alerts is increasing.
The excessive noise that cybersecurity teams have to sift through is partly to blame for the length of time it takes the average organisation to uncover a data breach — now over 280 days. This disconcerting statistic shows how when alerts go undetected, a false sense of security is the result. As demonstrated by the Target hack, the repercussions of desensitisation can have disastrous consequences for organisations in all types of industries, including lost revenue, damaged reputation, and operational downtime.
About the author
David Atkinson, Founder and CEO, Senseon
Before moving into the cyber security industry, David spent over 15 years working within the UK’s specialist military units where he was the first cyber operative. His combined experience and technical abilities gained from his background in military, government and the private sector has led him to challenge the current approaches to cyber security and to create Senseon.
The Human Cost of Alert Fatigue
While alert fatigue decreases overall cybersecurity, analysts themselves are feeling the pressure too. More than a third of cybersecurity professionals admit to losing sleep due to cyberattacks on their organisations, and 96% feel a personal impact after a breach occurs. Unsurprisingly, about two-thirds of cybersecurity professionals have thought about leaving their job or even the cybersecurity industry altogether.
This churn isn't helped by the cybersecurity industry skills shortage that already affects about three-quarters of organisations. Overstretched and understaffed, cybersecurity specialists that aren't planning on leaving their roles are generally so overworked they don't even have time to stay up to date — most cybersecurity professionals spend less than 20 hours a year training. As cybercriminals continuously change their tactics, this lack of training can significantly reduce an organisation's security posture, further fuelling the rise in frequency and severity of cyberattacks.
Overcoming Alert Fatigue
As threat actors are becoming increasingly smarter and more technologically capable and the amount of noise cybersecurity teams have to sift through grows louder, the problem of alert fatigue is only going to grow.
Although companies can take some operational steps to reduce alert fatigue — like distributing responsibilities among both ops and wider developer teams and setting reliability objectives — the only real way to combat this rising negative trend is to invest in proactive defence that prioritises alerts reliably and automatically. Alternatively, because greater numbers of tools tend to spit out large amounts of data to be analysed instead of contextualising potential threats, ill-planned cybersecurity spending can make businesses more, rather than less, vulnerable to attacks.
A self-driving cyber defence platform, Senseon rewrites this status quo. Our platform can automatically detect, investigate, and respond to cyber threats, giving back valuable time to overwhelmed IT teams. Taking a data-first approach and blending multiple detection methods, Senseon uses human-like "AI triangulation" to reliably and transparently distinguish between benign and malicious activity. Dramatically reducing the workload for IT teams, this transformative capability gives organizations back their most valuable cybersecurity resource — IT professional’s time.