How to Fix Security-Alert Overload

The technology exists to remedy alert fatigue. So why aren’t companies using it?


What’s one of the biggest obstacles plaguing your security team? If it’s an abundance of alerts, you are not alone.

Alert overload is the subject of a new study released by Ovum, a research and consulting firm, which surveyed bank security chiefs. According to the report, 37% of banks face 200,000-plus security alerts each day.

Of course, it isn’t humanly possible to sift through thousands of red flags. (SC magazine cites an April 2017 study called “A Day in the Life of a Cyber Security Pro,” which found that 79% of security teams feel overwhelmed by the volume of alerts.) This puts SecOps departments in the dicey position of deciding which threats are worth pursuing and which are false alarms. That is a costly gamble, because they can guess incorrectly.

“Volumes of alerts will continue to climb until organizations implement the appropriate technology and overlay them with operational innovations that allow the organization to rapidly sift through the mountains of data to find the actionable alerts,” Wells Fargo CISO Rich Baich tells American Banker.

chart courtesy of Ovum

This is where security analytics can come in for the save. These platforms (also known as UBA or UEBA, for user/entity behavior analytics) combine multiple log sources, group the events by entity (such as users, files, devices), and create multidimensional baselines reflecting how each entity tends to behave. They then score and rank deviations from those baselines, so one-off anomalies don’t get unduly escalated and security teams can prioritize which risks to chase.

Add in automated machine learning, and you have an indefatigable gauge for spotting threats, regardless of how much data you throw at it. As a risk-management tool, platforms that use machine learning also deliver actionable intelligence. Security teams spend less time worrying about alerts, and more time acting and reporting on genuine risks.
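To make the baseline-and-rank idea from the two paragraphs above concrete, here is a small added example written for this page (it is not code from Ovum, from any UEBA vendor, or from the original article). It builds a per-user, per-day feature vector across four dimensions (login count, distinct hosts, off-hours logins, bytes out) from a week of constructed login events, turns the history into a mean/deviation baseline per feature, and then scores a new day by how far each user drifts upward from their own baseline. The entity names, log events, the four features, the 10-unit cap per feature and the "no baseline" handling are all assumptions made for the example; a real platform would use far more dimensions and far more history.

```python
"""Toy entity-behaviour baseline and ranking (added illustration, not vendor code)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

FEATURES = ("logins", "hosts", "offhours", "bytes")
OFF_HOURS = set(range(0, 7)) | set(range(20, 24))   # assumed "quiet" hours
CAP = 10.0   # cap per-feature contribution so one dimension cannot swamp the rest


def features(events):
    """Collapse raw events into one feature row per (user, day)."""
    rows = defaultdict(lambda: defaultdict(
        lambda: {"logins": 0, "hosts": set(), "offhours": 0, "bytes": 0}))
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        r = rows[e["user"]][ts.date()]
        r["logins"] += 1
        r["hosts"].add(e["host"])
        r["offhours"] += int(ts.hour in OFF_HOURS)
        r["bytes"] += e["bytes"]
    return {user: [{"logins": r["logins"], "hosts": len(r["hosts"]),
                    "offhours": r["offhours"], "bytes": r["bytes"]}
                   for r in days.values()]
            for user, days in rows.items()}


def build_baseline(history, min_days=3):
    """Per-user (mean, sigma) for every feature; users with too little history are skipped."""
    base = {}
    for user, days in features(history).items():
        if len(days) < min_days:
            continue
        base[user] = {}
        for f in FEATURES:
            vals = [d[f] for d in days]
            mu = mean(vals)
            # Floor sigma so a perfectly flat baseline cannot divide to infinity.
            sigma = max(pstdev(vals), 0.1 * mu, 1.0)
            base[user][f] = (mu, sigma)
    return base


def score_day(current, base):
    """Rank entities by summed, capped upward deviation from their own baseline."""
    ranked = []
    for user, days in features(current).items():
        today = days[-1]                      # assumes the current window is one day
        if user not in base:
            # Edge case: an entity with no history cannot be scored; surface it, don't drop it.
            ranked.append({"user": user, "score": None, "reason": "no baseline"})
            continue
        contrib = {}
        for f in FEATURES:
            mu, sigma = base[user][f]
            z = (today[f] - mu) / sigma
            contrib[f] = round(min(max(z, 0.0), CAP), 2)   # only upward drift is suspicious here
        ranked.append({"user": user, "score": round(sum(contrib.values()), 2), "reason": contrib})
    ranked.sort(key=lambda r: (r["score"] is None, -(r["score"] or 0.0)))
    return ranked


# --- Constructed sample data (not real logs) ---------------------------------
def make_day(day, user, hosts, hours, bytes_each):
    return [{"ts": f"2017-04-{day:02d}T{h:02d}:15:00", "user": user,
             "host": hosts[i % len(hosts)], "bytes": bytes_each}
            for i, h in enumerate(hours)]

HISTORY = []
for d in range(3, 8):                                   # five ordinary working days
    HISTORY += make_day(d, "alice", ["ws-01"], range(8, 16 + d % 2), 1000)
    HISTORY += make_day(d, "bob", ["ws-02", "ws-03"], range(8, 18), 2000)

TODAY = (
    make_day(10, "alice", ["ws-01"], range(8, 17), 1100)           # slightly busier, same pattern
    + make_day(10, "bob", ["ws-02", "ws-03", "srv-db", "srv-file", "srv-mail"],
               list(range(1, 5)) + list(range(8, 18)), 40000)      # night logins, new hosts, big transfers
    + make_day(10, "carol", ["ws-09"], range(9, 12), 500)         # brand-new account, no history
)


def rank_today():
    return score_day(TODAY, build_baseline(HISTORY))


if __name__ == "__main__":
    for row in rank_today():
        print(row["user"], row["score"], row["reason"])
```

Running it ranks bob far above alice (night-time logins, three never-seen hosts and a bytes-out spike that hits the cap), alice's extra login and a bit more traffic score low, and carol is listed last with "no baseline" rather than silently ignored. That ordering, not a flat stream of 200,000 alerts, is what lets an analyst decide where to look first.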

A study found that 90% of companies reduced false positives by adopting security analytics. That report was released three years ago. So why haven’t all enterprises adopted security analytics?

The widespread deployment of SIEM systems—one of the biggest alert-fatigue culprits—is a big reason. Countless companies have invested millions in these platforms, as well as in the skilled employees it takes to deploy and operate them. The recent “get rid of your SIEM” sentiments don’t add up: Executive teams expect their security departments to justify those expensive spends.

With that in mind, the answer is fairly simple: Find a solution that integrates your SIEM system and/or other security investments into a streamlined analytics ecosystem. This not only simplifies the work of maintaining complicated SIEM systems or juggling several security add-ons (the Ovum survey found that 36% of companies use a staggering 51 to 100 security tools); it also vastly reduces false-positive noise. And from a risk-management perspective, that’s a proactive solution that’s tough to deny.