Keeping Up With A Growing Number of Security Alerts: What Can You Do?

Could you imagine living in a home where the smoke alarm went off twice an hour? Every time the alarm goes off, you frantically scurry around your house smelling for smoke or trying to find a flame, only to realize it was actually just an installation mistake that was causing the false alarms. Now you’re then faced with a choice:

• Continue living in chaos, exerting energy every 30 minutes to see if something is wrong
• Ignore the alarms assuming you’re safe
• Fix the smoke alarm so it only alerts you when you were actually in danger

It may seem like an obvious decision, yet this chaos of living with a faulty smoke detector, is the environment many SecOps teams feel every day. 

A recent ESG report indicates the estimated mean number of security alerts generated per day per SOC is roughly 286, with roughly a 99% false positive rate. 

The sheer number of false positives (coupled with alert fatigue) make it challenging to sort through the noise, and zero in on the highest risk threats, with 96% of security professionals indicating they make tradeoffs between efficacy and efficiency to keep up.

We’re reaching a tipping point in the world of security alert management. SecOps teams are spending too much time and too many resources chasing noisy detections — rather than making sure that only the truly important detections are sounding. 

Something has to change. 

The Cost of Constant Interruptions: Examining the Implications of Increasing Alerts  

Not only is the volume of security alerts outpacing SecOps countermeasures, but the number of techniques used for exploitation, and the types of infrastructure with vulnerabilities are growing, in our increasingly digital world. 

For example, the Cybersecurity and Infrastructure Security Agency reports there are more than 100 known threat actor groups, each with various techniques and software they are known to use targeting like: 

• Exploit public-facing application [T1190] 
• External remote services [T1133]
• Phishing [T1566]
• Trusted relationship [T1199] 
• Valid accounts [T1078]

And these adversaries are targeting vulnerabilities across many types of local, remote, cloud, containerized, and virtual infrastructures, including:

• Network
• Cloud workloads
• SaaS applications
• Supply chain

And, across increasingly diverse endpoints: 

• Corporate-owned devices
• Personal devices 
• Third-party supply chain and partner devices 

Security and IT teams face an uphill battle to transform their security operations infrastructure while fending off attacks, and protecting access to a variety of assets:

• Intellectual property
• Personnel data
• Business systems

The types of security alerts triggering systems range from low (false positive), medium (true benign positive) and high priority (true positive), making it critical to have a system in place for prioritization so each alert is tended to as needed, and in a timely manner. 

ESG finds that roughly 160 daily security alerts drop on the floor due to too much chaos, and inability to prioritize true threats, leaving your brand integrity at risk. For SecOps to reach operational excellence, organizations must overcome some of the challenges that lead to a chaotic system:

👀 Lack of visibility

Connect your security and business priorities across your organization, security tools, cloud platforms, and more.  This effort requires bringing together your people, process, and technology as a starting point for shared responsibility.

More specifically, SecOps teams find that visibility into cloud workloads is a gap for many, which should drive investments in cloud detection and response solutions capable of sifting through a diverse, distributed set of signals to isolate threats.  

🔁 Lack of automation

As attack surface growth continues, especially with more cloud workload and infrastructure adoption, many organizations supplement existing tools with manual processes to close gaps. 

This means analysts are inundated by the number of alerts that require human attention, sending every alert directly to the SIEM for correlation results in tons of non-contextual alerts, each of which requires significant work by an analyst to research, creating more dwell time and human room for error. 

While change is underway in many organizations, most must continue to utilize current solutions for 12 to 24 months until modernization activities are implemented.  

💢 Improperly configured threat detection solutions

Issues with poorly constructed infrastructure and the amount of noise that comes from the policies deployed in your containerized environments can result in too many alerts being sent to the SOC.

‍Kiran Shirali, Senior Manager of Security Engineering at eBay agrees with this challenge. Concerned about the ever-changing security landscape making it difficult to keep up with the latest threats as eBay expands and grows the business, Kiran explained, “As a detection manager, I need to be able to quickly respond and put the appropriate detections in place.”

It’s challenging to associate context with relevance, making prioritization during the alert triage process laborious.

👥 Lack of internal resources

Despite roughly 60% of security professionals saying that alert triage is challenging or overwhelming, there aren’t enough resources available to curb the workload. Veteran employees are too bogged down to teach their junior analysts, different companies are using completely different systems so new hires can’t keep up, and more.  

Improved security alert management is a focus area for many organizations. To handle the increasing security alert volumes and growing complexities in the space, organizations are driving investments in technology that makes it possible to scale, assimilate and analyze security signals across multiple cloud environments, and automate alert triage. 

How to Mitigate Alert Overload and Reduce Risky Trade-offs 

If you need a sign that it’s time to re architect your security stack to be capable of scaling and analyzing signals from multiple cloud environments, here it is.

‍And you’re in good company. Roughly 93% of security decision makers feel their organization needs to re-evaluate its SecOps priorities. But to re-evaluate, you need to reallocate and prioritize efforts internally:

1. Narrow your scope and rationalize threats

SIEMs alert you of potential threats, but how is your team parsing through those threats to focus on the most meaningful ones? 86% of security professionals say the new detection lifecycle (i.e., identifying the need, creating the detection, testing, and deploying the detection) takes a week or more. If your SOC is generating more than 200 alerts a day, its impossible to hunt everything down. You need the ability to rationalize threats, understand false positives relative, add prioritization, and understand the full context to narrow your scope. 

2. Focus on improving automation

Automation capabilities makes alert prioritization less challenging. Security professionals that extensively use automation for security operations were 2x more likely to develop and implement threat detection rules in less than 7 days vs more than a week.  Increasing SecOps solutions featuring automation can help reduce the work-load “trade-offs” that are made to keep pace with incoming volume of alerts. 

3. Enhance integrations

To become extensively automated, integrations are key. Still, 78% security decision makers say lack of integration capabilities impede automation and other SecOps improvement. 

An end-to-end, holistic security management process would entail automatically ingesting, normalizing, tagging, enriching, and correlating alerts from EDR/XDR, email security, and other tools before events are indexed, and then having the ability to create a one-step integration for ticketing and case management in tools like ServiceNow or Jira.  

‍Rearchitecting your security stack is not about replacing employees — it’s about delivering tools that help set your SecOps team up for success. Companies that do so will maximize their resources and make their technology a force multiplier. 

Conquer Alert Fatigue by Streamlining Security Alert Management with Anvilogic  

Anvilogic empowers security professionals at every level to take control of cybersecurity chaos, eliminate silos, and simplify complexities so they can focus on what truly needs attention. 

Anvilogic’s AI-driven platform creates a single, integrated workspace to help the SOC deliver better (and faster) threat detection, hunting, incident response, and triage capabilities.  

• Consolidate and normalize data: from multiple sources and MSSPs into a single, integrated workspace.
• Automate the triage process: to prioritize critical threats and let your SecOps team get back to what matters the most. 
• Squash your backlog: and reduce time to build and deploy pattern-based detections with no-code, out-of-the-box behavioral threat detection content based on frameworks, like MITRE ATT&CK and kill chains.
• Identify coverage and data gaps: through continuous maturity scoring and navigation with AI-driven recommendations mapped to the MITRE ATT&CK framework.
• Maximize your SIEM: invest in machine learning tools that help analyze data and identify the high-priority detections will help maximize the impact of a SIEM.

Additionally, Anvilogic’s Forge team delivers daily updates, detections for critical new vulnerabilities on the same day they appear, accompanied by structured information on threat and impact, plus links to remediation steps, so you can prioritize and triage alerts without trade-offs between efficacy and efficiency. 

Want to learn more? Check out more information on Anvilogic and ESG’s latest report about Trends in Modern Security Operations.