Five Techniques For Reducing Cybersecurity Alert Fatigue

Hit an internet search engine and enter “cybersecurity workforce shortage” then follow that up with a search for “increase in cybersecurity attacks.” You shouldn’t have any trouble identifying a severe issue.

We Have a Supply and Demand Problem in Cybersecurity

A research study by ESG indicated a 213% increase between 2014 and 2018 in the number of companies reporting a shortage of cybersecurity professionals. Many experts, including Cybersecurity Ventures, predict the growing supply shortage will continue for many years, reaching a worldwide shortage of 3.5M cybersecurity professionals in 2021.

The increase in device connectivity, the rise in vulnerabilities, higher values for stolen loot, greater probability of success for threat actors, expanding regulation and compliance, privacy interests, insurance requirements, and legal liabilities are all contributing factors for the increase in demand.

Obtain and Protect Your Supply Of Cybersecurity Pros

Alert Fatigue Is A Leading Factor For Analyst Burnout

Combine the supply shortage with the leading contributor to fatigue, the noise created by an abundance of alert data that is unnecessary and uninteresting, and protecting the existing supply becomes even more challenging.

An oversaturation of cyberweapons in the marketplace also plays a role in the time suck of uninteresting events. In 2018 McAfee reported more than 1,000 cyberweapons manufacturers pitching their wares. Most, if not all, cyberweapons makers will purport to have some form of machine learning AI feature that will effectively eliminate clamor and catch every cyber transgressor roaming the planet. In reality, and especially for the small business, these cyberweapons are siloed, rarely collaborate, and produce more technical debt than actionable events. SIEM tools, orchestration platforms, machine learning maturation, and other promising technologies improve signal, but at present they still require a human in the loop, and thus we return to the growing supply shortage problem. We’re living in a world of always-on siloed alert saturation, and it’s creating a cognitive overload for our cybersecurity analysts.

Excessive Alerting == Cognitive Overload

How then do we, with the current technology and capitalized weapons deployments, dial down the alert overload and ensure cybersecurity analysts are motivated to stick around and fight? Continue reading for some real-world practical techniques.

5 Techniques For Reducing Alert Fatigue

1. Innovate
The promise of machine learning (ML) and artificial intelligence (AI) is real, is here, and is exciting in its cybersecurity applications. The power of statistical inference brought on by ML and AI developments is undeniably useful for defeating useless alerts. As I mentioned previously, every cyberweapons manufacturer has jumped on the ML/AI hyperbole train. However, all cybersecurity professionals need to be thinking about innovating using new-school techniques offered by ML/AI and Security Orchestration, Automation, and Response (SOAR), using both off-the-shelf and roll-your-own scenarios. Innovation reduces alert fatigue.

2. Measure & Tune
We use many machine API-to-API messaging technologies at GuardSight to achieve efficiencies and reduce the number of alerts. Message processing has an associated financial cost. Reducing the number of processing operations reduces that financial cost. Measure your message processing operations, set a budget threshold associated with those operations, view anything above the threshold as a tax, and when the tax kicks in, tune. Measuring and tuning reduces alert fatigue.
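The measure, budget, tax, tune loop described above as an added example (not GuardSight's own tooling); the message sample, per-source budget and unit cost are constructed values, and "tuning" is modelled as collapsing each batch of k messages from a noisy source into one summary message.

```python
import math
from collections import Counter

# Constructed sample (not real telemetry): one entry per API-to-API message
# processed, labelled with the alert source that produced it.
SAMPLE_MESSAGES = (
    ["ids:port-scan"] * 420
    + ["auth:failed-login"] * 310
    + ["edr:new-process"] * 95
    + ["dns:nxdomain"] * 60
)

BUDGET_PER_SOURCE = 200     # assumed budget of operations per source per window
COST_PER_OPERATION = 0.002  # assumed unit cost of one processing operation


def measure(messages):
    """Measure: count processing operations per alert source."""
    return Counter(messages)


def tax_report(counts, budget=BUDGET_PER_SOURCE, unit_cost=COST_PER_OPERATION):
    """Treat every operation above the budget as a tax. Returns the taxed
    sources, worst offender first, with the overage in operations and cost."""
    taxed = []
    for source, n in counts.items():
        overage = n - budget
        if overage > 0:
            taxed.append({"source": source, "count": n, "tax_ops": overage,
                          "tax_cost": round(overage * unit_cost, 4)})
    return sorted(taxed, key=lambda row: row["tax_ops"], reverse=True)


def tune(counts, aggregation):
    """Tune: collapse each batch of k messages from a noisy source into one
    summary message (aggregation maps source -> k) and return the new counts
    so the effect can be re-measured against the same budget."""
    tuned = Counter()
    for source, n in counts.items():
        tuned[source] = math.ceil(n / aggregation.get(source, 1))
    return tuned


def run_cycle(messages, aggregation):
    """Measure, report the tax, tune, and re-measure in one pass."""
    before = tax_report(measure(messages))
    after = tax_report(tune(measure(messages), aggregation))
    return before, after
```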

3. Use a Threat Analysis Model
Using a threat analysis model is an efficient, systematic method to identify, enumerate, and prioritize attack events. The goal is to quickly formulate a conclusion using the results of substantive observations of contextually relevant elements: indicators of compromise (IOCs). The analysis judgment is recorded as “IOC-Negative” when multiple elements are negative or “IOC-Positive” when a single item is positive. This approach not only reduces fatigue by requiring fewer decisions, but it also helps when you’re already fatigued or under increased pressure, such as during incident response situations. Threat analysis models reduce alert fatigue.

# IOC NEGATIVE
## TOP-IOC: Attack Surface DOES NOT Exist
## TOP-IOC: Attack Surface Vulnerability DOES NOT Exist
## TOP-IOC: Subsequent Activity DOES NOT Exist
## TOP-IOC: NOT CONSISTENT with Corroboration From Multiple Intelligence Assets
## TOP-IOC: NOT CONSISTENT with Unusual Egress Network Traffic
## TOP-IOC: NOT CONSISTENT with Unusual Lateral Movement
## TOP-IOC: NOT CONSISTENT with Login Anomalies
## TOP-IOC: NOT CONSISTENT with Suspicious Domain Controller Activity
## TOP-IOC: NOT CONSISTENT with Suspicious Byte Counts
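The judgment rule from the text applied to the nine checklist elements above, as an added example rather than GuardSight's own implementation. It assumes each element is recorded as observed (True), observed absent (False) or not yet examined (None), and reads "multiple negative elements" as two or more (the threshold is a parameter).

```python
from dataclasses import dataclass, field

# The nine elements of the IOC-Negative checklist, keyed to the question an
# analyst answers for each: True = observed (leans IOC-Positive),
# False = observed absent (leans IOC-Negative), None = not yet examined.
ELEMENTS = {
    "attack_surface": "Attack surface exists",
    "vulnerability": "Attack surface vulnerability exists",
    "subsequent_activity": "Subsequent activity exists",
    "corroboration": "Corroborated by multiple intelligence assets",
    "unusual_egress": "Unusual egress network traffic",
    "lateral_movement": "Unusual lateral movement",
    "login_anomalies": "Login anomalies",
    "dc_activity": "Suspicious domain controller activity",
    "byte_counts": "Suspicious byte counts",
}


@dataclass
class Judgment:
    verdict: str
    positives: list = field(default_factory=list)
    negatives: list = field(default_factory=list)
    unexamined: list = field(default_factory=list)


def judge(observations, negative_threshold=2):
    """Apply the model: a single positive element yields IOC-Positive;
    otherwise multiple negative elements (threshold is an assumed default)
    yield IOC-Negative; anything else stays Undetermined for more review.
    The lists in the result record which elements drove the decision."""
    unknown = set(observations) - set(ELEMENTS)
    if unknown:
        raise ValueError(f"unknown elements: {sorted(unknown)}")
    result = Judgment(verdict="Undetermined")
    for key in ELEMENTS:  # fixed order keeps the record reproducible
        value = observations.get(key)
        if value is True:
            result.positives.append(key)
        elif value is False:
            result.negatives.append(key)
        else:
            result.unexamined.append(key)
    if result.positives:
        result.verdict = "IOC-Positive"
    elif len(result.negatives) >= negative_threshold:
        result.verdict = "IOC-Negative"
    return result
```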

4. Suppress & Patrol
Trust but verify is a postulate within the information security profession. We can use this premise to create alert pattern templates that we consider routinely normal, to help achieve a state where we don’t worry about ordinary benign things. We suppress them as trusted patterns. Later, we conduct a patrol, a broader contextual review, to verify that we still believe those patterns to be benign. This approach promotes acting on exciting things. A simple example is suppressing a flurry of IDS or authentication alerts and then later (mindful of breakout speed and dwell time concepts) conducting a patrol, using a threat analysis model, to search for indicators of compromise. Suppressing and patrolling reduces alert fatigue.
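The suppress-and-patrol cycle from this section as an added example (not GuardSight's own code): trusted patterns, the alert lines and the patrol intervals are all constructed, and suppressed alerts are kept in a ledger rather than discarded so the patrol has something to review.

```python
import re
from datetime import datetime, timedelta

# Constructed trusted patterns (illustrative). Each records when it was last
# verified benign and how long it may be trusted before a patrol must
# re-verify it; the intervals are assumed values, chosen with breakout
# speed and dwell time in mind.
TRUSTED = [
    {"name": "vuln-scanner-ids", "pattern": re.compile(r"^IDS .* src=10\.0\.9\.5 "),
     "verified": datetime(2019, 3, 1, 8, 0), "patrol_every": timedelta(hours=24)},
    {"name": "svc-acct-auth-noise", "pattern": re.compile(r"^AUTH fail user=svc_backup "),
     "verified": datetime(2019, 3, 1, 8, 0), "patrol_every": timedelta(hours=4)},
]

# Constructed alert lines in a simplified one-line format.
SAMPLE_ALERTS = [
    "IDS portscan src=10.0.9.5 dst=10.0.1.20",
    "IDS portscan src=10.0.9.5 dst=10.0.1.21",
    "AUTH fail user=svc_backup host=fs01",
    "AUTH fail user=jdoe host=wks17",
    "IDS portscan src=198.51.100.7 dst=10.0.1.20",
]


def suppress(alerts, trusted=TRUSTED, keep_samples=3):
    """Split alerts into actionable ones and a suppression ledger. Suppressed
    alerts are not dropped silently: the ledger keeps a count and a few
    samples per trusted pattern so the later patrol has context to review."""
    actionable = []
    ledger = {t["name"]: {"count": 0, "samples": []} for t in trusted}
    for line in alerts:
        for t in trusted:
            if t["pattern"].search(line):
                entry = ledger[t["name"]]
                entry["count"] += 1
                if len(entry["samples"]) < keep_samples:
                    entry["samples"].append(line)
                break
        else:  # no trusted pattern matched: this one is worth an analyst
            actionable.append(line)
    return actionable, ledger


def patrol_due(now, trusted=TRUSTED):
    """Names of trusted patterns whose patrol interval has elapsed; each needs
    a broader contextual review (e.g. with the threat analysis model) before
    its suppression stays in force."""
    return [t["name"] for t in trusted if now - t["verified"] >= t["patrol_every"]]
```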

5. Exercise & Go Dark
Cybersecurity is a highly dynamic ecosystem that is always awake and replete with nefarious activity, often creating excess demand on the adrenal system. It is unrealistic to think that humans can maintain the pace of machines and sustain the critical thinking the cybersecurity profession demands. In addition to the previously mentioned technical suggestions for combating alert fatigue, there are also kinetic remedies: exercise and go dark. This Harvard MD tells us “Even a short bout of any cardiovascular exercise wakes us up, speeds mental processes, and enhances memory storage and retrieval, regardless of our fitness or fatigue levels.” Going dark means unplugging and turning your brain off! Exercise and going dark reduce alert fatigue.

Things To Remember

  • Expect the current supply shortage of cybersecurity pros to last for many years
  • Obtain and protect your supply of cybersecurity pros
  • Be aware that alert fatigue is a major contributor to burnout in cybersecurity pros
  • Reduce alert fatigue by implementing the following techniques:
    1. Innovate
    2. Measure & Tune
    3. Use a Threat Analysis Model
    4. Suppress & Patrol
    5. Exercise & Go Dark

Are you interested in how GuardSight can help reduce the risk of your organization’s exposure to a lack of cybersecurity expertise? Are you interested in how GuardSight can augment your current team to reduce the risk of alert fatigue? Contact us for a free consultation.
