Cybersecurity strategies: fighting alert fatigue and building resilience

As security risks increase in complexity, and data expands exponentially, cybersecurity strategies need to simplify – and streamline

In a world where cybercrime is evolving at a rapid pace, the role of a cybersecurity professional is one of constant vigilance and high stakes. As the volume of data increases exponentially, the vast majority (83%) of cybersecurity professionals say they are struggling to cope with the sheer volume of security alerts, with IDC data revealing that this can lead to missed cyber threats as well as difficulties recruiting and retaining staff in a sector that is already experiencing skills shortages.

The repercussions of an enterprising cyber attacker gaining access to critical data including private financial and medical data or industrial control systems can be severe, meaning the security team’s job is often a pressurised and difficult one. This is made all the more prevalent as migration to the cloud increases and the mobile workforce continues to dissolve the network boundary beyond its traditional office-based confines. This is when ‘alert fatigue’ can have a disruptive part to play in proceedings.

Fighting alert fatigue

Alert fatigue refers to the sheer overwhelm cybersecurity professionals experience when they attend to a high volume of repetitive, low-fidelity alerts, often exacerbated by layers of overlapping security products. Some are frustrating false positives, but many are true positives that are low-risk and therefore of low importance, but which distract professionals from genuine events and threats that may warrant immediate action.

Excessive alert volume naturally increases the chances of a serious threat slipping through the net and as attacks continue to grow in sophistication, the problem will only intensify. IDC found that cybersecurity teams at organisations of all sizes are struggling with alert fatigue, with up to 30% of alerts going ignored or not being investigated.

Ultimately, as organisations deal with more data than ever before, there has never been a more important time to ensure that cybersecurity operations are up to scratch. At the heart of that goal is the need for security defences to be streamlined and fully integrated within existing technology systems, to deliver simplicity, intelligence, and consolidation, thereby easing the pressure on a team who are facing unprecedented levels of threat sophistication year on year.

Streamlining cyber operations

To address alert fatigue but still maintain threat detection efficacy, organisations must seek out a consolidated approach to their cybersecurity strategies. The goal is to be able to sift through the high volume of alerts and narrow these down to a more manageable selection of high-fidelity incidents, thereby significantly increasing detection rates, while reducing false positives.

Usually, the cybersecurity team is tasked with triaging these alerts, where critical decisions need to be made as to whether each alert is worth investigating further or not, but human judgement is not always required here, and automation can have a huge impact in terms of alert noise reduction. An organisation’s security infrastructure can be simplified and streamlined hugely, by applying machine learning and artificial intelligence techniques in these situations, to automate alert prioritisation and identify the most critical risks to catch what the human eye may miss, as well as providing actionable intelligence to security teams when further contextual analysis is needed.

The correct tools complement skills

Harnessing machine learning can complement the strengths of a cybersecurity team, by significantly reducing the time they spend looking into recurring types of alerts. These are automated and bucketed, allowing the team to concentrate more on unique alerts, analysing patterns or threat hunting.

Setting up watchlists to ensure that alerts with certain features identified are promoted or suppressed, can also help to reduce alert fatigue. That way alerts from a group of users or devices that perform tasks that would usually trigger an alert are de-prioritised, which prevents benign events from becoming alerts and clogging up a security team’s heavy workloads.

Cybersecurity strategies: Gaining a birds-eye-view

When it comes to cybercrime, “it isn’t just local authorities that are affected… businesses and retailers, too, are on our adversaries hit-lists”, as the Chancellor of the Duchy of Lancaster, Steve Barclay, noted during his speech on the launch of the Government Cyber Security Strategy.

For global online fashion retailer ASOS, its cybersecurity teams are under a huge amount of pressure to prevent incidents that could take it offline or gain access to precious customer data. The threats the business faces are ubiquitous, sometimes existential, and getting more sophisticated every day, which means they need a platform that can provide a robust security function that works seamlessly for its six expert teams spread across two security operation centres.

Using Microsoft Azure Sentinel, ASOS created a bird’s-eye-view of everything it needs to spot threats early, allowing it to proactively safeguard its business and customers. As a result, it has cut issue resolution times in half.

Alert fatigue is an obvious result of the exponential increase in data and an organisation’s attempt to protect themselves from cyber breaches by seeking out ways to identify the risks they are facing. But the ability to protect an organisation – and the team’s happiness – rests on reducing it as much as possible. Without thorough cybersecurity strategies to reduce alert fatigue, businesses risk leaving themselves open to missing real threats, with staff too overwhelmed to spot them.

Written by Paul Kelly, Director, Security Business Group, Microsoft UK