Intrusion Detection Systems (IDS) can be powerful threat detection tools, but IDS users frequently complain about alert fatigue. Unfortunately, IDS are also known for producing false positives, which make it difficult to find the real threats amongst all the noise.
According to a recent International Data Corporation (IDC) report, large organizations ignore around 30% of alerts because they cannot keep up with the constantly increasing volume. In addition to malware alerts, an IDS will also produce hundreds of thousands of other alert events – some of them purely informational – from an organization’s network traffic.
Alert volume is one of the biggest contributors to decreased productivity and increased turnover in security operations centers (SOCs) today. The sheer number of alerts security teams have to manage every week leads to alert fatigue, a condition that can expose organizations to serious risk.
What is Alert Fatigue?
Alert fatigue occurs when security teams become desensitized to an overwhelming amount of alerts, causing them to miss or overlook critical alerts and have slower response times. This can lead to disastrous consequences, as was the case in the 2013 Target Data Breach.
In that scenario, attackers infiltrated Target's network and installed malware in an attempt to steal customers’ credit card data. The malware was initially picked up by Target’s threat detection tool and the relevant alerts were sent to the Bangalore Security Operations Center (SOC). From there, the alerts were escalated to Target’s main SOC in the United States. These alerts were overlooked, though, because Target’s SOC had recently been dealing with a large number of false positives. The team was experiencing alert fatigue from the sheer number of false positive alerts, causing them to miss the critical attack signals that would otherwise have notified them of the malware attack.
So, why are we still writing about a breach that took place 10 years ago?
Well, unfortunately this story remains a common one, and burnout from ever-increasing alert volume is still a leading factor in many data breaches. Most intrusion detection systems do an adequate job of identifying actual threats, but they also detect a large number of non-threats, so identifying actionable security events becomes akin to finding a needle in a haystack.
What Factors Lead to Alert Fatigue?
There are a number of causes that contribute to alert fatigue, and the sheer volume of alerts produced by threat detection systems like an IDS is not the only one. In a perfect world, every organization would employ large teams dedicated to investigating every single alert, or would install automated systems that are 100% accurate. Unfortunately, neither is realistic. SOC teams are overloaded with responsibilities and are often required to perform multiple roles. This and other constraints contribute to alert fatigue. Here are a few factors that lead to it:
- Complex IT environments: Most organizations use multiple tools, techniques, and systems to detect, investigate, and respond to threats. Managing multiple applications at once is no easy task, and it is easy to miss alerts signaling serious threats when the SOC is inundated by large volumes of data from multiple sources.
- Redundancy: The common practice of deploying multiple detection systems can cause duplicate alerts, increasing the amount of noise an analyst has to sift through to find actionable intelligence.
- Inefficient Processes: Alerts are often visible to every member of the security team, which can lead to a “bystander effect,” in which each team member assumes someone else is dealing with the alert. An efficient and organized process is necessary for investigation and response; without a process that designates who is responsible for responding to each alert, alerts can go unnoticed.
- False Positives: The research conducted by IDC found that an average of 32 minutes is spent investigating each individual false positive alert. With a mountain of false positives, security teams spend considerable time searching through alerts to find actual threats – time that could be better spent elsewhere.
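The Redundancy factor above is one that can be measured and reduced mechanically: when two sensors watch the same traffic, most alerts arrive twice, and collapsing those copies before an analyst sees them removes noise without losing coverage. The following Python is an added example, not code from the article or from any vendor: it assumes each sensor writes Suricata-style EVE JSON alert records that carry a hypothetical "sensor" field added by the collector, and the sensor names, IP addresses and signature ids are constructed placeholders.

```python
"""Collapse duplicate alerts that redundant sensors raise for the same event.

Added example, not code from the original article. It assumes each sensor
writes Suricata-style EVE JSON alert records that carry a "sensor" field
(a hypothetical field added by the collector); the records, sensor names,
IP addresses and signature ids below are constructed placeholders.
"""
import json
from datetime import datetime, timedelta


def _alert(ts, sensor, src, dst, sid, name):
    """Build one constructed EVE-style alert line."""
    return json.dumps({
        "timestamp": ts, "sensor": sensor, "event_type": "alert",
        "src_ip": src, "dest_ip": dst, "dest_port": 443,
        "alert": {"signature_id": sid, "signature": name},
    })


# Two sensors (ids-edge-a, ids-edge-b) see the same traffic, so most events
# arrive twice; the last line is a genuine repeat five minutes later.
SAMPLE_ALERT_LINES = [
    _alert("2023-05-01T10:00:00.000000+0000", "ids-edge-a", "10.0.0.5", "192.0.2.10", 2000001, "PLACEHOLDER POLICY beacon"),
    _alert("2023-05-01T10:00:00.200000+0000", "ids-edge-b", "10.0.0.5", "192.0.2.10", 2000001, "PLACEHOLDER POLICY beacon"),
    _alert("2023-05-01T10:00:01.000000+0000", "ids-edge-a", "10.0.0.7", "192.0.2.10", 2000002, "PLACEHOLDER SCAN probe"),
    _alert("2023-05-01T10:00:01.300000+0000", "ids-edge-b", "10.0.0.7", "192.0.2.10", 2000002, "PLACEHOLDER SCAN probe"),
    _alert("2023-05-01T10:05:00.000000+0000", "ids-edge-a", "10.0.0.5", "192.0.2.10", 2000001, "PLACEHOLDER POLICY beacon"),
]


def parse_timestamp(value):
    """Parse Suricata's EVE timestamp format (microseconds, +HHMM offset)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def dedupe_alerts(lines, window_seconds=60):
    """Return one entry per (signature, src, dst, port) seen within a window.

    Each entry keeps the first record, how many copies arrived and which
    sensors reported it, so the analyst still sees full coverage without
    reading every copy. Lines are assumed to be in roughly time order.
    """
    window = timedelta(seconds=window_seconds)
    unique = []   # ordered list of collapsed entries
    latest = {}   # dedup key -> index of its current entry in `unique`
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        ts = parse_timestamp(rec["timestamp"])
        key = (rec["alert"]["signature_id"], rec["src_ip"], rec["dest_ip"], rec.get("dest_port"))
        idx = latest.get(key)
        if idx is not None and abs(ts - unique[idx]["first_seen"]) <= window:
            # Same event reported again (typically by the second sensor): fold it in.
            entry = unique[idx]
            entry["count"] += 1
            entry["sensors"].add(rec.get("sensor", "unknown"))
            entry["last_seen"] = max(entry["last_seen"], ts)
            continue
        # Outside the window (or never seen): this is a new event worth showing.
        unique.append({"first_seen": ts, "last_seen": ts, "count": 1,
                       "sensors": {rec.get("sensor", "unknown")}, "record": rec})
        latest[key] = len(unique) - 1
    return unique


def reduction_summary(lines, window_seconds=60):
    """Report how many raw alerts collapse into how many unique events."""
    unique = dedupe_alerts(lines, window_seconds)
    raw = sum(1 for line in lines if json.loads(line).get("event_type") == "alert")
    return {"raw_alerts": raw, "unique_events": len(unique), "suppressed": raw - len(unique)}


if __name__ == "__main__":
    for entry in dedupe_alerts(SAMPLE_ALERT_LINES):
        sig = entry["record"]["alert"]["signature"]
        print(f"{entry['first_seen']:%H:%M:%S} {sig}: {entry['count']} copies from {sorted(entry['sensors'])}")
    print(reduction_summary(SAMPLE_ALERT_LINES))
```

The dedup key deliberately excludes the sensor name, so a second sensor reporting the same flow counts as a copy rather than a new event, while a repeat of the same signature outside the window stays visible as its own entry: the repeat at 10:05 is exactly the kind of persistence an analyst should not have suppressed.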
What is the Impact of Alert Fatigue?
Alert fatigue impacts productivity and efficacy. While security teams prefer to have as much information on potential threats as possible, they often waste time trying to find the truly valuable information. Some of the more common impacts of alert fatigue are:
- Desensitization to the importance of alerts
- Missed critical events
- Minimized data availability and loss of data integrity
- Increased costs due to wasted time investigating false positive alerts
How to Minimize Alert Fatigue
In 2022 a team of researchers from Oxford University led by Dr. Bushra AlAhmadi published a study titled “99% False Positives: A Qualitative Study of SOC Analysts’ Perspectives on Security Alarms”. In this study they surveyed SOC analysts to get an understanding of their perception of false alarms, alert fatigue, and the processes used to manage them. What these researchers found was that the majority of alerts being analyzed by the SOC are false alarms, and these practitioners had to spend extra time on manual validation. The proposed solution was to improve the criteria for what constitutes an effective security alarm. This is done by assessing the five qualities of the REACT model:
- Reliable - Systems should be capable of routinely detecting niche behavioral models to reduce errors in variance associated with generalization.
- Explainable - Effective detection systems should contain some amount of automation, but that automation should also offer human-comprehensible insights on their outputs so security personnel can evaluate those predictions.
- Analytical - We are still far away from a security solution that is fully automated and completely accurate, but modern systems must include features that enrich the analysts’ ability to validate data, discover correlations, and draw conclusions.
- Contextual - Organization-specific context should be available with every alert, allowing both the system and the analyst the ability to validate alerts based on previous context, experience, and knowledge.
- Transferable - Systems should be built in such a way that they are flexible enough to function effectively on any network with any combination of other tools with minor changes to infrastructure.
AlAhmadi’s team learned that the majority of their respondents were using legacy alarm systems like IDS and SIEM, so they posed the REACT model as a way to evaluate the efficacy of those types of tools. They found that most legacy tools, like IDS, did not fit the REACT criteria which led to the prevalence of false positives and alert fatigue in the surveyed SOCs. They suggest using a detection method that supports the REACT model to improve the quality of alarms, reduce false positives and alert fatigue, and improve analysts’ trust in their tools.
Mitigating Alert Fatigue with Stamus Security Platform
Stamus Security Platform (SSP) is a broad-spectrum, open, network-based threat detection and response (NDR) system. SSP can be deployed on-premises or in cloud environments and uses deep packet inspection to extract and build security insights directly from network traffic. Built on top of Suricata – the powerful open-source network security engine – SSP combines signature-based IDS, network security monitoring (NSM) capabilities, and other advanced threat detection methods.
In order to combat alert fatigue and provide accelerated incident response, SSP adds automated event triage with extensive data enrichment and a unique capability called Declarations of Compromise™.
When assessed against the REACT model, Stamus Security Platform provides an effective solution that consistently exposes threats on critical assets without wasting time searching through a tidal wave of false positive alerts.
A key element of SSP’s ability to combat alert fatigue is the Declaration of Compromise™ (DoC). A DoC event is the highest confidence assertion SSP provides, highlighting a specific threat and the asset it is impacting. SSP then builds a detailed timeline of activity and collects the supporting evidence and context associated with the attack on the impacted asset. These events are automatically escalated, and the analyst is notified via webhook in a variety of applications - SOAR, SIEM, Discord, web chat, etc.
This dramatically reduces the number of security events that need to be investigated, essentially eradicating alert fatigue. Organizations that deploy SSP are able to redeploy their staff to focus on more proactive security measures and dramatically improve incident response times.
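The asset-centric escalation described above (a high-confidence assertion tied to a specific impacted asset, with a timeline and supporting context, pushed out via webhook) can be illustrated in miniature. The Python below is an added example and is not Stamus code; it does not reproduce how SSP decides on a Declaration of Compromise. It assumes Suricata-style EVE JSON alert records, a constructed asset inventory standing in for organization-specific context, and a deliberately simple placeholder escalation rule; IP addresses, signature ids and asset names are constructed.

```python
"""Per-asset triage: enrich Suricata-style alerts with asset context, build a
timeline per impacted asset, and escalate only the highest-confidence cases
as a webhook-ready payload.

Added example, not Stamus code. The escalation rule is a placeholder chosen
for illustration; inventory, signature ids and addresses are constructed.
"""
import json
from collections import defaultdict

# Constructed asset inventory: the organization-specific context that should
# travel with every alert so the analyst can judge it without a second lookup.
ASSET_INVENTORY = {
    "192.0.2.10": {"name": "pos-db-01", "criticality": "high", "owner": "payments"},
    "192.0.2.44": {"name": "dev-vm-07", "criticality": "low", "owner": "engineering"},
}


def _alert(ts, src, dst, sid, name, severity):
    """Build one constructed EVE-style alert line (Suricata severity: 1 is highest)."""
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": dst,
                       "alert": {"signature_id": sid, "signature": name, "severity": severity}})


SAMPLE_EVE_LINES = [
    _alert("2023-05-01T10:00:00.000000+0000", "10.0.0.5", "192.0.2.10", 2010001, "PLACEHOLDER MALWARE C2 checkin", 1),
    _alert("2023-05-01T10:00:04.000000+0000", "10.0.0.5", "192.0.2.10", 2010002, "PLACEHOLDER POLICY unusual transfer", 2),
    _alert("2023-05-01T10:00:09.000000+0000", "192.0.2.44", "198.51.100.9", 2010001, "PLACEHOLDER MALWARE C2 checkin", 1),
    _alert("2023-05-01T10:00:12.000000+0000", "10.0.0.6", "192.0.2.44", 2010003, "PLACEHOLDER INFO http user-agent", 3),
    _alert("2023-05-01T10:01:00.000000+0000", "10.0.0.5", "192.0.2.10", 2010001, "PLACEHOLDER MALWARE C2 checkin", 1),
]


def impacted_assets(rec):
    """Return the inventoried hosts on either side of the alerted flow.

    Hosts missing from the inventory are ignored in this simplified example.
    """
    return [ip for ip in (rec["src_ip"], rec["dest_ip"]) if ip in ASSET_INVENTORY]


def should_escalate(ctx, entry):
    """Placeholder rule: high-criticality asset, at least one severity-1
    alert, and more than one distinct signature against it."""
    return (ctx["criticality"] == "high"
            and entry["max_severity"] == 1
            and len(entry["signatures"]) >= 2)


def triage(lines):
    """Group alerts by impacted asset, attach context, and decide on escalation."""
    per_asset = defaultdict(lambda: {"timeline": [], "signatures": set(), "max_severity": 99})
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        for ip in impacted_assets(rec):
            entry = per_asset[ip]
            entry["timeline"].append((rec["timestamp"], rec["alert"]["signature"]))
            entry["signatures"].add(rec["alert"]["signature_id"])
            # Lower number means higher Suricata severity, so keep the minimum.
            entry["max_severity"] = min(entry["max_severity"], rec["alert"]["severity"])
    summary = {}
    for ip, entry in per_asset.items():
        entry["timeline"].sort()
        entry["asset"] = ASSET_INVENTORY[ip]
        entry["escalate"] = should_escalate(entry["asset"], entry)
        summary[ip] = entry
    return summary


def build_escalations(summary):
    """Turn escalated assets into webhook-ready payloads (one per asset)."""
    payloads = []
    for ip, entry in summary.items():
        if not entry["escalate"]:
            continue
        payloads.append({
            "kind": "escalation",
            "asset": {"ip": ip, **entry["asset"]},
            "distinct_signatures": sorted(entry["signatures"]),
            "timeline": [{"timestamp": t, "signature": s} for t, s in entry["timeline"]],
        })
    return payloads


def post_webhook(url, payload):
    """POST one payload as JSON to a webhook receiver (SOAR, chat, etc.).

    Not called at import time so the module runs offline.
    """
    import urllib.request
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    for payload in build_escalations(triage(SAMPLE_EVE_LINES)):
        print(json.dumps(payload, indent=2))
```

Of the five constructed alerts, only the payments database ends up as an escalation: the dev VM trips the same high-severity signature, but its low criticality keeps it in the ordinary queue. That is the point of anchoring on the asset rather than the signature: the analyst gets one item carrying the full timeline, the distinct signatures and the owner, instead of five alerts to reconcile by hand.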
Eradicate Alert Fatigue Once and For All
Alert fatigue can weaken your organization’s defenses and take a toll on your staff, but it doesn’t have to. The Stamus Security Platform can minimize the impact of alert fatigue and enable your security team to focus on more important issues.