Security alerts are signals that are generated by security vendors or security analysts on certain things that are suspicious. A “False Positive” alert occurs when the security system mislabeled a non-malicious activity as an attack. Security alerts are overwhelming SOC centers today, most of which are false positives. In a recent report provided by Forrester, on average, internal security operations teams receive over 11,000 alerts per day and more than 50% are false positives. Analysts’ time is wasted on chasing false positives and manual operations. It causes “alert fatigue” that we all have experienced in SOC center.
Measure the Damage of Alert Fatigue
Many companies and organizations have experienced alert fatigue but how to measure the damage properly? Here are a few factors that we should take into consideration when measuring the damage caused by alert fatigue.
Ignore alerts that are true positives
If breached, the average cost of an incident is around 3.86 million dollars as a report from IBM. Not to mention Kaseya hackers demanded $70 million ransom and Colonial Pipeline paid $5 million ransom for the attacker.
Lost man-hours: your security analyst
You can easily calculate the wasted time on investigating false positives which could be spent on important tasks instead. The more time they spend on fixing false alerts, the less your organization benefit from their talent and experience.
Employee burn out
Eventually, the employee may wear out due to the number of alerts they need to address. When employees burn out, it could drive to more errors, more missed alerts, more employees burn out which becomes a dead end and could significantly impact the company culture.
Too many alerts and too little resources?
What Can We Do to Reduce Cyber Security Alert Fatigue
There are multiple aspects to reduce alert fatigue with contributions from different roles ranging from security analysts to SOC managers even CEOs. But as security analysts, we need a better tool to enable security analysts to get to “No” quickly while eliminating the risk of missing true positives.
Right and relevant context is critical
Alerts could come from simple rules or reports like
“if user failed login 5 times, send me an alert”, “if registry is modified, send me an alert”,
Well, these rules are generating interesting signals but they are likely false positives. Why? Because they can be legit user behaviors. For example, it is possible this user did forget the password and failed login in.
Security vendors may send you an alert about SQL injection attacks on one of your servers. It could be very serious. But the first thing you will need to know is whether you have SQL on that machine. So you will need a configuration management system or asset management in place.
All this extra information is required to identify false positives.
Identify patterns
Pattern, structured information from data, is the next level of context that is useful to spot false positives and true positives. It is usually not sufficient to distinguish true positives from false positives with a single alert. Most attacks can be detected with weak signals in the early MITRE ATT&CK phase. Similarly, false-positive alerts will possibly exhibit similar patterns as well. Patterns let you conclude a definitive decision faster.
Better visualizations
Context is great but be aware of too much information that may overload analysts as well. The way how information is selected is displayed is important. They need to be super easy for security analysts to use.
Reuse historical investigation resolutions
Each security investigation such as threat hunting takes time and very often we will notice something has already been investigated by the same person or a different person in the past but the knowledge was not kept very well. Such knowledge is an important understanding of your own environment and needs to be leveraged most to reduce repetitive investigation time.
Delegate to the right person
Delegate to the right person to fix this issue. But before sending it to them, make sure to aggregate the information with actionable steps so that those who are affected will be more motivated to fix it.
Ask for a refund if the vendor sent too many false positives
This is kidding:) Security analysts have a difficult job constantly triaging alerts, so it is important to switch it up from time to time and keep it entertaining! Measuring which tool provides you most false positives will be useful to help optimize your SOC center.
While we were working as security analysts in Microsoft, we have been chased by various kinds of security alerts from different places every day and constantly saw false positives after investigations. One observation we had is that user/computer/system/network does produce lots of wired things. For example, you will be surprised to see how common it is for antivirus software to inject code into other processes. It is impossible to tune alerts inaccurately because it needs continuous improvement. Typical atomic alerts are just too noisy to be actionable.
DTonomy’s AI Solution
DTonomy’s AI solution helps you get to answer “No” faster. How?
Identify patterns among atomic alerts
For each input alert, we extract important artifacts from alerts. Based on the artifacts, we construct a relationship graph between different artifacts globally. Our algorithm automatically consolidates artifacts that are more closely related to each other and present you as a pattern. These patterns could be multiple machines connected to 1 suspicious IP; lateral movements across machines; a kill chain that includes a list of security detections across different phases of MITRE ATT&CK framework. Instead of manually stitching alerts together for investigation, DTonomy’s algorithm-driven correlation reveals hidden insights among security detections automatically, constructs rich context continuously for investigation, saves your time on endless correlation rules creation/tuning.
Continuously learns out false positives
From unstructured comments to your active responses, we analyze all the metadata and identify normal patterns in your environment based on your response and learn them out automatically. This will be reflected on risk score decrease or explainable pattern that automatically filters future alerts to similar groups. Possible patterns could be “if an alert is related to folder A, it is likely to be false positive with 100% confidence”.
More automation
It is not surprising to see no-code and low code platform is helpful to enrich context such as gathering relevant assets information or threat intelligence easily.
Of course, human factors are the most important elements in resolving alert fatigue. It is important to address them with a better organizational process. At the same time, it is also important to use technology that can ensure peace of mind and promote confidence by dealing with serious alerts according to a process, alleviating psychological effects of alert fatigue such as burnout. With a better process armed with better technology, we will be sure to fix this problem.
