How Cloud Security Alert Fatigue Affects Your Team
Cloud security has reached a new level of complexity. As code is being deployed to the cloud at breakneck speed, bugs and security holes abound. Large-scale breaches resulting from human error have become commonplace.
Security professionals are under increased pressure to protect their multicloud environments.
In this complex and fast-paced environment, defenders can’t afford to waste time investigating hundreds to thousands of unprioritized, duplicative and/or inaccurate alerts. Security teams become overwhelmed as they spend hours each day reviewing alerts to determine which issues need to be fixed first.
This results in missing alerts that matter, low morale and turnover — all of which are symptoms of alert fatigue.
What Is Alert Fatigue?
Security teams waste valuable time manually correlating high-volume, low-risk alert data from multiple security tools. These alerts lack context and actionable details, forcing security professionals to do all the heavy lifting. And with a flood of false positives, teams become desensitized to alerts and miss the ones that matter most. The result? Alert fatigue.
New research shows that alert fatigue often occurs when different security tools generate alerts spread across multiple clouds.
The Orca Security 2020 Cloud Security Alert Fatigue Report
Recently, Orca Security commissioned a survey of 813 IT security professionals to understand the prevalence and effects of alert fatigue. The results were shocking. Fifty-nine percent of respondents reported receiving more than 500 security alerts every day from their public cloud security tools.
As more organizations move to multicloud environments, security teams are adopting different types of disconnected tools that contribute to daily alert volume.
As shown in the chart below, companies are adopting a multicloud strategy. The vast majority (81%) of respondents reported they use more than one public cloud platform; 55% of respondents reported using three or more.
Siloed Cloud Security Tools are Exacerbating the Problem
In addition, the vast majority of respondents use three or more public cloud security tools (87%), with 57% using five or more. As shown in the chart below, there appears to be a correlation between number of tools and alert fatigue.
The types of tools most used are network scanning tools (84%), followed closely by cloud platform-native security tools (82%).
A notable trend was revealed when respondents with multicloud environments and multiple tools deployed reported experiencing the highest volume of daily alerts.
The data show that the more tools security teams deploy, the more alerts they receive. The proportion of false positives also seems to increase as more tools are deployed. This adds more alerts to the daily stream, some of which are multiple tools reporting the same issues, creating duplicate work for security teams.
Critical Cloud Security Alerts Reportedly Get Missed Every Day
Alert fatigue has now become a critical risk for IT and security leaders to manage. In fact, 55% of respondents said their team has missed critical alerts in the past due to ineffective alert prioritization. Of these respondents, 22% said they missed critical alerts daily, 41% weekly and 26% monthly.
Looking at Cloud Security Tools with Rose-Colored Glasses?
According to the survey, the respondents’ awareness of security tool performance may be part of the problem. While the vast majority of the IT security decision-makers noted they believe their cloud security tools work fine, they still report alert fatigue as a significant problem and have experienced security issues as a result. Ninety-five percent of respondents feel confident in the accuracy of their security tools, yet 43% say more than 40% of their alerts are false positives and/or a low priority. It’s clear that there are some rose-colored glasses when it comes to cloud security tool performance.
Lost Time, Low Morale and Increased Turnover
The number of security alerts flowing out of public cloud environments wastes valuable time and hurts morale. Fifty-six percent of respondents say they spend more than 20% of their day prioritizing alerts for investigation.
Sixty-two percent reported alert fatigue as a contributing factor to turnover — something organizations can ill afford in an environment with a zero unemployment rate for IT security professionals.
Key Recommendations to Solve Cloud Security Alert Fatigue
The new report provides five ways that IT security leaders can address alert fatigue while improving security outcomes.
- Tool consolidation: Instead of adding more siloed tools, consolidate tools in fewer platforms to avoid duplicated alerts and improve risk prioritization using centralized contextual information to discover dangerous risk combinations. Over the past two years previously distinct tools such as cloud security posture management (CSPM), cloud workload protection platform (CWPP) and cloud infrastructure entitlements management (CIEM) have been unified into a new category called cloud native application protection platform (CNAPP).
- Demand more from your security tools: Ask security vendors how they prioritize risk. Ensure that they combine numerous factors such as severity, ease of exploitation, accessibility and potential business impact.
- Protect the target instead of the entry point: Make sure you know where your most critical assets are, and find out if your security vendor automatically prioritizes risks based on potential exposure of these assets.
- Focus on attack paths: Security teams need to shift from investigating siloed alerts to investigating and prioritizing attack chains to get quicker insight into which issues need to be fixed first.
- Strategic remediation: Instead of trying to fix all alerts in the attack chain, start by fixing the one that breaks the chain to stem the most immediate danger.
To benchmark yourself against your peers and gain valuable insights and best practices, download the Orca Security 2022 Cloud Security Alert Fatigue Report.