Alert fatigue in Cybersecurity and Operations
You have a dozen dashboards open in your browser: cloud security, endpoint security, app performance, website status, code scanners, SIEM, and a whole array of others. Alerts are popping up on all of them. You might not have any critical or high ones today, but the lake of mediums keeps growing and is eclipsed by the sea of lows. Your coffee is now cold, and you have only just finished looking at everything. A high alert pops up. Meh, you need another coffee; it can wait. Sound familiar?
It’s called alert fatigue.
Alert fatigue is a common problem in cybersecurity and operations, where the high volume of alerts and notifications can lead to desensitisation and missed threats. Here are some strategies for dealing with alert fatigue:
- Prioritise alerts: Not all alerts are created equal. Prioritise alerts based on their severity, impact, and likelihood of occurrence. This will help you focus your attention on the most critical threats. A lot of this requires your security team to be intimately familiar with your tech stack — not all threats have the same impact. It also requires your team to have clear visibility of your organisation’s risk appetite.
- Automate responses: Automate responses to low-level alerts to reduce the volume of alerts that require manual intervention. This will free up your time and attention for more critical threats. Of course, it takes time to set up the correct automation, and that time is taken away from actually dealing with alerts.
- Tune alerts: Tune alerts to reduce false positives and ensure that they are relevant to your organisation’s needs and risk appetite. This will help you avoid wasting time on irrelevant alerts. This takes both time and knowledge from your team.
- Rotate staff: Rotate staff to ensure that they have time to rest and recover from the demands of monitoring alerts. This will help prevent burnout and maintain high levels of vigilance. Burnout in cybersecurity is a clear and present danger that few address.
- Use threat intelligence: Use threat intelligence to inform your alerting strategy and ensure that you are focusing on the most relevant and critical threats. This will help you stay ahead of emerging threats and reduce the volume of alerts.
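The first three strategies (prioritise, automate, tune) can be shown together in a small triage pass over a constructed batch of alerts from several dashboards. This is an added example, not code from the original post; the severity weights, asset tiers, noisy-rule discounts and playbook names are all assumptions standing in for an organisation's own risk appetite.

```python
from dataclasses import dataclass
# Constructed lookup tables; in practice they encode the organisation's risk appetite.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ASSET_TIER = {"vpn-gw": 3, "billing-api": 3, "wks-17": 2, "www": 2, "lab-vm-3": 1}
NOISY_RULES = {"port-scan-internal": 0.2}               # tuning: discount known-noisy rules
AUTO_PLAYBOOKS = {"expired-cert-warning": "renew-cert"}  # automation: no analyst needed

@dataclass
class Alert:
    source: str        # which dashboard raised it
    rule: str
    severity: str
    asset: str
    confidence: float  # detector's historical true-positive rate, 0..1
    count: int = 1     # raw alerts merged into this one

def score(alert: Alert) -> float:
    # severity x asset criticality x tuned confidence
    conf = alert.confidence * NOISY_RULES.get(alert.rule, 1.0)
    return SEVERITY[alert.severity] * ASSET_TIER.get(alert.asset, 1) * conf

def triage(alerts, floor=2.0):
    """Return (analyst_queue, automated, suppressed); the queue is (score, alert) high to low."""
    merged = {}  # same rule on same asset is one alert, whichever dashboard raised it
    for a in alerts:
        key = (a.rule, a.asset)
        if key in merged:
            merged[key].count += 1
        else:
            merged[key] = Alert(**vars(a))  # copy so the input batch is untouched
    queue, automated, suppressed = [], [], []
    for a in merged.values():
        if a.rule in AUTO_PLAYBOOKS:
            automated.append((a, AUTO_PLAYBOOKS[a.rule]))
        elif score(a) < floor:
            suppressed.append(a)  # still kept for later tuning review
        else:
            queue.append((score(a), a))
    queue.sort(key=lambda pair: pair[0], reverse=True)
    return queue, automated, suppressed

# Constructed sample batch from several dashboards.
SAMPLE = [
    Alert("siem", "impossible-travel", "high", "vpn-gw", 0.8),
    Alert("endpoint", "malware-quarantined", "medium", "wks-17", 0.9),
    Alert("cloud", "port-scan-internal", "medium", "lab-vm-3", 0.9),
    Alert("siem", "port-scan-internal", "medium", "lab-vm-3", 0.9),
    Alert("website", "expired-cert-warning", "low", "www", 1.0),
    Alert("code-scanner", "vuln-dependency", "low", "billing-api", 0.7),
]
```

Note that the low-severity dependency finding on the billing API outranks nothing critical but still reaches the analyst queue because of the asset it sits on, while the duplicated lab port scan never does.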
All of these steps require two things: resources (both time and manpower) and knowledge. Without the former, there is no one and no time to do any of this, so burnout is sure to happen. Without the latter, your security teams will be making decisions whose impact they cannot assess. This will lead to false negatives and breaches.
Do you want to know how to set up a successful cybersecurity team? If so, please do reach out.