How Cloud Security Alert Fatigue Affects Your Team: The New Stack


Elias Terman

Elias has worked in the cloud security industry for over a decade and currently serves as Senior Vice President of Orca Security, the cloud-native application protection platform with instant security and compliance for AWS, Azure, and GCP.

Cloud security has reached a new level of complexity. As code is deployed to the cloud at breakneck speed, bugs and security holes abound. Large-scale breaches resulting from human error have become common.

Security professionals are under increased pressure to protect their multicloud environments.

In this complex and fast-paced environment, defenders cannot afford to spend time investigating hundreds or thousands of unprioritized, duplicate, or inaccurate alerts. Security teams are overwhelmed as they spend hours every day reviewing alerts to determine which issues need to be fixed first.

This results in the loss of important alerts, low morale, and turnover, all of which are symptoms of alert fatigue.

What is alert fatigue?

Security teams waste valuable time manually correlating high-volume, low-risk alert data from multiple security tools. These alerts lack context and actionable details, forcing security professionals to do all the heavy lifting. And with a flood of false positives, teams become desensitized to alerts and miss the ones that matter most. The result? Alert fatigue.

New research shows that alert fatigue often occurs when different security tools generate distributed alerts across multiple clouds.

Orca Security 2020 Cloud Security Alert Fatigue Report

Orca Security recently commissioned a survey of 813 IT security professionals to understand the prevalence and effects of alert fatigue. The results were shocking. Fifty-nine percent of respondents reported receiving more than 500 security alerts every day from their public cloud security tools.

As more organizations move to multi-cloud environments, security teams are adopting different types of disconnected tools that contribute to the daily volume of alerts.

As shown in the chart below, companies are adopting a multi-cloud strategy. The vast majority (81%) of respondents reported using more than one public cloud platform; 55% of respondents reported using three or more.

Siloed cloud security tools are exacerbating the problem

Additionally, the vast majority of respondents use three or more public cloud security tools (87%), with 57% using five or more. As shown in the graph below, there appears to be a correlation between the number of tools and alert fatigue.

The most commonly used tool types are network scanning tools (84%), closely followed by cloud platform-native security tools (82%).

A notable trend emerged: respondents with multi-cloud environments and multiple tools deployed reported the highest volume of daily alerts.

Data shows that the more tools security teams implement, the more alerts they receive. The rate of false positives also seems to increase as more tools are implemented. This adds more alerts to the daily stream, some of which are multiple tools reporting the same issues, creating duplicate work for security teams.

Critical cloud security alerts are reported to be missed every day

Alert fatigue has now become a critical risk for IT and security leaders to manage. In fact, 55% of respondents said their team had missed critical alerts in the past due to ineffective alert prioritization. Of these respondents, 22% said they missed critical alerts daily, 41% weekly, and 26% monthly.

Looking at cloud security tools through rose-colored glasses?

According to the survey, respondents’ perception of how well their security tools perform may be part of the problem. While the vast majority of IT security decision makers said they believe their cloud security tools are performing well, they still report alert fatigue as a significant issue and have experienced security issues as a result. 95% of respondents trust the accuracy of their security tools, yet 43% say that more than 40% of their alerts are false positives and/or low priority. It is clear that there are some rose-colored glasses when it comes to the performance of cloud security tools.

Lost time, low morale and increased turnover

The number of security alerts pouring in from public cloud environments wastes valuable time and hurts morale. 56% of respondents say they spend more than 20% of their day prioritizing alerts for investigation.

Sixty-two percent reported alert fatigue as a contributing factor to turnover, something organizations cannot afford in an environment with zero unemployment for IT security professionals.

Key Recommendations to Solve Cloud Security Alert Fatigue

The new report provides five ways IT security leaders can address alert fatigue while improving security outcomes.

  1. Tool consolidation: Instead of adding more siloed tools, consolidate tools across fewer platforms to avoid duplicate alerts and improve risk prioritization by using centralized contextual information to uncover dangerous combinations of risks. In the past two years, different tools such as Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), and Cloud Infrastructure Entitlement Management (CIEM) have been unified into a new category called Cloud Native Application Protection Platform (CNAPP).
  2. Demand more from your security tools: Ask security vendors how they prioritize risk. Make sure they combine many factors, including severity, ease of exploitation, accessibility, and potential business impact.
  3. Protect the target instead of the point of entry: Make sure you know where your most critical assets are, and find out if your security provider automatically prioritizes risks based on the potential exposure of these assets.
  4. Focus on attack paths: Security teams need to move from investigating isolated alerts to investigating and prioritizing attack chains to gain faster insight into which issues need to be fixed first.
  5. Strategic Remediation: Instead of trying to fix every alert in the attack chain, start by fixing the one that breaks the chain to stop the most immediate danger.
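The following is an added example, not code from the article or from Orca Security, that puts the five recommendations (and the earlier point about several tools reporting the same issue) into a small triage pipeline: it deduplicates findings that arrive from multiple tools, scores each one by combining severity, ease of exploitation, exposure and business impact, enumerates attack chains over a reachability graph, and then picks the single fix that breaks the most chains. Every tool name, asset name, issue key, reachability edge and scoring weight is constructed for illustration and is not drawn from the report.

```python
"""Alert triage: deduplicate, score, build attack chains, pick the chain-breaking fix.

Added example (not the article's or any vendor's code). All alerts, assets,
reachability edges and weights below are constructed for illustration.
"""
import itertools
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str          # hypothetical asset identifier
    issue: str          # normalized issue key shared across tools
    severity: float     # 0-10, CVSS-like base severity
    exploitable: float  # 0-1, ease of exploitation
    exposure: float     # 0-1, 1.0 means reachable from the internet
    impact: float       # 0-1, business criticality of the asset


@dataclass(frozen=True)
class RawAlert(Finding):
    tool: str = ""      # which tool reported it


# Constructed sample alerts: three tools, two of the issues reported twice.
RAW_ALERTS = [
    RawAlert("web-1", "open-ssh-weak-cipher", 5.0, 0.4, 1.0, 0.3, "scanner-a"),
    RawAlert("web-1", "open-ssh-weak-cipher", 5.3, 0.4, 1.0, 0.3, "scanner-b"),
    RawAlert("web-1", "outdated-web-framework", 8.0, 0.9, 1.0, 0.3, "scanner-a"),
    RawAlert("web-1", "outdated-web-framework", 8.0, 0.9, 1.0, 0.3, "cspm"),
    RawAlert("role-web", "overly-permissive-iam-role", 7.0, 0.8, 0.0, 0.6, "cspm"),
    RawAlert("db-1", "public-snapshot", 9.0, 0.7, 0.0, 1.0, "cspm"),
    RawAlert("db-1", "unencrypted-volume", 4.0, 0.2, 0.0, 1.0, "scanner-b"),
    RawAlert("bucket-logs", "no-versioning", 2.0, 0.1, 0.0, 0.1, "cspm"),
]

# Constructed reachability: which asset an attacker could pivot to from which.
REACH = {"web-1": ["role-web"], "role-web": ["db-1", "bucket-logs"], "db-1": [], "bucket-logs": []}

# Hypothetical weights for the combined risk score (sum to 1.0).
WEIGHTS = {"severity": 0.4, "exploitable": 0.2, "exposure": 0.2, "impact": 0.2}


def deduplicate(alerts):
    """Merge alerts on (asset, issue); keep the highest severity, remember reporting tools."""
    merged, tools = {}, defaultdict(set)
    for a in alerts:
        key = (a.asset, a.issue)
        tools[key].add(a.tool)
        if key not in merged or a.severity > merged[key].severity:
            merged[key] = Finding(a.asset, a.issue, a.severity, a.exploitable, a.exposure, a.impact)
    return merged, tools


def risk_score(f):
    """Combine severity, exploitability, exposure and impact into a 0-100 score."""
    s = (WEIGHTS["severity"] * f.severity / 10 + WEIGHTS["exploitable"] * f.exploitable
         + WEIGHTS["exposure"] * f.exposure + WEIGHTS["impact"] * f.impact)
    return round(100 * s, 1)


def attack_chains(findings, reach):
    """Enumerate finding-level chains from internet-exposed assets to high-impact assets.

    Each hop must carry at least one finding; a chain is one finding per hop, so an
    asset with two findings contributes two alternative chains through it.
    """
    by_asset = defaultdict(list)
    for f in findings.values():
        by_asset[f.asset].append(f)
    exposed = {a for a, fs in by_asset.items() if any(f.exposure >= 1.0 for f in fs)}
    targets = {a for a, fs in by_asset.items() if any(f.impact >= 0.8 for f in fs)}
    asset_paths = []

    def dfs(asset, trail):
        if asset in targets and len(trail) > 1:
            asset_paths.append(list(trail))
            return
        for nxt in reach.get(asset, []):
            if nxt in by_asset and nxt not in trail:
                dfs(nxt, trail + [nxt])

    for start in sorted(exposed):
        dfs(start, [start])
    chains = []
    for path in asset_paths:
        for combo in itertools.product(*[by_asset[a] for a in path]):
            chains.append(tuple((f.asset, f.issue) for f in combo))
    return chains


def chain_breaking_fix(findings, reach):
    """Return (chains_broken, risk_score, key) for the single fix that removes the most chains."""
    baseline = len(attack_chains(findings, reach))
    best = None
    for key, f in findings.items():
        remaining = {k: v for k, v in findings.items() if k != key}
        broken = baseline - len(attack_chains(remaining, reach))
        candidate = (broken, risk_score(f), key)   # ties fall back to the risk score
        if best is None or candidate > best:
            best = candidate
    return best


if __name__ == "__main__":
    merged, tools = deduplicate(RAW_ALERTS)
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(merged)} unique findings")
    for key, f in sorted(merged.items(), key=lambda kv: -risk_score(kv[1])):
        print(f"{risk_score(f):5.1f}  {key[0]:12s} {key[1]:28s} reported by {sorted(tools[key])}")
    print("attack chains:", len(attack_chains(merged, REACH)))
    print("chain-breaking fix:", chain_breaking_fix(merged, REACH))
```

On this constructed data the highest-scoring single finding is the outdated web framework, but the fix that breaks every enumerated chain is the over-permissive IAM role, because every path from the exposed web tier to the database passes through it; this is the difference between ranking isolated alerts and remediating by attack path that the recommendations describe.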

To compare yourself to your peers and gain valuable insights and best practices, download the Orca Security 2022 Cloud Security Alert Fatigue Report.

Featured Image via pixabay
