If you’re responsible for keeping your company’s data safe, you know that cloud security is a never-ending job. There are always new threats to consider and new tools to learn.
But what you may not realize is that all this cloud security can actually lead to burnout. With so many different tools and alerts to keep track of, it’s easy to feel overwhelmed. This can lead to making mistakes or ignoring important warnings.
Is Cloud Security Alert Fatigue a Real Thing?
Yes, cloud security alert fatigue is a real phenomenon. And it’s not just an individual problem – it can have serious consequences for businesses as well. There are two main factors that contribute to alert fatigue: too many alerts and false positives.
The first is simply having too many alerts to deal with. If you’re using multiple security tools, you might be getting hundreds of alerts every day. It’s impossible to give each one the attention it deserves, so some will inevitably be ignored. The second factor is false positives – when an alert is triggered but there’s no actual threat. This can happen for a variety of reasons, such as incorrect settings or false data. Again, it’s easy to ignore these alerts or become desensitized to them over time.
“A global survey of over 800 IT professionals reveals that almost 60% of respondents are receiving over 500 cloud security alerts per day, and that the alert fatigue created by this volume of work is causing 55% of these organizations to miss critical alerts on either a daily or weekly basis. 62% of respondents also say that alert fatigue is contributing to turnover, and 60% say it is causing internal friction in the company.” – 2020 research report and survey by Orca Security.
The problem is not just the volume of cloud security alerts, but also the fact that they are not prioritized. Staff are not only confronted with this massive influx on the job every day, but they are also asked to spend enormous amounts of extra time sorting them for remediation. Over half of businesses report that security personnel spend at least 20% of their time each day triaging alerts.
Cloud security alert fatigue has always been around. Any time you set up some kind of alerting service, it’s going to alert you about every little thing. You really have to narrow down what’s actually an issue versus what is just an everyday occurrence. This is true of every alert system and log management system, yet it’s overlooked every time our clients go to implement them.
“I think we’re hearing more about cloud security alert fatigue just because more and more companies find themselves obligated to adopt monitoring and alerting solutions. As a result, dynamics associated with cloud computing and the challenges of maintaining security are just going to become more ubiquitous.” – Ian Terry, CSM, SSCP, HCISPP, CISSP and director of cybersecurity services for AWA International.
Plus, automated security and monitoring solutions are easier to implement in the cloud. For example, AWS has its own built-in solutions, so you are going to get alerts from every facet of its infrastructure even before you set up your own operating system and services.
What Types of Companies Are Most at Risk for Security Alert Fatigue?
This is not a new concept in the IT security field, but it has moved to the forefront in cloud security as a result of the pandemic-induced mass shift to remote work and the related migration to cloud services. Burnout is becoming a major problem among IT professionals in the United States, England, France, Germany, and Australia, spanning a wide range of industries from health care to finance. Alert fatigue is also common, regardless of which cloud service is used, with all of the big names—including AWS, Azure, Google, and Oracle.
“This type of fatigue is more likely to occur as an environment gets more complicated. For international enterprises that have cloud instances across different availability zones and maybe even across different cloud service providers, it’s just a given. They are going to have a multitude of different alerting channels and disparate security systems to manage. The issue grows with the size and complexity of the company,” explains Ian.
Related article: How to Improve Your Cloud Security Posture.
What Are the Consequences of Alert Fatigue?
Alert fatigue can have serious consequences for businesses, both in terms of security and productivity. Whatever the cause, the results are the same:
- The overwhelming amount of cloud security alerts can cause IT staff to devalue and feel desensitized to all alerts, even the true positives and real threats.
- Ignoring alerts can obviously lead to missing important threats. This can have disastrous consequences, especially if sensitive data is involved.
- Organizing, prioritizing and constantly dealing with false positives can be huge time wasters.
- Alert fatigue can lead to burnout among employees. If security team members are constantly overwhelmed and stressed, they’re not going to be as effective at their jobs.
- Over time, fatigue decreases morale on the job and increases the risk of losing valuable talent and costly turnover.
How can organizations address alert fatigue?
If your team is starting to feel the strain of cloud security fatigue, there are some steps you can take to ease the burden. With a little bit of effort, you can make cloud security less overwhelming – and reduce the risk of burnout in the process.
Limit the Number of Active Security Tools Used
First, try to streamline your security tools so you’re not constantly jumping between different applications. This is important because the more tools security teams deploy, the more alerts they will receive.
You should also make a habit of regularly reviewing the security tools and vendors that your organization works with. Auditing cloud security tools, demanding higher accuracy, and eliminating those which are underperforming can help consolidate when needed. Plus, as cloud technology develops, we are starting to see more consolidated solutions and unified platforms come available for this purpose.
“Recently, the security products offered are moving towards integrated solutions to help avoid the problems of unnecessary redundancy and fatigue. Rather than offering just antivirus or just login alert monitoring, for example, extended detection and response (XDR) and managed detection and response (MDR) package all the systems that your company is already using into a unified suite. This way all the components are under one vendor, they are all reporting to one management platform, and they can be configured across the board,” says Ian.
It’s really important to reduce redundant alerting channels so that you are not getting four separate alerts for a single issue. Or, at least, your team needs to develop a way to filter out the redundancies so that whatever rises to the top on your SIEM or the platform that you are monitoring is just one.
Be Smart about Setting Alerts
“If you have a managed detection and response solution and a SIEM on-site, for example, your IT team will be getting redundant alerts for things that are triggered across entities. I think that will happen whenever you have overlapping solutions,” according to Ian.
Second, set up alerts so you only receive notifications for actual threats. Part of this strategy may include focusing on targets rather than entry points, or on attack paths rather than siloed alerts. Attack chains posing the greatest immediate threat can then be defined and prioritized.
Cut Out False Positives
Finally, make sure you have a plan in place for dealing with false positives. Some false positives can be cut out of the equation simply by decreasing the number of security tools deployed. This is because multiple tools reporting the same issues can cause false positives and duplicate work for security teams.
Relying on a third party and trusting a managed security solution can be a big help in filtering out the false positives and then escalating the issues that do need to be addressed. Managed service providers specializing in this field probably also have better filters to differentiate the issues that need attention from the non-issues.
“If you are monitoring a single system and the CPU reached 100% then crashed, that would probably send out five separate alerts, for 0 network activity and failed applications, etc., but the only alert that really matters is that the CPU is no longer functional,” says Ian.
Instead of attempting to resolve all alerts in the attack chain, begin by targeting the first domino in order to address the most immediate threat. This really is the most logical approach.
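The two ideas in this section, collapsing the same issue reported by overlapping tools into one alert and surfacing only the first domino of a cascade, can be expressed as a small triage step. The following is an added illustration, not code from AWA or any vendor; the alert format, the source names and the cascade model (CPU exhaustion explaining the zero-network and application-failure alerts that follow it) are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not from any real tool): an MDR product and an
# on-site SIEM both report the same CPU exhaustion on web-01, and the crash
# that follows sets off several symptom alerts within a minute. db-02's
# zero_network alert has no root cause nearby and must survive triage.
SAMPLE_ALERTS = [
    {"source": "mdr",  "host": "web-01", "signal": "cpu_exhaustion", "ts": "2024-01-01T10:00:00"},
    {"source": "siem", "host": "web-01", "signal": "cpu_exhaustion", "ts": "2024-01-01T10:00:05"},
    {"source": "siem", "host": "web-01", "signal": "zero_network",   "ts": "2024-01-01T10:00:30"},
    {"source": "mdr",  "host": "web-01", "signal": "app_failure",    "ts": "2024-01-01T10:00:40"},
    {"source": "siem", "host": "web-01", "signal": "app_failure",    "ts": "2024-01-01T10:00:42"},
    {"source": "siem", "host": "db-02",  "signal": "zero_network",   "ts": "2024-01-01T10:20:00"},
]

# Assumed cascade model: symptom signals that are expected consequences of a
# root-cause signal when they follow it closely on the same host.
CASCADE = {"cpu_exhaustion": {"zero_network", "app_failure"}}
WINDOW = timedelta(minutes=5)

def _ts(alert):
    return datetime.fromisoformat(alert["ts"])

def dedupe(alerts, window=WINDOW):
    """Collapse alerts for the same host+signal from any source inside `window`
    into the earliest one, recording every source that reported it."""
    merged = []
    for a in sorted(alerts, key=_ts):
        match = next((m for m in merged if m["host"] == a["host"]
                      and m["signal"] == a["signal"] and _ts(a) - _ts(m) <= window), None)
        if match is not None:
            match["sources"].add(a["source"])
        else:
            merged.append({**a, "sources": {a["source"]}})
    return merged

def suppress_cascade(alerts, cascade=CASCADE, window=WINDOW):
    """Drop symptom alerts explained by a known root cause on the same host
    inside `window`, so only the first domino is surfaced."""
    roots = [a for a in alerts if a["signal"] in cascade]
    return [a for a in alerts
            if not any(r["host"] == a["host"] and a["signal"] in cascade[r["signal"]]
                       and timedelta(0) <= _ts(a) - _ts(r) <= window for r in roots)]

def triage(alerts):
    """Deduplicate across tools, then collapse cascades to their root cause."""
    return suppress_cascade(dedupe(alerts))

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(a["host"], a["signal"], sorted(a["sources"]))
```

On the sample set the six raw alerts reduce to two: the web-01 CPU exhaustion (reported by both mdr and siem) and the unexplained db-02 network alert.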
Consider Managed Security Services
Whether it’s in the cloud or in your on-site data center, security alerts are your team’s only way to identify and mitigate issues on a daily basis. For that reason, alerts can’t be ignored or overlooked. If your organization doesn’t have the time or manpower needed to really monitor and stay on top of cloud security alerts, then managed cloud security is the best option.
How Can AWA Help Manage Your Cloud Security?
During penetration testing exercises, we are going to be triggering a lot of alerts. And some of the more critical alerts the company has probably never had triggered before (thankfully). We can give our clients the ability to see the alerts that are critical and which indicate an active attack so that their team can understand which alerts need to be escalated in real-life situations.
A lot of companies implement alerting solutions in response to compliance obligations, whether regulatory, framework, or contractual. For clients that have a lot of compliance requirements – for example ISO, PCI, and SOC – all of those have different logging and alerting requirements. AWA can help interpret the particular compliance standards as they relate to cloud alerts and your infrastructure so that they are effective without being redundant. We are also able to help these clients consolidate and configure alerts in a way that meets those different framework requirements.