Security pros are being flooded with unprioritized alerts each day, leading to alert fatigue, says Orca Security.


Being notified about potential security issues among your cloud providers is an important way to stay abreast of potential problems. But what happens when those notifications get out of hand? A report released Tuesday by cloud security provider Orca Security details how a flood of security alerts can easily trigger alert fatigue.

For its “2022 Cloud Security Alert Fatigue Report,” Orca commissioned a survey of 813 IT decision makers in five countries across 10 industries. Most of the respondents worked for companies with 200-1,000 employees with security teams ranging from one to 50 members. To qualify for the survey, the participants had to have at least 25 cloud assets on one of the major cloud services. Some 84% more than fit the bill, as they had more than 100 cloud assets.


The majority of those surveyed use Amazon AWS, Azure and Google Cloud, with others using IBM Cloud and Oracle Cloud. Most have adopted a multi-cloud approach by relying on more than one provider. And more than half use three or more public cloud platforms.

With that type of multi-cloud strategy and an influx of security alerts from each provider, 59% of the respondents said their security teams are hit with more than 500 alerts each day. Beyond the sheer volume, a fair number of the alerts are inaccurate or unnecessary. Among those surveyed, many said that 40% of the alerts are either false positives or of low priority.

Fewer than 10% of the alerts received are truly critical and in need of immediate attention. But finding those critical alerts amid all the unimportant ones requires time and effort. More than half of the respondents said that they spend at least 20% of their day reviewing alerts and determining which ones to prioritize.

Trying to juggle all these security alerts can easily lead to alert fatigue. Some 62% of those surveyed said that alert fatigue has contributed to job turnover, while 60% said that it has triggered internal friction. And because of the deluge, critical alerts are often missed, according to more than half of the respondents. Among those, 41% revealed that critical alerts are missed on a weekly basis, while 22% said that they’re missed every day.

“Security or alert fatigue from the sheer volume of alerts is well understood,” said John Morgan, CEO at security provider Confluera. “What many overlook is the resource and time needed to build a cohesive story of an attack in progress from the alerts. Modern attacks are not based on a single act or alerts. They consist of many actions that span weeks and months. When analyzed in isolation, individual alerts may appear benign. It is up to the security team to make sense of these alerts and identify them as part of a bigger cyber attack. Coupled with an ever increasing number of alerts, security teams are under tremendous pressure.”

To help security and IT professionals better grapple with alert fatigue, Orca offers the following tips:

  • Tool consolidation. Rather than continually adding more individual security tools, consolidate your existing tools across fewer platforms. Doing so helps cut down on duplicate alerts and lets you better prioritize the important alerts and potential security threats.
  • Demand more from your security tools. Ask your security vendors how they prioritize risk. Make sure they consider different factors, including severity, ease of exploitation, accessibility and potential business impact.
  • Protect the target instead of the entry point. Know where your most critical and sensitive data and assets are located and see if your security vendor prioritizes risks based on potential exposure to this data.
  • Focus on attack paths. Move away from investigating siloed alerts and toward investigating attack paths to help you determine which security issues should be addressed first.
  • Strategic remediation. Don’t try to respond to all alerts in an attack chain. Instead, fix the one that breaks the chain to address the immediate danger.
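The first, second and last tips above describe a triage model rather than a product feature, so here is an added example of what that model looks like in code. It is not Orca's code or anything from the report: it consolidates the same finding reported by several tools into one record, scores each record on the factors the second tip names (severity, ease of exploitation, internet exposure, proximity to sensitive data), and picks the single cheapest link to fix along an attack path. The tool names, asset ids, findings, weights and remediation efforts are all constructed for illustration.

```python
"""Cloud alert triage sketch (added example, not from the Orca report).

Demonstrates three of the tips: consolidate duplicate alerts across tools,
prioritize by several risk factors instead of raw severity, and fix the one
link that breaks an attack chain rather than every alert on it.
All sample data below is constructed; tool names and weights are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    source: str            # tool that raised it (assumed tool names)
    asset: str             # cloud asset id (constructed)
    finding: str           # normalized finding type (constructed)
    severity: int          # 1-4 as reported by the tool
    exploitable: bool      # trivially exploitable misconfig or known exploit
    internet_exposed: bool  # reachable from the internet
    crown_jewel: bool      # asset holds or can reach sensitive data


# Weights are an assumption chosen for illustration, not values from the report.
WEIGHTS = {"exploitable": 3.0, "internet_exposed": 3.0, "crown_jewel": 4.0}


def consolidate(alerts):
    """Merge the same (asset, finding) reported by several tools into one
    record: the highest reported severity wins, every source is kept."""
    merged = {}
    for a in alerts:
        key = (a.asset, a.finding)
        rec = merged.get(key)
        if rec is None:
            merged[key] = {"alert": a, "sources": {a.source}}
        else:
            rec["sources"].add(a.source)
            if a.severity > rec["alert"].severity:
                rec["alert"] = a
    return merged


def risk_score(a):
    """Severity plus additive bonuses for the factors the tips call out."""
    score = float(a.severity)
    if a.exploitable:
        score += WEIGHTS["exploitable"]
    if a.internet_exposed:
        score += WEIGHTS["internet_exposed"]
    if a.crown_jewel:
        score += WEIGHTS["crown_jewel"]
    return score


def prioritize(alerts):
    """Return [((asset, finding), score, [sources]), ...] highest risk first."""
    merged = consolidate(alerts)
    ranked = [(key, risk_score(rec["alert"]), sorted(rec["sources"]))
              for key, rec in merged.items()]
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def critical_queue(ranked, min_score):
    """Keys that clear the threshold; everything else goes to a backlog."""
    return [key for key, score, _ in ranked if score >= min_score]


def chain_breaker(path, effort):
    """Given an ordered attack path (entry -> target) and an assumed remediation
    effort per link, return the one link to fix: the cheapest, and on a tie
    the link closest to the target (protect the target, not the entry point)."""
    best = None
    for key in path:
        cost = effort.get(key, float("inf"))
        if best is None or cost <= best[1]:   # <= keeps the later link on ties
            best = (key, cost)
    return None if best is None else best[0]


# Constructed sample alerts: two tools flag the same SSH exposure on one VM.
SAMPLE_ALERTS = [
    Alert("cspm-a", "vm-web-01", "ssh-open-to-world", 2, True, True, False),
    Alert("cspm-b", "vm-web-01", "ssh-open-to-world", 3, True, True, False),
    Alert("vuln-scanner", "vm-web-01", "unpatched-rce", 4, True, True, False),
    Alert("ciem", "role-web", "overprivileged-role", 3, False, False, True),
    Alert("dspm", "bucket-customer-pii", "bucket-public-read", 4, True, True, True),
    Alert("cspm-a", "vm-batch-07", "missing-tag", 1, False, False, False),
]

# Constructed attack path and per-link remediation effort (hours, assumed).
SAMPLE_PATH = [("vm-web-01", "ssh-open-to-world"),
               ("vm-web-01", "unpatched-rce"),
               ("role-web", "overprivileged-role")]
SAMPLE_EFFORT = {SAMPLE_PATH[0]: 1, SAMPLE_PATH[1]: 8, SAMPLE_PATH[2]: 2}


if __name__ == "__main__":
    for key, score, sources in prioritize(SAMPLE_ALERTS):
        print(f"{score:5.1f}  {key[0]:<22} {key[1]:<22} {','.join(sources)}")
    print("fix first on chain:", chain_breaker(SAMPLE_PATH, SAMPLE_EFFORT))
```

Running it lists the public PII bucket first (it hits every factor), the six raw alerts collapse to five records, and the duplicated SSH finding shows both tools as sources; the chain breaker picks the one-hour SSH fix over the eight-hour patch. The weights are the part a team would argue about with its vendor, which is exactly the conversation the second tip asks for.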

“Cloud security teams will have to work smarter, not harder,” Morgan said. “Investigating each and every security alert in a timely manner is simply not feasible as organizations accelerate their cloud and multi-cloud adoption. Without a new approach, security teams will miss events and alerts that are part of a bigger threat until it’s too late. As organizations embark on multi-cloud adoption, they have an opportunity to revisit the tools and processes to enable their security teams to work more efficiently.”