Alert Fatigue: Tips for Reducing and Prioritizing Cyber Alerts at SMBs
If you have an EDR or SIEM and don’t have dedicated people to monitor it, you may be so inundated with alerts that you’re adding them to your ever-growing backlog list — or ignoring them.
Many smaller businesses don’t have a dedicated cyber team at all, let alone someone monitoring and investigating alerts. That was true even before remote working introduced loads of new endpoints and added complexity.
Even IT teams supporting small businesses with 25 or fewer employees can get inundated with notifications and alerts every day. So it’s no surprise that some security professionals say their EDR or SIEM is driving them crazy.
When IT teams are pinged with more cyber alerts than they could possibly run down, it adds up to alert fatigue and ongoing stress. And staffing a 24/7 SOC to monitor, triage, and investigate the alerts isn’t a realistic possibility for many SMBs.
Adding to the confusion, many EDR and SIEM alerts are just noise. By design, SIEMs aggregate security and log data from many sources, and EDRs alert not only on malicious behavior but also on behavior that is merely anomalous or suspicious. If a behavior were known to be malicious with high confidence, the EDR would typically block it rather than raise an alert. The purpose of SIEMs and EDR is to give security teams greater visibility, and at the end of the day it is up to you to figure out whether the activity is just unexpected or actually a problem.
So how do you prioritize which alerts to take action on? While having a SOC or outsourcing to an MDR is the gold standard, there are a few actions you can take to reduce the noise and focus on the alerts most likely to matter.
Tips for prioritizing EDR and SIEM alerts
Collaborate with your business to see what matters: You may not know which systems can impact revenue most in the short- and long-term. Finding out more from operations leaders about how your business works, or what can lead to costly business interruption or theft of confidential information can help you figure out which alerts to prioritize investigating.
Take the time to tune your tools: When you set up your EDR or SIEM, spend time analyzing the alerts coming in so you can decide which ones are consistently false positives. Then fine-tune your systems to mute or reduce the severity of those alerts. Get help from the vendor or your MSP to be sure you eliminate consistent false positives that will otherwise distract you from important alerts.
Educate the teams who are contributing to alerts: If there’s a specific team or group of people who always seem to be triggering alerts — to the point where you’ve become complacent — it’s time to amp up their training or improve their processes. The time you proactively invest in their education and tuning will reduce alerts and threats, and save time in the long run.
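The tuning and education tips above come down to one measurement: which rules fire constantly and almost never turn out to be real, and who is triggering them. The script below is an added example (not code from the original post or from any EDR/SIEM vendor) that runs that measurement over a constructed export of closed alerts. It assumes each closed alert records the rule that fired, the analyst's disposition, and the team whose activity triggered it; real exports use different field names and dispositions. A rule is only a tuning candidate once it has fired enough times to judge, and a rule that has ever produced a true positive is flagged for scoping or a severity downgrade rather than muting.

```python
"""Find consistently noisy alert rules in a triage export.

Added example, not from the original post or any vendor. The alert
records below are constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed sample: (rule_name, disposition, triggering_team).
# Dispositions: "false_positive" (detection was wrong), "benign_expected"
# (detection was right but the activity is known-good), "true_positive".
SAMPLE_ALERTS = (
    [("powershell_encoded_command", "benign_expected", "it_ops")] * 38
    + [("powershell_encoded_command", "true_positive", "finance")] * 2
    + [("lsass_memory_access", "true_positive", "engineering")] * 3
    + [("lsass_memory_access", "false_positive", "it_ops")]
    + [("new_scheduled_task", "false_positive", "finance")] * 8
    + [("new_scheduled_task", "false_positive", "it_ops")] * 4
    + [("vpn_login_new_country", "benign_expected", "sales")] * 4
)


def rule_stats(alerts):
    """Per rule: total alerts, noise (FP + benign_expected), true positives,
    and which team generated the noise."""
    stats = defaultdict(lambda: {"total": 0, "noise": 0, "true_positive": 0,
                                 "noise_by_team": Counter()})
    for rule, disposition, team in alerts:
        s = stats[rule]
        s["total"] += 1
        if disposition == "true_positive":
            s["true_positive"] += 1
        else:
            s["noise"] += 1
            s["noise_by_team"][team] += 1
    return dict(stats)


def tuning_candidates(alerts, min_alerts=10, noise_ratio=0.9):
    """Rules that fired at least min_alerts times and were noise at least
    noise_ratio of the time, most frequent first. Rules with any true
    positive are never recommended for muting, only for scoping/downgrade."""
    out = []
    for rule, s in rule_stats(alerts).items():
        if s["total"] < min_alerts:
            continue  # too few samples to call it "consistent"
        ratio = s["noise"] / s["total"]
        if ratio < noise_ratio:
            continue
        top_team = s["noise_by_team"].most_common(1)[0][0]
        out.append({
            "rule": rule,
            "alerts": s["total"],
            "noise_ratio": round(ratio, 2),
            "top_noise_team": top_team,  # who to educate or scope an exclusion for
            "action": "exclude_or_mute" if s["true_positive"] == 0
                      else "downgrade_and_scope",
        })
    return sorted(out, key=lambda r: r["alerts"], reverse=True)


if __name__ == "__main__":
    for row in tuning_candidates(SAMPLE_ALERTS):
        print(row)
```

On the constructed data, the encoded-PowerShell rule is 95% noise but has caught real activity twice, so it is reported for scoping (for example, excluding the IT team's known admin scripts) rather than muting; the scheduled-task rule has never been right in 12 firings and is a candidate for an exclusion, with finance as the team to talk to. The `lsass_memory_access` rule is mostly true positives and never appears, which is the behavior you want from the filter.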
Tips for prioritizing vulnerability notifications
Take severity scores with a grain of salt: CVSS base scores are static, while the threat landscape they are measured against is ever changing. A score can give some insight into the potential impact of a vulnerability, but it measures severity, not the risk to your environment, and it can overstate or understate that risk, which itself changes over time. Additional data sources such as CISA's Known Exploited Vulnerabilities (KEV) catalog, which lists CVEs with evidence of active exploitation, can help an overloaded team raise the priority of a particular CVE.
The Coalition Exploit Scoring System uses dynamic scoring, including KEV and many other sources, to help security managers evaluate new CVEs and their changing risk over time.
Consider the source and technology: If you get a vulnerability notification from a trusted source like your MDR provider or cyber-insurer, they have likely confirmed that you’re at risk. Read the notification carefully. If it says you are vulnerable, it’s imperative to resolve ASAP. If it says you may be vulnerable, first analyze the information and see if you can confirm if you are vulnerable or not. This may require looking at the firmware or model of a system you are currently running, or noticing that the vulnerability in question affects only Windows and your system is running Linux, for example. In cases like these, you may conclude that the alert can be deprioritized.
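The two tips above describe a ranking: evidence of exploitation (KEV) and a confirmation from a trusted source outrank the raw CVSS number, and a notification that does not match the OS, product or version you actually run can be set aside. The code below is an added example of that ranking, not the original post's method and not the Coalition Exploit Scoring System. The assets, notifications and the KEV membership set are all constructed, the CVE identifiers are placeholders, and the version comparison assumes simple dotted numeric versions.

```python
"""Rank vulnerability notifications by exploitation evidence and applicability.

Added example; not the post's or any vendor's scoring system. All data
below is constructed and the CVE identifiers are placeholders.
"""
from dataclasses import dataclass

TRUSTED_SOURCES = {"mdr", "insurer"}   # sources that confirm exposure before notifying
TIER_RANK = {"urgent": 0, "high": 1, "normal": 2, "deprioritize": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    os: str        # "windows" or "linux"
    product: str   # software or firmware product name
    version: str   # dotted numeric version, e.g. "2.1.4"


@dataclass(frozen=True)
class Notification:
    cve: str
    cvss: float
    source: str             # "mdr", "insurer", "vendor_feed", "scanner"
    affected_os: frozenset  # operating systems the advisory applies to
    product: str
    fixed_in: str           # first version that is not vulnerable
    wording: str            # "vulnerable" or "may_be_vulnerable"


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def applicable_assets(n, assets):
    """Names of assets whose OS, product and version fall inside the advisory."""
    return [a.name for a in assets
            if a.os in n.affected_os and a.product == n.product
            and version_tuple(a.version) < version_tuple(n.fixed_in)]


def triage_one(n, assets, kev):
    hits = applicable_assets(n, assets)
    confirmed = n.source in TRUSTED_SOURCES and n.wording == "vulnerable"
    if confirmed:
        # A trusted source already checked; act even if our inventory is stale.
        tier, why = "urgent", f"{n.source} confirmed exposure"
    elif not hits:
        tier, why = "deprioritize", "no asset matches OS/product/version"
    elif n.cve in kev:
        tier, why = "urgent", "in KEV and present on assets"
    elif n.cvss >= 7.0:
        tier, why = "high", "high CVSS on present assets, no exploitation evidence"
    else:
        tier, why = "normal", "present, no exploitation evidence"
    return {"cve": n.cve, "tier": tier, "cvss": n.cvss, "assets": hits, "why": why}


def triage(notifications, assets, kev):
    """Sort by tier, then by CVSS within a tier."""
    rows = [triage_one(n, assets, kev) for n in notifications]
    return sorted(rows, key=lambda r: (TIER_RANK[r["tier"]], -r["cvss"]))


# Constructed inventory and notifications (placeholder identifiers).
SAMPLE_ASSETS = [
    Asset("fw-edge-01", "linux", "edgerouter-firmware", "2.1.4"),
    Asset("fs-01", "windows", "fileshare-agent", "4.0.2"),
    Asset("web-01", "linux", "webstack", "9.8.0"),
]
SAMPLE_NOTIFICATIONS = [
    Notification("CVE-EXAMPLE-1", 9.8, "scanner", frozenset({"windows"}),
                 "webstack", "10.0.0", "may_be_vulnerable"),      # we run it on Linux
    Notification("CVE-EXAMPLE-2", 6.5, "vendor_feed", frozenset({"linux"}),
                 "edgerouter-firmware", "2.2.0", "may_be_vulnerable"),  # in KEV
    Notification("CVE-EXAMPLE-3", 7.5, "mdr", frozenset({"windows"}),
                 "fileshare-agent", "4.1.0", "vulnerable"),        # MDR confirmed
    Notification("CVE-EXAMPLE-4", 8.1, "scanner", frozenset({"linux"}),
                 "edgerouter-firmware", "2.1.0", "may_be_vulnerable"),  # already patched
    Notification("CVE-EXAMPLE-5", 5.3, "scanner", frozenset({"linux"}),
                 "edgerouter-firmware", "2.3.0", "may_be_vulnerable"),
]
SAMPLE_KEV = {"CVE-EXAMPLE-2"}  # stand-in for a lookup against CISA's catalog

if __name__ == "__main__":
    for row in triage(SAMPLE_NOTIFICATIONS, SAMPLE_ASSETS, SAMPLE_KEV):
        print(row["tier"], row["cve"], row["cvss"], row["assets"], row["why"])
```

On the constructed data the 9.8 scanner finding lands at the bottom because it only affects Windows and the matching system runs Linux, the 6.5 vulnerability jumps to the top because it is in KEV and present on the edge firewall, and the MDR-confirmed notification is urgent regardless of what the inventory says. The applicability check is only as good as the inventory behind it, so a "deprioritize" result should be read as "verify the inventory, then close", not as "ignore".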
Get ahead of cyber alerts
Understanding which alerts and vulnerabilities matter most — and reducing the volume of alerts — is a great start to finding more time in your day for long-term strategic work. And getting ahead of threats will help reduce alerts and risk.
Invest heavily in training your users: When people have better awareness of phishing tactics and unsafe behaviors, you’re going to see a reduction in alerts and threats.
Get alignment on what matters: You don’t make all the financial decisions and you shouldn’t be responsible for the outcomes of failing to invest in more staff, tools or services to mitigate risk. Ensure that you have done a good job communicating cybersecurity trade-offs and finding out what matters most to your company. Getting on the same page with business stakeholders is a key step in figuring out which alerts to spend your time on first.
Do you have the time?
If you’re not staffed to analyze alerts, they aren’t adding value to your security posture or helping you defend your company. Prioritization can only help if you have time to understand your biggest threats and align your processes to filter in the right alerts.
Many small-to-medium businesses don’t have that kind of capacity — especially when IT leaders are running security with no dedicated staff at all. Getting hit with a cyber attack isn’t a matter of if but when, and how fast you respond to evict the threat actors from your systems will determine whether you’ve dodged a bullet or are seriously impacted and doing months of cleanup.
If that feels like you, and you don’t have the budget to stand up a SOC, it may be wise to think about outsourcing to an MDR service with 24-hour staff and lots of insight into what threats matter — because they have the time to keep up with all the security reports you’re not reading.
In our next blog, we share some thoughts on how cyber leaders can up their strategy game — not just to improve long-term security posture but also to add value to your company’s bottom line.