Alert fatigue is causing an array of problems, from employee burnout and turnover to important alerts being overlooked for lack of time. There is no doubt that the number of alerts a Global Security Operations Center (GSOC) receives on a daily basis has become overwhelming. Team members alone are simply unable to review, organize, and process such a massive volume of alerts and data. Beyond the difficulty of simply keeping up, employees facing alert fatigue are often distracted by false positives and low-priority pings.
While the quantity of data available isn’t going anywhere, there are steps every company can and should take to make sure that superior awareness does not lead to alert fatigue or unhappy team members. The first step is to drill down on the mission of the organization and pinpoint exactly what it is trying to protect. Security leaders need to be clear on the outputs they want to achieve and ensure the strategy of the GSOC ladders up to this mission.
The next step is to methodically confirm which data sets and search strings are actually required, and to ensure the underlying methodologies are technically sound. In some cases, organizations have purchased access to powerful platforms that are not being used correctly, which results in an overwhelming quantity of alerts rather than quality alerts.
The objective is to make sure security leaders are pulling the data they want, rather than being overloaded with data that’s pushed to them.
But in the end, the best technology will do more than just filter and sort alerts. It will flag the most critical alerts and send them to be verified and contextualized by the most critical assets in the security apparatus: people.