A new study from Orca Security indicates that the sheer number of alerts cloud security teams deal with is becoming a serious problem in and of itself, and that "alert fatigue" is causing critical alerts to be missed at an alarming rate.
A global survey of over 800 IT professionals reveals that almost 60% of respondents are receiving over 500 cloud security alerts per day, and that the alert fatigue created by this volume of work is causing 55% of these organizations to miss critical alerts on either a daily or weekly basis. 62% of respondents also say that alert fatigue is contributing to turnover, and 60% say it is causing internal friction in the company.
2022 cloud security alert fatigue report: Over half of companies overwhelmed by volume, suffering from inattention and stress
The issue is not just the sheer volume of cloud security alerts, but that they arrive unprioritized. Staff not only face this wall of alerts on the job each day, but are also expected to spend a large amount of extra time sorting them for remediation. Over half of companies (56%) say that security staff spend at least 20% of each day prioritizing these alerts.
Burnout is being reported at high levels among IT professionals in the US, UK, France, Germany and Australia, across a broad variety of industries ranging from health care to finance. Alert fatigue is also common no matter what cloud service is being used, with all of the big names (AWS, Azure, Google, Oracle) represented among the survey respondents.
Another major factor in the development of alert fatigue is that a considerable share of cloud security alerts turn out to be either meaningless or harmless: 43% of organizations say that at least 40% of their alerts are false positives, and 81% say that over 20% are bogus. Additionally, using 10 or more tools makes an organization 67% more likely to see over 1,000 alerts per day. None of this is new in IT security generally, but it has ramped up in cloud security specifically because of the mass move to remote work prompted by the pandemic and the corresponding rapid adoption of cloud services to support it.
55% of companies are now using at least three cloud providers, and 57% are using at least five cloud security tools. AWS and Azure are the most commonly used services, followed by Google Cloud Platform, IBM Cloud and Oracle Cloud. In spite of the apparently high rate of false positives and the alert fatigue that the volume is causing, 95% nevertheless say they are confident in the accuracy of their cloud security tools.
Some industries are suffering more than others. Financial services is apparently having the worst time of it, with 71% of its companies hitting more than 500 notifications per day and 63% of their security teams spending at least a fifth of each day on these alerts. In general, sectors that are more highly regulated for the handling of sensitive personal information are struggling the most with alert fatigue.
The problem is acute for all types of organizations, however, with 79% overall carrying over 500 open alerts at any given time. 25% of security teams now spend 40% of their overall time dealing with these alerts, and 22% say they are missing critical alerts every day.
Gadi Naveh, Cyber Data Scientist at Canonic Security, believes that low value alerts may be more corrosive than most organizations realize: “Cloud environments are becoming increasingly composable, enabling users to connect thousands of third-party apps and add-ons across multiple interoperable cloud application platforms with limited security controls or governance policy checks. This creates an unmanageable workload to vet the applications, establish usage policy, and set the right controls for each app. Low value alerts are either non-actionable, or lack a measurable remediation solution. The result is a priority stack that doesn’t address the problem in a clearly defined component of the attack chain, depicting a scenario that in fact cannot be executed, which ultimately distracts from actual threats. The constant flood of alerts desensitizes teams into a false sense of security and erodes the value of alerts that require remediation. Over time this makes it virtually impossible to adopt a culture of urgency with measurable results.”
How can organizations address alert fatigue?
The report makes several recommendations for addressing alert fatigue and getting the volume of cloud security notifications under control. The first is consolidating tooling: more tools simply means more junk alerts being generated. The survey finds that those with at least 10 security tools see the largest share of false positives (over 40%). The authors also suggest taking a hard look at security vendors, demanding better accuracy and potentially parting ways with a tool that is underperforming. Part of the issue here has been that the cloud security market is simply immature, but consolidated options on unified platforms are now beginning to emerge.
The report also suggests focusing on targets rather than entry points, and on attack paths rather than siloed alerts. Attack chains that pose the most immediate danger should also be identified and prioritized.
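The two recommendations above, consolidating overlapping tools and ranking alerts by the attack path they sit on rather than as siloed findings, are easier to see in code than in prose. The following is an added example, not code from the Orca report or from any vendor quoted on this page. The resource graph, the alerts, the two hypothetical tool names ("cspm" and "vuln-scanner") and the scoring weight are all constructed for illustration.

```python
"""Consolidate siloed cloud alerts and rank them by attack path.

Added example; the graph, alerts, tool names and weights are constructed.
"""
from collections import defaultdict

# Constructed resource graph. An edge A -> B means an attacker who controls
# A can reach B (network exposure, IAM role assumption, shared credentials).
EDGES = {
    "internet": ["web-lb"],
    "web-lb": ["web-vm"],
    "web-vm": ["app-role"],
    "app-role": ["customer-db", "s3-backups"],
    "bastion": ["web-vm"],      # nothing reaches bastion from the internet
    "dev-vm": ["dev-bucket"],   # isolated dev environment
}
# The targets that matter: the stores of sensitive data.
TARGETS = {"customer-db", "s3-backups"}

# Constructed alerts, one finding per resource, as two overlapping tools
# (hypothetical "cspm" and "vuln-scanner") might emit them.
ALERTS = [
    {"id": "A1", "tool": "cspm", "resource": "web-vm", "finding": "unpatched CVE in web server", "severity": 7.5},
    {"id": "A2", "tool": "cspm", "resource": "dev-vm", "finding": "unpatched CVE in web server", "severity": 7.5},
    {"id": "A3", "tool": "cspm", "resource": "app-role", "finding": "over-permissive IAM policy", "severity": 5.0},
    {"id": "A4", "tool": "cspm", "resource": "web-lb", "finding": "TLS 1.0 enabled", "severity": 4.0},
    {"id": "A5", "tool": "cspm", "resource": "s3-backups", "finding": "bucket not encrypted at rest", "severity": 6.0},
    {"id": "A6", "tool": "cspm", "resource": "dev-bucket", "finding": "bucket not encrypted at rest", "severity": 6.0},
    # The second tool reports the same web-vm CVE again with its own score.
    {"id": "A7", "tool": "vuln-scanner", "resource": "web-vm", "finding": "unpatched CVE in web server", "severity": 7.2},
]


def dedupe(alerts):
    """Merge alerts that describe the same finding on the same resource.

    Keeps one record per (resource, finding) with the highest severity seen
    and the list of every tool that reported it.
    """
    merged = {}
    for a in alerts:
        key = (a["resource"], a["finding"])
        if key not in merged:
            merged[key] = {**a, "tools": [a["tool"]]}
        else:
            merged[key]["severity"] = max(merged[key]["severity"], a["severity"])
            merged[key]["tools"].append(a["tool"])
    return list(merged.values())


def attack_paths(edges, source, targets):
    """Enumerate simple paths from `source` to any node in `targets`."""
    paths = []

    def dfs(node, path):
        if node in targets:
            paths.append(tuple(path))
            return
        for nxt in edges.get(node, []):
            if nxt not in path:          # simple paths only, no cycles
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(source, [source])
    return paths


def prioritize(alerts, paths):
    """Rank alerts by how many internet-to-target paths run through them.

    Constructed weighting: priority = severity * (1 + paths through the
    resource). An alert on no path keeps its raw severity and sinks.
    """
    through = defaultdict(list)
    for p in paths:
        for node in p:
            through[node].append(p)
    ranked = []
    for a in alerts:
        hits = through.get(a["resource"], [])
        ranked.append({**a, "priority": a["severity"] * (1 + len(hits)), "paths": hits})
    ranked.sort(key=lambda r: (-r["priority"], r["id"]))
    return ranked


def attack_chains(alerts, paths):
    """Group alerts by the attack path they sit on, in path order.

    Each chain is what an analyst remediates together, instead of working
    the same alerts one siloed ticket at a time.
    """
    by_resource = defaultdict(list)
    for a in alerts:
        by_resource[a["resource"]].append(a["id"])
    return {p: [aid for node in p for aid in by_resource.get(node, [])] for p in paths}


def triage(alerts=ALERTS, edges=EDGES, targets=TARGETS):
    """Full pipeline: dedupe -> enumerate paths -> rank -> group into chains."""
    unique = dedupe(alerts)
    paths = attack_paths(edges, "internet", targets)
    return prioritize(unique, paths), attack_chains(unique, paths)


if __name__ == "__main__":
    ranked, chains = triage()
    for r in ranked:
        print(f"{r['id']} {r['resource']:<12} priority={r['priority']:>5.1f} tools={r['tools']}")
    for path, ids in chains.items():
        print(" -> ".join(path), "alerts:", ids)
```

The point the output makes is that A1 and A2 are the same finding with the same severity, yet A1 tops the list because it sits on both paths from the internet to sensitive data, while A2 (on an isolated dev host) drops below everything that is reachable. The duplicate A7 collapses into A1 with both tools recorded, which is the consolidation the report calls for, and the two chains tell the analyst which alerts to close together to cut a path rather than which ticket has the highest number.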
John Morgan, CEO at Confluera, sees a refocusing of security teams and a "work smarter" approach as the ultimate answer to the plague of alert fatigue: "Security teams act as the connective tissue between these networks and the unique security solutions. Understanding the nuance of each cloud service, training on multiple security tools with varying degrees of security coverage, all the while trying to enforce consistent security policies across the entire network, is a tall order for any security team … Security or alert fatigue from the sheer volume of alerts is well understood. What many overlook is the resource and time needed to build a cohesive story of an attack in progress from the alerts. Modern attacks are not based on a single act or alert. They consist of many actions that span weeks and months. When analyzed in isolation, individual alerts may appear benign. It is up to the security team to make sense of these alerts and identify them as part of a bigger cyber attack. Coupled with an ever-increasing number of alerts, security teams are under tremendous pressure. So, how will the constant deluge of security alerts continue to pose challenges for cloud security teams? Cloud security teams will have to work smarter, not harder. Investigating each and every security alert in a timely manner is simply not feasible as organizations accelerate their cloud and multi-cloud adoption. Without a new approach, security teams will miss events and alerts that are part of a bigger threat until it's too late. As organizations embark on multi-cloud adoption, they have an opportunity to revisit the tools and processes to enable their security teams to work more efficiently."
And Vishal Jain, Co-Founder and CTO at Valtix, notes that more efficient prioritization of the actual high threat alerts is not necessarily the magic elixir that will solve the entire problem: “The growth of multi-cloud adoption has driven the need for new security tooling that just layers on top of many existing on-prem tools. Each of these tools generates its own set of alerts and data. Security operations centers are now overwhelmed. At the same time, to control the cost, security teams attempt to do more with fewer employees. It becomes difficult to get a complete picture and the amount of information from all of these different data sources becomes overwhelming. The need to discover a security issue and find a “good” alert is not the only operational issue. Once a “good” alert is found, protection needs to be implemented to mitigate the exposure. Given a multi-cloud context, it can be very challenging to determine where to apply selected controls. And with different tools in each cloud, decisions on security tools configuration for each cloud need to be made. This all complicates the change management process and drives security team fatigue. As the recent survey suggests, to prevent a constant deluge of security alerts, enterprises have realized that tools across clouds need to be consolidated. Consolidation should happen not only for visibility and “good” alerts to be found but also for the ability to quickly apply the “right” protection mechanisms across multiple clouds once exposure is found. The ideal scenario for enterprises would be to use consolidated, multi-cloud security platforms that simplify the underlying task of managing security in the clouds while connecting visibility to the protection of workloads. In addition to driving workflow efficiency, these platforms enable a greater level of automation that can reduce needless alerts and manual efforts.”