The average managed security service provider (MSSP) doesn’t want more tools. Arguably, its biggest issue is that there are already too many of them. Each piece of security hardware and software it deploys generates alerts about various security conditions. Most of those alerts are “false positives” that waste time and resources, because each one still has to be individually checked. Before long, alert fatigue sets in and alerts start to be ignored. Of course, the fellow who wrote Murphy’s Law now works in cybersecurity, so it is invariably one of the ignored alerts that was flagging the attack that gets missed.
Insight into security alert fatigue
A limited survey of 50 MSSPs published this week by Advanced Threat Analytics (ATA), a provider of security event orchestration software, illustrates the scope of the alert fatigue challenge. A total of 44 percent of respondents report a 50 percent or higher false-positive rate. In all, 22 percent experience a 50-75 percent false-positive rate while the other 22 percent see rates ranging between 75 and 99 percent.
All those false positives have a material impact on the business. Nearly 45 percent of respondents investigate ten or more alerts each day. A total of 22 percent of respondents investigate between 10 and 20 alerts each day, 11 percent investigate 20-40 daily, and another 11 percent investigate 50 or more.
On average, 64 percent say it takes ten minutes or more to investigate each alert. A third (33 percent) say it takes between 10 and 20 minutes to investigate each alert, 20 percent say it takes between 20 and 30 minutes, and 11 percent state it takes 30 minutes or more.
Unfortunately, when MSSPs have too many alerts for analysts to process, they try to improve the signal-to-noise ratio by tuning specific alerting features or thresholds to reduce alert volume (67 percent), ignoring certain categories of alerts (38 percent), turning off high-volume alerting features (27 percent), or hiring more analysts (24 percent). Even if they can hire those analysts, that last option increases costs in a way that negatively impacts profitability.
How this impacts MSSPs
Most MSSPs are well acquainted with alert fatigue. It’s the primary cause of burnout among cybersecurity professionals, and even the best and brightest can be affected. Because of this, savvy MSSPs make sure they spell their teams and give analysts a break. Each alert generates a modest amount of stress. Compound that stress over time and it’s almost inevitable that cybersecurity professionals will eventually decide to move on. That leaves the MSSP scrambling to hire new talent that, at a minimum, requires six months to train.
Many MSSPs naturally consider turnover to be part of the cost of doing business. But that cost is clearly a lot higher than it should be because of the number of false positives being generated. Worse yet, all those alerts conspire to inure cybersecurity professionals to real threats. It’s unlikely anyone can eliminate every false positive. But the MSSP that successfully reduces the number of false positives being generated will be much further ahead over the long term than rivals that chase their proverbial cybersecurity tails to the point of exhaustion.