May 19 2021

6 Ways for Higher Ed IT to Reduce ‘Alert Fatigue’

FireEye offers these tips and tricks to help universities minimize the number of false alerts they receive each day.

When IT security managers receive thousands of alerts per day, it’s easy to start ignoring them as queues fill up — especially considering that roughly 45 percent of those alerts are false positives.

A study by global market intelligence firm IDC and cybersecurity firm FireEye found that IT leaders are experiencing widespread “alert fatigue.” According to the report, 38 percent of information security analysts deal with overloaded security operations centers (SOCs) by ignoring certain kinds of alerts. Around 34 percent of IT security managers and 44 percent of service providers do the same.

“The worst thing you can do as an organization is waste your time responding to things that just don’t matter,” Daniel Slack, director of Mandiant Managed Defense, said at a FireEye webinar earlier this year.

To help IT departments reduce the number of false alerts they receive each day, here’s a look at some strategies based on the FireEye report “Nine Steps to Eliminate Alert Fatigue.”

1. Help Security Analysts by Using a Narrative-Driven Model

To fine-tune the types of alerts you want to receive, it is important to shift from an alert-driven security model to a narrative-driven one. This requires work queues to receive higher-value data that has more context.

After all, “each alert in the work queue is a snapshot, a moment in time,” the FireEye report notes. “It’s only a part of the overall story of what occurred. It’s one piece of what could be a very large puzzle.”

To create threat narratives for higher education security analysts, consider these tips from FireEye:

  • Collect the smallest set of high-value data. What matters is how relevant each data source is to security operations and incident response, not how much of it you have.
  • Identify goals and priorities for detection. It is crucial to have a thorough understanding of which risks, goals and priorities are highest at your educational institution. (“Don’t get hacked” is far too broad a goal.) Once you know your goals, you can prioritize the risks that jeopardize your most important assets — for example, COVID-19 research data.
  • Craft human language logic. Write out, in plain language, the specific activity you want to see, so that the logic extracts only the events relevant to your selected goals and priorities.
  • Convert the logic into targeted queries. Converting human language logic into precise queries can help colleges and universities get reliable, high-quality alerts with fewer false positives.
  • Repeat and refine this process. As higher education institutions identify new goals and priorities, they should repeat the process and adjust according to feedback from the incident response process.

This way, analysts can receive alerts with more context to help them make informed decisions. It can help make each alert feel less overwhelming.
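The five steps above, carried through end to end as an added example (this code is not from the FireEye report or from the article). The stated goal is “successful off-hours access to a research file share from outside the campus network”; the campus address ranges, share names, business hours and the access-log events are all constructed for the example. A naive “any off-campus access” rule is run beside the targeted query so the difference in alert volume is visible.

```python
"""Added example: turning a human-language detection goal into a targeted
query over constructed file share access events. Networks, shares, users
and log lines are made up for illustration."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed priorities for a hypothetical university (step 2): research
# shares are the assets that matter most, and these ranges are "campus".
CAMPUS_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
RESEARCH_SHARES = {"covid-research", "biolab"}
BUSINESS_HOURS = range(7, 20)  # 07:00 through 19:59 local time

# Constructed sample events, not real logs (step 1: a small, relevant set).
SAMPLE_EVENTS = [
    {"ts": "2021-05-18T09:12:00", "user": "jdoe",   "src_ip": "10.4.7.22",     "share": "covid-research", "result": "success"},
    {"ts": "2021-05-18T23:41:00", "user": "mlee",   "src_ip": "198.51.100.9",  "share": "covid-research", "result": "success"},
    {"ts": "2021-05-18T22:10:00", "user": "asmith", "src_ip": "198.51.100.77", "share": "teaching",       "result": "success"},
    {"ts": "2021-05-19T03:05:00", "user": "mlee",   "src_ip": "203.0.113.5",   "share": "biolab",         "result": "failure"},
    {"ts": "2021-05-19T10:30:00", "user": "rkumar", "src_ip": "192.0.2.40",    "share": "biolab",         "result": "success"},
    {"ts": "2021-05-19T14:00:00", "user": "pdoe",   "src_ip": "198.51.100.20", "share": "covid-research", "result": "success"},
]


def is_on_campus(src_ip):
    """True when the source address falls inside an assumed campus range."""
    ip = ip_address(src_ip)
    return any(ip in net for net in CAMPUS_NETWORKS)


def naive_query(events):
    """Alert-driven rule with no narrative: any share access from off campus."""
    return [e for e in events if not is_on_campus(e["src_ip"])]


def narrative_query(events):
    """Step 3 written as human language logic, then converted to a query (step 4):

    'Tell me when someone successfully reaches a research share from outside
    the campus network outside business hours.'

    Each alert carries the goal it serves and a one-line reason, so the
    analyst receives a narrative rather than a bare snapshot.
    """
    alerts = []
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        if (
            e["result"] == "success"
            and e["share"] in RESEARCH_SHARES
            and not is_on_campus(e["src_ip"])
            and hour not in BUSINESS_HOURS
        ):
            alerts.append({
                **e,
                "goal": "research data exposure",
                "why": (f"{e['user']} reached research share '{e['share']}' "
                        f"from off-campus address {e['src_ip']} at {e['ts']}"),
            })
    return alerts


if __name__ == "__main__":
    print(f"naive rule: {len(naive_query(SAMPLE_EVENTS))} alerts")
    for a in narrative_query(SAMPLE_EVENTS):
        print(f"targeted query: [{a['goal']}] {a['why']}")
```

On the constructed events the naive rule raises four alerts (two of them a remote researcher working normally and a non-research share), while the targeted query raises one. The failed 03:05 attempt against the biolab share is deliberately not matched, because the stated goal was successful access; if repeated failed attempts against research shares are also a priority, that is a second goal and a second query, which is exactly the “repeat and refine” step.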


2. Avoid Overly Complicated Data by Knowing Your Sources

Not all data sources are created equal.

Universities and colleges must be able to pinpoint which data sources are most relevant and valuable for their priorities.

As you distinguish these sources, you may even find blind spots in automated communication processes from multiple data sources.


3. Weed out Noise by Creating Alerts for High-Priority Threats

After achieving an appropriate level of visibility, it’s time to take advantage of it. A next step is to develop detection content that triggers alerts for all activities related to your university’s high-priority risks.

Update the default settings in your security solutions so that you are getting the more strategic, higher-quality alerts you have created.

“Any activity that doesn’t fall into that realm should be ignored,” the FireEye report notes. “Why trigger alerts on activities you’ve already decided you aren’t concerned about? That would just create additional noise and complexity.”

4. Thoroughly Investigate Threats Through a Unified Work Queue

Studies have shown that multitasking is not effective — it can even lead to a decline in IQ.

To ensure IT employees are not looking into an overwhelming number of high-quality alerts at once, route the alerts from every tool into one unified work queue. With a single queue, each alert is picked up once, in priority order, and investigated to completion rather than being juggled across several consoles.

5. Automate to Improve Higher Ed SOC Processes

Some analysis steps — such as pulling contextual information from network forensics, endpoint forensics and mobile sources — can and should be automated.

It is also worth considering extended detection and response (XDR) solutions, which correlate detections across endpoint, network and cloud telemetry and can automate the confirmation of alerts.

6. Provide Context and Threat Nature in Alerts

Understanding the context and nature of threats is critical for a narrative-driven model. Is the suspicious network activity likely the result of a benign misconfiguration, or does the pattern resemble the tradecraft of a particular ransomware group?

In many cases, intelligence about the type of activity is key to whittling down the alert queue — and improving response times to real threats.
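Tips 3 through 6 together describe one pipeline: normalize alerts from several tools into a single queue, pull context automatically, drop what falls outside the declared priorities, and present what is left as a narrative with threat context. The following is an added example of that pipeline (not code from FireEye or the article). The tool schemas, asset inventory, threat-intelligence tag and raw alerts are all constructed; the scoring formula is an assumption chosen for illustration.

```python
"""Added example: a unified work queue that normalizes alerts from three
constructed tools, enriches them with asset and intel context, ignores
categories outside the institution's priorities, and groups the rest into
per-host narratives ordered by risk. All data here is made up."""
from collections import defaultdict

# Assumed priorities for a hypothetical campus SOC (tip 3: alert only on these).
HIGH_PRIORITY_CATEGORIES = {"credential_theft", "ransomware_precursor", "data_exfil"}

# Assumed asset inventory (tip 5: context pulled automatically, not by hand).
ASSETS = {
    "lab-fs01":        {"criticality": 5, "owner": "biolab",             "role": "research file server"},
    "research-bucket": {"criticality": 4, "owner": "research-computing", "role": "cloud storage"},
    "wks-lib-12":      {"criticality": 1, "owner": "library",            "role": "public kiosk"},
}

# Assumed threat intelligence: indicator -> human-readable context (tip 6).
INTEL = {
    "203.0.113.77": "address previously tagged as ransomware affiliate infrastructure (example tag)",
}

# Constructed raw alerts, one schema per tool, as they would arrive.
RAW_ALERTS = [
    ("edr",   {"hostname": "lab-fs01",   "rule": "credential dump from lsass", "category": "credential_theft",     "remote": "203.0.113.77", "time": "2021-05-19T02:14:00"}),
    ("ids",   {"dest_host": "lab-fs01",  "signature": "large outbound SMB transfer", "category": "data_exfil",     "src": "203.0.113.77",    "ts":   "2021-05-19T02:20:00"}),
    ("edr",   {"hostname": "wks-lib-12", "rule": "unsigned browser extension", "category": "policy",              "remote": None,           "time": "2021-05-19T08:00:00"}),
    ("cloud", {"resource": "research-bucket", "finding": "shadow copies deleted", "category": "ransomware_precursor", "actor_ip": "198.51.100.3", "seen": "2021-05-19T03:02:00"}),
    ("ids",   {"dest_host": "wks-lib-12", "signature": "internal port scan", "category": "recon",                "src": "10.3.3.3",        "ts":   "2021-05-19T08:05:00"}),
]


def normalize(source, raw):
    """Map each tool's own field names onto one common shape (tip 4: one queue)."""
    if source == "edr":
        return {"source": source, "host": raw["hostname"], "title": raw["rule"],
                "category": raw["category"], "indicator": raw["remote"], "time": raw["time"]}
    if source == "ids":
        return {"source": source, "host": raw["dest_host"], "title": raw["signature"],
                "category": raw["category"], "indicator": raw["src"], "time": raw["ts"]}
    if source == "cloud":
        return {"source": source, "host": raw["resource"], "title": raw["finding"],
                "category": raw["category"], "indicator": raw["actor_ip"], "time": raw["seen"]}
    raise ValueError(f"unknown alert source: {source}")


def enrich(alert):
    """Attach asset criticality, owner and any intel match to the alert (tip 5)."""
    asset = ASSETS.get(alert["host"], {"criticality": 1, "owner": "unknown", "role": "unknown"})
    alert["criticality"] = asset["criticality"]
    alert["owner"] = asset["owner"]
    alert["intel"] = INTEL.get(alert["indicator"])
    return alert


def build_queue(raw_alerts):
    """Return (narratives ordered by score, number of alerts ignored)."""
    alerts = [enrich(normalize(src, raw)) for src, raw in raw_alerts]
    # Tip 3: anything outside the declared priorities is not an alert at all.
    kept = [a for a in alerts if a["category"] in HIGH_PRIORITY_CATEGORIES]
    dropped = len(alerts) - len(kept)
    # Tips 1 and 6: one narrative per host instead of isolated snapshots.
    by_host = defaultdict(list)
    for a in kept:
        by_host[a["host"]].append(a)
    narratives = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["time"])
        # Assumed scoring: criticality times number of related alerts, plus a
        # bonus when any indicator matches threat intelligence.
        score = items[0]["criticality"] * len(items) + (3 if any(a["intel"] for a in items) else 0)
        steps = [f"{a['time']} {a['source']}: {a['title']}" + (f" [{a['intel']}]" if a["intel"] else "")
                 for a in items]
        narratives.append({"host": host, "owner": items[0]["owner"], "score": score, "steps": steps})
    narratives.sort(key=lambda n: n["score"], reverse=True)
    return narratives, dropped


if __name__ == "__main__":
    queue, ignored = build_queue(RAW_ALERTS)
    print(f"{ignored} alerts ignored as outside declared priorities")
    for n in queue:
        print(f"[{n['score']:>2}] {n['host']} (owner: {n['owner']})")
        for step in n["steps"]:
            print(f"      {step}")
```

On the constructed input, the two kiosk alerts (policy and recon) never enter the queue, and the analyst sees the research file server first: two related alerts minutes apart, with the external address annotated by the intel tag, which is a very different starting point from two unrelated snapshots in two separate consoles.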

