Guide to Deploying Data Alerts to Improve Strategic Cyber Incident Response& Management

Data alerts are on the rise. So, what’s the issue?

Undoubtedly, the intelligence issuing from data alerts has been crucial when responding to cyber disruptions and other incidents. But they’re such a thing as too much data.

Indeed, more than half (56 per cent) of large companies handle at least 1,000 alerts per dayⁱ. With this sharp rise, serious challenges have emerged to impede the effectiveness of data alerts – many of which have to do with the kind and quality of the alerts themselves.

The data in the alerts is often considered too granular to be actionable. Coming from noisy sources, the data is often wrong or misleading, leaving responders tilting at windmills or jumping at shadows.

One of the more acute challenges, though, is the frequency of data alerts. The increasing pace of automatic notifications has created alert fatigue.

What is alert fatigue?

Alert fatigue happens when an overwhelming number of alerts desensitizes responding individuals to individual alerts – even when those alerts carry valuable information.

The effects of alert fatigue were first studied in public healthcare after the introduction of clinical decision support systems. Researchers subsequently noted that: “Despite their benefits, clinical decision support systems are sometimes criticized for issuing excessive alerts about possible drug interactions that are of limited clinical usefulness…”ⁱⁱ. 

The excessive warnings caused “alert fatigue”ⁱⁱⁱ. In the clinical setting, that meant that physicians, receiving too many alerts, were inadvertently ignoring individual alerts that turned out to be useful. The result was a diminution in effectiveness of the systems themselves with “adverse consequences for patients”^iv. 

Cybersecurity experts, for their part, also picked up on alert fatigue. As in public healthcare, technology led to increasing numbers of alerts; the onset of COVID, in particular, exacerbated cyber risk, leading to a sharp rise in alerts^v.

How bad has the issue become?

In 2021, the International Data Corporation (IDC) issued a report on the effects of escalating cyber alerts on cyber response. 

The numbers weren’t pretty. Well over eight in every ten cyber security professionals say they are struggling to cope with the sheer volume of security alerts^vi. 

That’s no surprise. Surveyed staff reported spending more time (32 minutes) on alerts that turned out to be false leads than on actionable alerts^vii.

As a result, more than a quarter (27 per cent) of all alerts were ignored or not investigated in mid-sized corporations^viii. Slightly larger organizations (1,500 to 4,999 employees) saw personnel ignore nearly a third of all alerts.

Beyond that, alert fatigue is also creating tail risk for recruitment and retention. Employees, particularly Security Operations Center (SOC) staffers, acknowledge not wanting the thankless task of wading through innumerable data alerts, many of which turn out to be false herrings. 

Seeing this, employers have ramped up security spend on systems that produce even more alerts without having sufficient staff to triage actionable alerts. As a result, organizations now face the real risk of more missed real alerts, slow response times, and potentially infected systems.

Further information management challenges to effective cyber response 

Beyond data alerts, ineffective information management (more broadly) has long been cited as one of the starkest challenges to cyber incident response and management. It’s not hard to see why. Providing intelligence, coordination, and response that is accurate, timely, and effective requires the coordination of numerous processes, systems, and operators. 

This can be difficult. Requests might require novel approaches, integration of disparate data sources, including contributing information systems, and a wide variety of outputs. Other challenges include: 

• Incident response plans (IRPs) are too generic. Guidance on how to respond to cyber incidents is prolific. Government agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and National Institute of Standards and Technology (NIST) all publish their own expert advice. Organizations are free to make use of that guidance. But simply copying and pasting those plans wholesale, which many organizations do, might not be the best idea. By their very nature, one-size-fits-all IRPs aren’t tailored to the needs and specificities of individual organizations.
• Plans are untested. The rubber really hits the road for these generic IRPs during a crisis. Generic plans are less likely to be tested before a real-world incident, where regular testing would expose flaws in assumptions. Oftentimes, customized plans aren’t tested, either. Which means many haven’t been updated to account for the transition to remote working, where key personnel are geographically dispersed, unable to review logs, detect attacks, respond to and recover from incidents as they might have formerly.
• Information doesn’t get to the right people at the right time. These arrangements also pose grave communication and collaboration challenges for effective cyber incident response, though it’s not as if information easily got to the right people at the right time before the pandemic. Oftentimes, when data was made available to stakeholders, vital information was strewn across hundreds of emails – often duplicative, making it well-nigh impossible for stakeholders to task effectively throughout the lifecycle of a cyber incident.

Digital technology solutions to address alert fatigue and other information management challenges

What can be done? 

Just as the wrong technology can exacerbate alert fatigue, the right solution can mitigate these negative effects, ensuring that actionable data alerts get through in a format that incentivizes speedy triaging. 

Indeed, the solutions that have gotten data alerts right (actionable alerts get through; false leads stay out) have managed to adopt the appropriate information management framework, i.e., they deploy information management frameworks (or triggers) leading to the following outcomes:

• Increased specificity of alerts which reduces inconsequential alerts
• Tiering of alerts by severity and priority, e.g., alerts are customized to notify workers in a particular way to help distinguish between alert types
• Consolidation of redundant alerts
• Rendering alerts more actionable, by eliminating vague alerts that take too much time and energy to triage
• Continuous review of the alerts program itself, to detect whether alerts have been missed, thresholds are too high or low, and/or if employees have become desensitized

The technical modality at play, here, is powerful workflow automation, which helps to aggregate and visualize alerts, thereby accelerating investigation speeds and response times^ix.

The flexible, digital solutions which boast such information-management modalities work by capturing and consuming information from multiple sources, to provide a real-time common operating picture of the task or operation at hand. 

Leveraging powerful, yet easy-to-set-up workflows, these solutions control and automate management processes and standard operating procedures, keeping the right stakeholders informed across multiple communications mediums. Analytics and reporting tools then ensure that decision-makers have the correct information in the best available format, when they need it. 

The solution also tracks tasks to ensure that the right actions are taken and followed through, helping you to assign, manage, and track resources. 

What’s more, the system provides a case management framework, orchestrating information flows throughout the organization, providing consistency where multiple systems, sources, and processes are employed, and enabling the secure exchange of information and coordination of resources across multiple stakeholders.

Further benefits include:

• Reinforce intelligence tasking and response with an auditable record of changes
• Powerful workflow builder to automate review, approval, escalations, and interactions across the organisation and externally
• Ability to relate assets, events, contacts to provide a complete picture of requests, incidents, and tasks, including mapping for geospatial information, timelines for understanding changes and progressions in context, as well as alerts to automatically flag issues for further attention
• Configurable dashboards that provide an executive view of progress, emerging issues and crises
• Support for scalable processes to handle routine or commodity threats through to Advanced Persistent Threats (APT)
• Support for intelligence gathering for entities of interest including evidence gathering and multi-party coordination
• Configurable security model to accommodate low privilege users, such as third-party IT staff to log threats and incidents or receive reports without gaining access to more sensitive information
• Asset inventory and logging to highlight prioritised assets or other high impact items. 

Integration options to ensure the right information gets through at the right time

And there’s more. The genius of these solutions is that they offer a full range of integration options, making it easy to connect and synchronize data and plug in customer systems. 

The Noggin platform, for examples, integrates with ERPs and CRMs, as well as other service management and cyber security systems. When it comes to actionable data alerts operational security management, relevant Noggin integrations include:

• For security threats. Integrating with Noggin, Signal is an open-source intelligence tool for security teams who may deal with disruptive or unexpected events. Customers monitor multiple online data sources with a simple, easy-touse interface, with Signal providing relevant, actionable information in real time. And so, with Signal, you can: 
  – Identify emerging threats faster
  – Receive real time alerts
  – Monitory developing situations 
• For event and risk detection. Integrating with Noggin, the Dataminr AI platform detects the most relevant, high-impact events and emerging risks in real time – so customers can respond with speed and confidence. The platform enables a diverse customer base to manage crises more effectively:
   – Businesses can identify and respond to emerging risks across the enterprise, with the earliest indicators of business-critical information about risks to people, brands, and physical and virtual assets.
  – Public sector entities can respond to realtime events faster, know where to deploy first responders, and provide aid to citizens on the ground within minutes.
• For IT ops. Integrating with Noggin, PagerDuty provides a source of truth and coordination for real-time operations and major IT disruptions, useful in the following business cases:
  – IT on-call management
  – Operational analytics
  – IT incident response
  – IT team activation and coordination
  – Automated IT incident resolution 

Finally, alert fatigue is on the rise with personnel increasingly tuning out automatic notifications from noisy data sources. Response agencies, though, worry staffers are throwing out the baby with the bath water as actionable alerts are getting ignored, too.

What’s the answer? Disruption management platforms, like Noggin, have the information management capacity to make data alerts actionable through powerful (yet configurable) workflows that can be tailored to your organization’s business processes. 

What’s more, these platforms come equipped with integration options, making it easy to connect and synchronize rich data sources for security threats, event and risk detection, as well as IT ops, with the end result that the right information gets in at the right time, making enterprise resilience simple.

Sources

^i. Staff, Dark Reading: 56% of Large Companies Handle 1,000+ Security Alerts Each Day. Available at https://www.darkreading.com/risk/56-of-largecompanies-handle-1-000-security-alerts-each-day. 

^ii. Aaron S Kesselheim et al, Health Affairs: Clinical Decision Support Systems Could Be Modified To Reduce ‘Alert Fatigue’ While Still Minimizing The Risk Of Litigation. Available at https://www.researchgate.net/profile/Kathrin-Cresswell/publication/51858562_Clinical_Decision_Support_Systems_ Could_Be_Modified_To_Reduce_’Alert_Fatigue’_While_Still_Minimizing_The_Risk_Of_Litigation/links/0deec51b6ea2099aba000000/Clinical-DecisionSupport-Systems-Could-Be-Modified-To-Reduce-Alert-Fatigue-While-Still-Minimizing-The-Risk-Of-Litigation.pdf

^iii. Ibid.

^iv. Ibid. 

^v. Deloitte: Impact of COVID-19 on Cybersecurity. Available at https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html.

^vi. Paul Kelly, Open Access Government: Cybersecurity strategies: fighting alert fatigue and building resilience. Available at https://www.openaccessgovernment.org/fighting-alert-fatigue-and-building-resilient-cybersecurity-strategies/139904/. 

vii. Edward Segal, Deloitte: Impact of COVID-19 on Cybersecurity. Available at https://www.forbes.com/sites/edwardsegal/2021/11/08/alert-fatigue-canlead-to-missed-cyber-threats-and-staff retentionrecruitment-issues-study/?sh=1f2f3c9135c9.

^viii. Ibid. 

ix. Alexander S. Gillis, Tech Target: Alert Fatigue. Available at https://www.techtarget.com/whatis/definition/alert-fatigue