Alert Fatigue: What Pavlov’s Dogs Can Teach Us About Security
You probably know about the classical conditioning experiment Pavlov’s Dogs. It demonstrated that when a potent stimulus (e.g. food) is paired with a previously neutral stimulus (e.g. a bell), over time it will begin to elicit a response (e.g. salivating) to the previously neutral stimulus (bell).
However, when the bell starts being used repeatedly without the reward of food, the response eventually dulls, and the dogs no longer respond with the same intensity.
If you work in security, this might sound eerily familiar…
Classical Conditioning in Security
Alert fatigue is a classic case of Pavlovian response. When security tools beep and ping all day long, at first it seems like a good thing. They’re working! They’re keeping us protected! But over time, as dozens and then hundreds of alerts come in—many of them false positives or just system status updates—it becomes impossible to jump into action for every single alert.
Companies large and small alike can fall victim to this. The Target breach is a prime example of alert fatigue leading to disastrous consequences. After Target’s security monitoring tool detected the onslaught of malicious activity, their first-line responders, a team in Bangalore, sent them along to the security team in the U.S. The alerts were simply ignored.
Whether it was because the team was already overwhelmed with alerts and didn’t have time to investigate or just didn’t view the alerts as a credible threat remains unknown. Either way, alert fatigue was the ultimate reason why such a large-scale attack was successful.
You see, as alerts pile up, our reaction times diminish and our ability to take any given alert seriously is decimated. That means critical alerts that do require attention are lost in the sea of noise. Attacks which could have been stopped are missed and go on to damage the network. Welcome to alert fatigue.
Security Alerting: A Careful Balancing Act
Of course, we don’t want to throw the baby out with the bathwater. There’s no question that we need security alerts. They are a key function all security teams must have in their arsenals. Alerts are how detection systems let us know when something’s gone wrong.
But most security tools out there aren’t able to separate false positives from true positives, resulting in two problems:
- You get too many alerts, few of which are indicative of real threats deserving of attention. These are not only time-consuming to sift through, but a big contributor to alert fatigue.
- You can’t turn on automated blocking when you know there are false positives in the mix. If you do, you may end up blocking legitimate sites. This can prohibit employees from getting their work done, causing confusion and frustration.
Both of these issues can suck up a lot of time from your security team, time that could be better spent conducting deeper investigations and responding to attacks. Worse, in the time it takes to identify a real threat among all the alerts, an infection can make its way in and do its damage, requiring even more time to clean up the mess on top of the time already spent on the alerts themselves.
To strike the right balance in your security alerting capabilities, look to a tool that can separate out false positives and automate the blocking of real threats. Intrusion detection systems often can’t do this, leaving a mountain of alerts that you have to go through manually to find the needle in the haystack.
A tool like Strongarm, on the other hand, is able to gather context from your systems and networks to determine real threats, automatically throwing out the false positives and blocking the real attacks, so that all you have to do is clean up the machine(s) infected by the few real threats.
Why You Won’t See a Lot of Alerts With Strongarm
Dealing with fewer alerts day-to-day is a goal I think we can all hang our hats on. After all, responding to alerts is only one of many tasks IT and security pros have to do day in and day out. They also need to focus on patching servers, setting up new employee workstations, dealing with the latest zero-day threat… the list goes on.
While the constant beeping of alerts may at first make you feel secure, the reality is that many of those alerts (even the “real” ones) will go uninvestigated because of the sheer volume and the many false positives buried within.
You won’t see a lot of alerts with Strongarm because it is built to minimize false positives. Our goal is for every single alert you get from Strongarm to be a real threat, one that actually requires action. Strongarm’s alerts are unique and go one step further in that they typically specify which device needs to be investigated and cleaned up.
This level of distinction means you have the ability to immediately stop an infection from doing damage without an analyst having to write a rule or implement an action before stopping the attack. Oftentimes, Strongarm can also provide more color to other alerts, such as from your firewall, helping you to see, catch, and respond to threats faster.
Think of it as an automated protective layer.
We aren’t perfect, of course, but our team of malware researchers is constantly updating the list of domains and subdomains that are known perpetrators of malware, so that you can rest assured: if Strongarm alerts you, it actually requires investigation.
The rest of the time, you can take the silence as what it is: proof you are safe.
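To make the two ideas above concrete, the separation of real threats from noise so that blocking can be automated, and alerts that name the device to clean rather than arriving once per event, here is an added example that is not Strongarm’s code and not part of the original post. It assumes a simple constructed DNS query log (`<time> <client_ip> <queried_name>`), a constructed blocklist of known-malicious domains under the reserved `.example` TLD, and that a blocklist entry covers all of its subdomains. Matching is done label by label, so `notmalware-c2.example` does not match `malware-c2.example` the way a naive string-suffix check would, and every match is blocked while the alert stream is rolled up to one alert per device.

```python
"""Added example: triage constructed DNS query logs against a domain
blocklist, block matches, and emit one alert per infected device.
Not Strongarm's code; log format and indicators are constructed."""
from dataclasses import dataclass, field

# Constructed blocklist (reserved .example names, not real indicators).
# An entry covers the domain itself and every subdomain beneath it.
BLOCKLIST = {
    "malware-c2.example",
    "dropper.example",
}

# Constructed DNS query log: "<time> <client_ip> <queried_name>".
# 10.0.0.7 beacons to a known-bad domain; 10.0.0.9 queries a look-alike
# name that must NOT match; 10.0.0.11 hits the apex domain itself.
SAMPLE_LOG = """\
2023-01-01T09:00:01 10.0.0.5 www.example.org
2023-01-01T09:00:02 10.0.0.5 updates.example.net
2023-01-01T09:00:03 10.0.0.7 beacon.malware-c2.example
2023-01-01T09:01:03 10.0.0.7 beacon.malware-c2.example
2023-01-01T09:02:03 10.0.0.7 beacon.malware-c2.example
2023-01-01T09:02:10 10.0.0.7 cdn.dropper.example
2023-01-01T09:03:00 10.0.0.9 mail.example.org
2023-01-01T09:03:30 10.0.0.9 notmalware-c2.example
2023-01-01T09:04:00 10.0.0.11 malware-c2.example.
"""


@dataclass
class DeviceAlert:
    """One alert per device: what to clean, since when, and why."""
    device: str
    first_seen: str
    query_count: int = 0
    domains: set = field(default_factory=set)

    def message(self) -> str:
        return (f"BLOCKED {self.query_count} queries from {self.device} "
                f"since {self.first_seen}: {', '.join(sorted(self.domains))}")


def is_blocked(name: str, blocklist: set) -> bool:
    """True if the name or any parent domain is on the blocklist.

    Walks the labels right-to-left so only true subdomains match;
    'notmalware-c2.example' is not a subdomain of 'malware-c2.example'.
    """
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def triage(log_text: str, blocklist: set):
    """Return (alerts, blocked_queries, total_queries).

    Every matching query is blocked automatically; alerts are rolled up
    per client device so the responder sees which machine to investigate
    instead of a duplicate alert for every beacon.
    """
    alerts: dict[str, DeviceAlert] = {}
    blocked = total = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        total += 1
        ts, client, name = line.split()
        if not is_blocked(name, blocklist):
            continue  # benign or merely unknown: no alert, no block
        blocked += 1
        alert = alerts.setdefault(client, DeviceAlert(device=client, first_seen=ts))
        alert.query_count += 1
        alert.domains.add(name.rstrip(".").lower())
    return list(alerts.values()), blocked, total


if __name__ == "__main__":
    found, n_blocked, n_total = triage(SAMPLE_LOG, BLOCKLIST)
    print(f"{n_total} queries, {n_blocked} blocked, {len(found)} alerts")
    for a in found:
        print(a.message())
```

Run on the sample log, the nine queries produce five blocks but only two alerts, one naming `10.0.0.7` (four queries to two malicious domains) and one naming `10.0.0.11`; the benign and look-alike queries produce nothing at all. The same roll-up idea applies to any other alert source: block on the indicator, but alert on the device.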
Automating Your Way to More Efficient Malware Protection
With fewer but more accurate alerts, security and IT teams can become far more effective at stopping attackers in their tracks before they can do damage to businesses.
Taking an automated approach to malware detection and protection, your team will save hours, days, or even months that were previously spent dealing with malware. This means you can finally optimize your team to work on the high-value tasks, such as responding to threats and proactively securing your organization from future threats.
That’s a 0 for our adversaries, and a 1 for us defenders.
Strongarm is free until after your first attack.