Alert Fatigue Puts Your Organization at Risk; Here’s What to do about it

Originally featured in Cyber Defense Magazine.

By Derek Nugent, Vice President Sales, Marketing & Customer Success at Difenda

Alerts, notifications, and non-stop calls from shady telemarketers pitching extended warranties – we all get more alerts each day than we can manage. For security professionals, the flood of alerts is even worse, much worse, extending to the essential tools they need to do their jobs.

The negative impacts of this deluge of alerts are felt anytime an overworked security professional suffering from “alert fatigue” neglects to block an attacker or detect malware because the signals were ignored or simply lost amidst the noise.

What Causes Alert Fatigue?

There are five main drivers of alert fatigue:

  • Security Technology Creep
  • Explosion of Automated Attacks
  • Ineffective Configuration and Use of Tools
  • Global Threat Landscape Events
  • Limited Resources to Devote to the Problem

Each new layer of security that businesses add to address evolving security risks generates its own stream of notifications, alerts, and alarms. Some are actionable, many are not. Antivirus, IPS software, and firewalls, to name only a few layers, all generate alerts that tend to be poorly correlated.

Security defense is asymmetric: an attacker needs to succeed only once to severely damage a business, while the organization’s security team must ward off attacks 24x7x365. Vendors therefore tune their products toward sensitivity, accepting false positives rather than risk missing an attack, and that bias makes some degree of alert fatigue inevitable.

As a result, security analysts, who are already coping with too many responsibilities and too few resources, must constantly cope with alert fatigue, which leads to critical alerts being missed at an alarmingly high rate. Alert overload not only increases your organization’s overall cybersecurity risks, but also results in low job satisfaction and high turnover for burned-out employees.

COVID-19, Digital Transformation Drive Spike in Alerts

When experts study enterprise security, they find a few troubling trends that directly cause an increase of alert overload. First, as enterprises continue to migrate applications and data to the cloud as part of digital transformation initiatives, new security protections are added, often from new vendors.

The Cloud Security Alliance’s recent report, “State of Cloud Security: Concerns, Challenges, and Incidents,” found that as remote workforces grew, so too did the reliance on additional cloud-delivered security tools and virtual firewalls. The report found that “the use of cloud providers’ additional security controls jumped from 58% in 2019 to 71% in 2021.”

The report’s authors believe that due to the current health crisis and the dramatic increase in remote work, many organizations are unable to secure their networks – which are often hybrid ones with a mix of legacy on-premises, public cloud, and private cloud infrastructure – using only traditional tools. Therefore, organizations have had no choice but to add new security controls, each of which generates new alerts.

More than 5000 Daily Security Alerts and that Was Before COVID

Now, consider that before the pandemic hit, Cisco found in its “2017 Annual Cybersecurity Report” that 44% of security operations managers were already seeing more than 5,000 security alerts per day. In other words, alert fatigue was the new normal before remote workforces exploded and digital transformation and cloud migration initiatives accelerated.

The study also found that most companies used more than five security products in their environment, and those products often came from more than five security vendors. A full 65% of enterprises surveyed used six or more security products, while more than half (55%) of those surveyed reported they had to respond to alerts from at least six different vendors.

A 2019 study by CCS Insights of 400 senior IT leaders found that in enterprises with more than 1,000 employees the thicket of tools security teams must manage is even more complicated. CCS Insights found that the average large business had more than 70 different security products from 35 different suppliers, and while most enterprises intend to consolidate security, the consolidation trend has yet to get started in any significant way.

As we start to emerge from the pandemic, security infrastructure isn’t getting any simpler and alert volumes aren’t getting any easier to manage.

According to a recent survey of nearly 400 security operations professionals (commissioned by Siemplify), 42% report that their alert volumes are higher now than before the pandemic, while 51% say investigating suspicious activities has become a much bigger challenge in remote and hybrid environments.

Unfortunately, a number of factors threaten to add to the problem of alert fatigue in the near term. These include, but are not limited to, the normalization of remote and mobile workforces, the rise of state-sponsored malware and hacks related to Russia’s invasion of Ukraine, and easy access to and automation of sophisticated hacking tools. At the same time, entire classes of threats are on the rise, including critical infrastructure attacks, ransomware, cloud storage leaks, and business email compromise (BEC) attacks.

Thus, the volume of alerts will continue to rise and so too will the probability that your security team will eventually miss something critical, leading to a hack, a costly data breach, or some other negative outcome.

Unfortunately, another thing on the rise in parallel to alert overload is the cost of those negative outcomes. For instance, IBM and the Ponemon Institute’s annual “Cost of a Data Breach Report” found that the cost of an average data breach rose from $3.86 million in 2020 to $4.24 million in 2021, the highest average total cost in the 17-year history of the report.

How Microsoft Tackles Alert Fatigue

One shortcut to reducing alert fatigue is through vendor consolidation. For instance, for those organizations already dependent on Microsoft productivity tools and Azure Cloud, it makes sense to consolidate on that platform.

Soon after investing heavily in its Azure cloud platform, Microsoft also saw the need to tightly integrate security into its cloud stack rather than layering it on afterwards. Thus, in recent years, Microsoft has invested $1 billion in security development, and that investment has already earned recognition from top-tier industry analysts. For instance, research firm Gartner lists Microsoft as a “Leader” in a number of its Magic Quadrant reports, including endpoint protection platforms, access management, cloud access security brokers (CASB), and more.

Microsoft has also mapped out a strategy to avoid alert fatigue, a strategy that can help your organization regain control over alert flows.

Microsoft recommends adopting technologies such as Artificial Intelligence (AI) and Machine Learning (ML) to help find signal in the alert noise. Organizations should automate as many error-prone, repetitive tasks as possible in their SOCs, maintain up-to-date watch lists to prioritize activities from known bad actors, and adopt cloud-native solutions for better integration.

For organizations already struggling with limited IT resources, however, there are a few other steps you can follow to mitigate alert fatigue. The seven steps outlined below will help your organization alleviate alert fatigue in a way that should align with initiatives already underway, such as digital transformation and cloud migration.

7 Ways to Mitigate Alert Fatigue

  1. Consolidate security tools and vendors

Managing multiple security tools from multiple vendors becomes much easier if you take a platform approach to security and then build on that platform with best-in-class tools from the same vendor and/or its vetted partners.

At my company Difenda, we decided to build our SecOps-as-a-Service around Microsoft security tools not only because so many of them are best in class, but also because we believe that a consolidated security approach is the only way to keep ahead of the problems created by an increasingly complex threat environment.

Consolidated security stacks from single vendors and their certified partners will provide you with a unified dashboard that makes it easier to correlate alerts, while also reducing the chance that integration gaps between products will undermine your defenses.

  2. Integrate that which cannot be consolidated

Whatever vendor you decide to use as the foundation of your security stack – Microsoft or otherwise – should be one with robust protections against a range of threats that also integrates easily with other tools, offering your organization an easy way to pull other alerts from third-party tools into a unified dashboard. Ideally, AI or ML capabilities will then automatically correlate those alerts with those from the rest of your security stack.

Look for certified partners who have been tested for interoperability, and in the rare cases where you need something from outside of that ecosystem, be sure that the security tool offers open APIs. Before adopting any new tools, it’s also a good idea to research what existing users have to say about “vendor lock-in” and “lack of integration” before you commit to any new security vendors.

  3. Embrace continuous security improvements

The core tenets of the agile software development movement apply equally well to security, especially when it comes to reducing alert fatigue: favor individuals and interactions over processes and tools, iterate quickly, and act on real-world feedback as soon as it arrives.

One core tenet of agile is especially important for security: continuous improvement.

The security threat landscape and tools monitoring it will never stop evolving, so organizations will need to adopt processes that enable them to adapt quickly to stay ahead of the threat curve.

  4. Automate, automate, automate

Automation is another key principle for achieving agile security operations, and it’s one that Microsoft stresses in its alert fatigue mitigation plan. For most large organizations, automation is necessary to even begin to alleviate alert fatigue. In a tight labor market, there simply are not enough skilled security experts available to tackle a problem of this scale unless manual, repetitive processes are automated. Basic alert de-duplication and correlation, checking alerts against watch lists, and ingesting patches and updates are all activities that should be automated to free up security professionals for work such as threat hunting and remediation.

  5. Include compliance as part of your automation efforts

In heavily regulated industries, many security alerts tie directly back to regulatory obligations, and even if your business is not subject to regimes like PCI DSS or HIPAA, newer privacy laws such as the GDPR in Europe and the CCPA in California add obligations, and thus risks, for a large swath of the economy.

As you seek to automate security tasks, be sure to investigate ways to tie compliance into the process, which will streamline the overall process and reduce risks. For instance, Microsoft’s Purview Compliance Manager helps organizations integrate compliance with security operations, ensuring that they keep up with changing regulatory requirements and shifting risks.

  6. Intelligently prioritize incident response

Not all alerts are created equal, and even actionable ones don’t all carry the same level of risk. Thus, it’s important to prioritize the systems and applications that pose the biggest risks if breached or otherwise damaged.

Prioritizing known attack vectors, actively watching for high-risk behaviors such as privileged-account activity, and maintaining a watch list of known high-risk attackers will significantly cut response times by focusing your team on the most pressing threats.

As you investigate how to reduce alert fatigue, be sure your security provider offers a Configuration Management Database (CMDB) to provide real-time visibility into all of your networked assets. Ideally, your CMDB should automatically track the changing state of those assets (patches, updates, etc.) and correlate them with vulnerability scans and threat hunts.
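The automation called for in step 4 (de-duplication, correlation, watch-list checks) and the prioritization in step 6 (privileged accounts, known-bad actors, asset criticality from a CMDB) come together in one triage pipeline. The Python below is an added example written for this page, not code from Difenda or Microsoft; the three vendor record formats, the watch list, the asset criticality table, the privileged-user list and the alerts are all constructed sample data, and the scoring weights are illustrative choices.

```python
"""Alert triage pipeline: normalize, de-duplicate, correlate and rank alerts from several tools.
Added example; every input here (vendor record formats, watch list, CMDB extract, alerts) is constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Hypothetical enrichment sources: threat-intel watch list, CMDB criticality (0 = low value ... 3 = crown jewel), privileged accounts.
WATCHLIST_IPS = {"203.0.113.7"}
ASSET_CRITICALITY = {"db01": 3, "fin-ws12": 2, "kiosk07": 0}
PRIVILEGED_USERS = {"svc_backup", "admin.jdoe"}


@dataclass
class Alert:
    source: str
    rule: str
    severity: str
    host: Optional[str] = None
    user: Optional[str] = None
    src_ip: Optional[str] = None
    count: int = 1  # number of raw alerts this record stands for after de-duplication


def normalize(raw: Dict) -> Alert:
    """Map each (made-up) vendor schema onto the common Alert fields."""
    v = raw["vendor"]
    if v == "edr":
        return Alert("edr", raw["detection"], raw["sev"], host=raw["device"], user=raw.get("account"))
    if v == "fw":
        return Alert("fw", raw["signature"], raw["priority"], host=raw.get("dst_host"), src_ip=raw["src"])
    if v == "idp":
        return Alert("idp", raw["event"], raw["risk"], user=raw["principal"], src_ip=raw.get("ip"))
    raise ValueError(f"unknown vendor {v!r}")


def deduplicate(alerts: List[Alert]) -> List[Alert]:
    """Collapse repeats of the same rule on the same entities into one record with a hit count."""
    seen: Dict[tuple, Alert] = {}
    for a in alerts:
        key = (a.source, a.rule, a.host, a.user, a.src_ip)
        if key in seen:
            seen[key].count += 1
        else:
            seen[key] = a
    return list(seen.values())


def entities(a: Alert) -> List[str]:
    """Tokens an alert can be joined on; an alert with none stays in its own incident."""
    ents = [f"{k}:{v}" for k, v in (("host", a.host), ("user", a.user), ("ip", a.src_ip)) if v]
    return ents or [f"alert:{id(a)}"]


def correlate(alerts: List[Alert]) -> List[List[Alert]]:
    """Union-find over shared entities: alerts linked by a host, user or IP become one incident.
    Caveat: a shared NAT/proxy address would chain unrelated alerts, so exclude such addresses first."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a in alerts:
        ents = entities(a)
        for e in ents[1:]:
            parent[find(ents[0])] = find(e)
    groups = defaultdict(list)
    for a in alerts:
        groups[find(entities(a)[0])].append(a)
    return list(groups.values())


def score(incident: List[Alert]) -> int:
    """Worst severity plus context: watch-list hit, asset value, privileged user, independent tools agreeing."""
    s = max(SEVERITY[a.severity] for a in incident)
    s += 3 if any(a.src_ip in WATCHLIST_IPS for a in incident) else 0
    s += max((ASSET_CRITICALITY.get(a.host, 1) for a in incident if a.host), default=0)  # unknown host = 1
    s += 2 if any(a.user in PRIVILEGED_USERS for a in incident) else 0
    s += 2 * (len({a.source for a in incident}) - 1)
    return s


def triage(raw_alerts: List[Dict]) -> List[Dict]:
    """Full pipeline; returns incidents ranked from most to least urgent."""
    incidents = correlate(deduplicate([normalize(r) for r in raw_alerts]))
    incidents.sort(key=score, reverse=True)
    return [{"score": score(inc), "sources": sorted({a.source for a in inc}),
             "rules": sorted(a.rule for a in inc), "alerts": sum(a.count for a in inc)} for inc in incidents]


SAMPLE_ALERTS = [  # constructed: one attack chain seen by three tools, buried in noise
    {"vendor": "fw", "signature": "Inbound RDP from external", "priority": "medium", "src": "203.0.113.7", "dst_host": "fin-ws12"},
    {"vendor": "idp", "event": "Impossible travel sign-in", "risk": "medium", "principal": "admin.jdoe", "ip": "203.0.113.7"},
    {"vendor": "edr", "detection": "LSASS memory read", "sev": "high", "device": "fin-ws12", "account": "admin.jdoe"},
    {"vendor": "fw", "signature": "Port scan", "priority": "low", "src": "198.51.100.20"},
] + [{"vendor": "edr", "detection": "PUA: browser toolbar", "sev": "low", "device": "kiosk07"} for _ in range(40)]

if __name__ == "__main__":
    for incident in triage(SAMPLE_ALERTS):
        print(incident)
```

Run on the sample, 44 raw alerts collapse to three incidents: the forty identical kiosk alerts become one record with a count of 40 and a score of 1, the lone port scan scores 1, and the RDP login, impossible-travel sign-in and LSASS read are stitched into a single incident (they share the finance workstation, the admin account and the watch-listed address) that scores 14 and lands at the top of the queue. The value of the CMDB and watch-list enrichment is visible in that ranking: without it the three medium/high alerts would sit among hundreds of similar ones.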

  7. Outsource alert management to a security provider that offers Managed Detection and Response (MDR) services

A common cause of alert fatigue can be traced back to limited resources. If your organization does not have a large enough staff to manage SOC activities, you may have a hard time recruiting and retaining staff in this tight labor market.

In late 2020, a Microsoft survey revealed that 82% of respondents planned to add security staff in the coming year, while 81% also said that they needed to lower security costs. That’s a tough combination to manage.

How does an organization add staff, while also lowering security costs?

The only way to do that today without increasing your organization’s attack surface is to outsource costly security management burdens to service providers that are positioned to take advantage of economies of scale.

Managed Detection and Response (MDR) service providers focus on one thing and one thing only – security. They will have already optimized and automated much of the alert management process, and MDR service providers will also have more resources to hunt threats, integrate alerts from third parties, and detect zero-day threats before they cause problems.

However, when outsourcing MDR, it’s probably wise to find a security service provider that will also provide complementary security services, such as managed SIEM and managed endpoint protection. Prioritizing consolidation, certified partner solutions, and tested integrations will help you not only mitigate alert fatigue, but also will help you embrace agile security as a core part of your organization’s ongoing digital transformation efforts.


About Difenda 

Difenda is a privately held MDR SecOps-as-a-Service company founded in 2008. It delivers 24/7/365 security operations backed by modernized PCI, SOC 2 Type II, and ISO 27001 certified Cyber Command Centers (C3). Difenda’s managed practice is powered solely on the Microsoft Security product platform, and it holds the Gold Security Service Provider certification and an Advanced Specialization in Threat Protection with Microsoft. Difenda’s fully integrated, modular platform provides a range of advisory and offensive security services to complement customer-driven outcomes. For more information, visit difenda.com and follow @DifendaShield. 
