A Blog by Jonathan Low


Mar 15, 2022

Crisis Is "Desensitizing and Overwhelming" Cloud Security Teams

Even before the Ukraine crisis, 72% of cybersecurity professionals considered leaving their jobs because of stress and overwork. 

Adding to the burden is a high rate of false positive security alerts, often for minor issues, which adds to the workload, deflects attention from more serious matters and contributes to burnout, which further reduces security. More and better technology and increased staffing are required to address the problem. JL 

Kyle Alspach reports in VentureBeat (image: Cloud Pro):

59% of respondents report they receive more than 500 alerts about cloud security per day. 38% report receiving more than 1,000 alerts each day. “Alert fatigue” is a problem for cybersecurity teams, with detrimental results for everything from the security of cloud environments to staff retention. 80% said four out of five alerts are false positives. Many security tools are not able to separate the “wheat from the chaff” and overreport issues. “When security teams are flooded with low-priority alerts containing a high proportion of false positives, they become overwhelmed and desensitized and start ignoring alerts.”

While it’s well-known that “alert fatigue” is a problem for many cybersecurity teams, the issue is having detrimental results in everything from the security of cloud environments to staff retention, according to a new survey.

Orca Security, a cloud security startup that commissioned the new survey, says it’s the first research to specifically focus on the problem of public cloud security alert fatigue. The term refers to the fact that many security teams have become overloaded with alerts, generated by their security tools, which the teams must respond to.

Among the findings of the 2022 Cloud Security Alert Fatigue Report is that 59% of respondents report that they receive more than 500 alerts about public cloud security per day. Thirty-eight percent report receiving more than 1,000 of these alerts each day.

And many of the alerts do not actually represent a cyber threat. A significant proportion of respondents — 43% — said that more than 40% of public cloud security alerts are false positives. Meanwhile, four out of five respondents said that more than 20% of their alerts are false positives.

Taken together, the result is that security for many organizations is suffering, as real cyberattacks are being missed, according to Orca Security.

“When security teams are flooded with hundreds of low-priority alerts containing a high proportion of false positives, they become overwhelmed and desensitized and start ignoring alerts,” said Avi Shua, cofounder and CEO at Orca Security, in an email to VentureBeat. “This leads to alerts that actually do deserve attention getting missed, negatively impacting a company’s cloud security posture and opening the door to potential attacks and breaches.”

Many security tools are not able to separate the “wheat from the chaff” and generally overreport issues, Shua said. This is because they lack the contextual insight needed for effective risk prioritization, he said.

Instead, these tools must take a narrow view of risk by only looking at the severity and exploitability, “without regard for risks in other levels of the technology stack and how they could potentially be combined to create dangerous attack paths,” Shua said.

Indeed, 55% of respondents said their teams are missing critical alerts — risks that could endanger the organization’s critical assets, including personally identifiable information.

Tool sprawl

Part of the issue is the large number of tools that many organizations now use to secure their public cloud environments, which are increasingly spread across multiple clouds, according to the survey.

Fifty-five percent of respondents said they use at least three different cloud providers, and 57% said they use at least five different tools for cloud security.

This issue of “tool sprawl” is due in part to the fact that until recently, there weren’t that many consolidated cloud security tools, Shua said. The cloud security market has typically seen many point solutions that were each focused on their own areas — such as cloud workloads, cloud configurations or cloud infrastructure entitlements, he said.

“The current cloud security market is now maturing and we are expecting to see a growing trend towards tool consolidation,” Shua said, noting that Gartner is now recommending that organizations start replacing point solutions with unified platforms.

Another part of the problem is that many security tools just don’t integrate very well.

“The different security tools don’t work together and create duplicate alerts regarding the same issues,” Shua said. “This creates even more work for security teams since they need to correlate alerts and eliminate the duplicate ones.”
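The two mechanisms Shua describes above, tools that rank findings on severity alone without context from the rest of the stack, and tools that raise duplicate alerts for the same issue that the team must then correlate, can be shown concretely in a small triage pass. The following is an added example, not code from the article, from VentureBeat or from Orca Security; the tool names, the sample alerts and the context weighting are constructed assumptions for illustration. It merges alerts that different tools raise for the same finding on the same asset, then ranks what remains by internet exposure and data sensitivity rather than by vendor severity label alone.

```python
"""
Added example, not code from the VentureBeat article or from Orca Security:
a small triage pass over alerts from several cloud security tools. It
(1) merges duplicate alerts that different tools raise for the same finding
on the same asset, and (2) ranks what remains by context (internet exposure,
whether the asset handles PII) instead of by vendor severity alone.
The alerts, tool names and weighting below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# ordinal value for the severity label each tool assigns
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Alert:
    tool: str
    asset: str
    finding: str                 # title exactly as the tool reports it
    severity: str
    internet_exposed: bool = False
    handles_pii: bool = False
    sources: list = field(default_factory=list)  # tools that raised it


def finding_key(alert):
    """Normalise (asset, finding) so case and punctuation differences across
    tools collapse to one key: lowercase, punctuation to spaces, whitespace
    collapsed. Deliberately simple; real correlation would map vendor IDs."""
    def norm(s):
        return " ".join(re.sub(r"[^a-z0-9]+", " ", s.lower()).split())
    return (norm(alert.asset), norm(alert.finding))


def deduplicate(alerts):
    """Merge alerts sharing a key; keep the highest severity any tool gave
    the finding and the union of the context flags."""
    merged = {}
    for a in alerts:
        key = finding_key(a)
        if key not in merged:
            merged[key] = Alert(a.tool, a.asset, a.finding, a.severity,
                                a.internet_exposed, a.handles_pii, [a.tool])
            continue
        m = merged[key]
        m.sources.append(a.tool)
        if SEVERITY_SCORE[a.severity] > SEVERITY_SCORE[m.severity]:
            m.severity = a.severity
        m.internet_exposed = m.internet_exposed or a.internet_exposed
        m.handles_pii = m.handles_pii or a.handles_pii
    return list(merged.values())


def risk_score(alert):
    """Hypothetical weighting: severity scaled by how reachable the asset is
    and what it holds. A 'critical' on an unreachable, data-free asset
    should not automatically outrank a 'medium' on an exposed PII store."""
    weight = 1 + (2 if alert.internet_exposed else 0) + (1 if alert.handles_pii else 0)
    return SEVERITY_SCORE[alert.severity] * weight


def triage(alerts):
    """Deduplicated alerts, highest contextual risk first."""
    return sorted(deduplicate(alerts), key=risk_score, reverse=True)


# constructed sample feed from three hypothetical tools
SAMPLE_ALERTS = [
    Alert("scanner-a", "vm/web-01", "Outdated OpenSSL package", "high", internet_exposed=True),
    Alert("scanner-b", "vm/web-01", "outdated openssl package!", "medium", internet_exposed=True),
    Alert("cspm", "s3/archive-2019", "Bucket versioning disabled", "critical"),
    Alert("ciem", "iam/reporting-svc", "Overly permissive role", "medium",
          internet_exposed=True, handles_pii=True),
    Alert("scanner-a", "vm/db-01", "Unencrypted volume", "high", handles_pii=True),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(f"{risk_score(a):>3}  {a.severity:<8} {a.asset:<20} {a.finding}  via {a.sources}")
```

Run as a script, the five raw alerts become four: the two OpenSSL reports on `vm/web-01` merge into one entry attributed to both scanners, and the "critical" versioning finding on an internal, data-free bucket drops to the bottom of the queue behind a "medium" on an exposed role that touches PII. The weighting itself is a placeholder; the point is that the ranking input must include asset reachability and data sensitivity, not only the severity string each tool emits.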

Ultimately, in addition to affecting an organization’s overall security, the issues of alert fatigue also lead to burnout, according to the survey. Sixty-two percent of respondents said that alert fatigue has been a contributor to staff turnover, while 60% said that internal friction has been among the results.

The Cloud Security Alert Fatigue Report surveyed 813 IT decision makers, across 10 industries. The survey respondents were located in five countries — the U.S., Australia, Germany, France and the U.K.
