Want to fight alert fatigue (in SOC)? Do this...
Alert fatigue happens when a soc analyst ends up looking at too many alerts, resulting in missing crucial alerts. So, what's the way out? Read on.
Security Operations Center (SOC) is an important part of any defensive infrastructure.
It is only natural to create alerts for use-cases that an organization deem important. However, alert fatigue could kick-in.
Alert fatigue happens when a soc analyst ends up looking at so many alerts, that his/ her ability to decide on a suitable action is hampered.
This puts the organisation at risk. The analyst may miss a crucial alert. However, the analyst didn't do it on purpose. he/ she just got fatigued by looking at so many alerts in a day.
So, what's the way out?
one trick could be to name your alerts so that they scream at you to pay attention. e.g., imagine an alert titled in the format below: -
'device control'-'your favourite AV'-'a removable storage device was inserted'
compared to the alert title below: -
'someone inserted a USB'
Which one screams at you? Which title doesn't need you to understand/ de-cipher the meaning?
At the intersection of pentest, auditing, risk management and career advice. Musings based on real experiences, not theory. All infosec, mashed up.
Follow the Risky Context channel on WhatsApp (if WhatsApp is your thing. Your number is not shared with others when you connect to my channel): https://whatsapp.com/channel/0029VaDqrFU8aKvQohD5nq0r