
We just got back last Saturday from our annual family trip on the Cape. We had an amazing week of fun in the sun.
And why not? It’s hard to go wrong when the toughest decisions of the day are: Beach or pool in the morning? Where should we go to dinner? When should we get ice cream?
But that quickly changed on Saturday morning, the day we were scheduled to come home. Because at 5:13 AM, Rachel’s phone rang. It was a call from our alarm company.
“We detected a second-floor fire alarm in your house and have alerted the fire department.”
Uh oh. Rachel was pretty unnerved by the call. I, on the other hand, remained calm.
Is it because after years in cybersecurity, I have developed the steely, unflappable confidence of a secret agent?
No, but thank you. It’s because after years in cybersecurity, I know that most alerts are false alarms.
And, as it turned out, this one was as well. Our town’s fire department diligently checked it out and called to let us know everything was okay.
Alert Fatigue is Real
Alerts occur when something out of the ordinary takes place. That’s what’s supposed to happen.
The challenge, however, is that security tools are designed to err on the side of caution, flagging anything that might be suspicious to avoid missing real threats.
This casts a wide net but catches many harmless activities, too. If you tried to fix everything every time something “out of the ordinary” occurred, you wouldn’t get anything else done.
In cybersecurity, there are several reasons for so many false alarms. Some of the most significant include:
- Complex Environments. Modern IT environments include cloud services, on-premises networks, remote users, and third-party integrations. This complexity creates many data points and potential deviations from “normal,” triggering many alerts.
- Multiple Overlapping Tools. Organizations often use different security tools (EDR, SIEM, firewalls, etc.), each with its own alerting logic. This leads to duplicated or correlated alerts for the same underlying activity.
- Evolving Threat Landscape. Threat detection rules are updated frequently to keep up with new types of attacks. When past events suddenly match the new criteria, even more alerts are created.
In practice, with so many alerts going off all the time, a lot of businesses experience alert fatigue. Like the car alarms we all ignore, organizations become desensitized to them.
It would be great if there were a systematic, intelligent way to simply dial down the sensitivity of alerts across all tools and functions. But even if everything were interconnected into one system, the amount of planning and execution required to correlate data and filter out the noise to find the signal is too much for the typical small or even medium-sized company to handle.
Multiple Vulnerabilities
A vulnerability is a weakness or flaw in a system — something that can be exploited by an attacker to gain unauthorized access, cause damage, or perform unintended actions.
And because an environment can contain thousands of vulnerabilities, managing them, like managing alerts, is another area that leads to information overload.
Here, too, prioritization is not obvious or easy. For example, a knight’s suit of armor with a hole in it is a vulnerability. It won’t necessarily lead to trouble … but a well-placed arrow could be catastrophic. On any given day, how much attention does it deserve?
Two common options:
CVE (Common Vulnerabilities and Exposures)
This public database assigns scores on a 1–10 scale to known software vulnerabilities. It’s a way to standardize tracking and prioritization and is certainly better than nothing.
But… it’s unaware of your specific environment and context; it’s compliance-driven rather than risk-driven; and it ignores asset value or business impact, potentially leading to prioritizing fixes in the wrong areas.
EPSS (Exploit Prediction Scoring System)
Unlike CVE, this data-driven risk score estimates the likelihood of a software vulnerability being exploited within a given time frame (usually 30 days). EPSS focuses on real-world exploit probability, which is more helpful in prioritizing fixes based on actual risk.
For example, if EPSS detects a significant increase in arrow-bearing sharpshooters and sales of poison arrows, patching the hole in that suit of armor would suddenly become more important.
Steps to Take
That’s great, but given how difficult it is to manage all the alerts and vulnerabilities, what should we do?
Calibrate alerts the best you can.
If there are alerts that your team is regularly ignoring, focus on the why. Can you turn them off? If not, should you really be ignoring them?
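One way to put the "focus on the why" step into practice is to look at a week of triage outcomes and list the rules that fire constantly but almost never turn into a real incident. This is an added example, not code from the original post; the triage records and disposition names ("true_positive", "benign", "ignored") are constructed.

```python
"""Find alert rules that fire often but almost never end in a real incident.

Added example, not from the original post. The triage records are constructed:
each is (rule name, analyst disposition), with dispositions assumed to be
"true_positive", "benign", or "ignored".
"""
from collections import Counter, defaultdict

# Constructed sample of one week's triage outcomes (not real data).
TRIAGE = (
    [("impossible_travel", "ignored")] * 5
    + [("impossible_travel", "benign")] * 3
    + [("port_scan_internal", "ignored")] * 6
    + [("edr_credential_dump", "true_positive")] * 2
    + [("phishing_report", "benign")] * 3
    + [("phishing_report", "true_positive")]
)


def summarize(records):
    """Return {rule: Counter(total=n, true_positive=n, benign=n, ignored=n)}."""
    stats = defaultdict(Counter)
    for rule, disposition in records:
        stats[rule]["total"] += 1
        stats[rule][disposition] += 1
    return stats


def tuning_candidates(records, min_fires=5, max_tp_rate=0.05):
    """Rules that fired at least min_fires times with a true-positive rate at or
    below max_tp_rate. These are the ones to ask "why are we ignoring this?" about:
    turn them off, tighten them, or start actually working them.

    Returns (rule, total fires, times ignored, true-positive rate), noisiest first.
    """
    out = []
    for rule, c in summarize(records).items():
        if c["total"] < min_fires:
            continue  # too few fires to judge; leave it alone for now
        tp_rate = c["true_positive"] / c["total"]
        if tp_rate <= max_tp_rate:
            out.append((rule, c["total"], c["ignored"], round(tp_rate, 3)))
    return sorted(out, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for rule, total, ignored, tp_rate in tuning_candidates(TRIAGE):
        print(f"{rule}: {total} fires, {ignored} ignored, TP rate {tp_rate}")
```

Rules with a handful of true positives buried in noise (like the phishing reports here) are deliberately kept out of the list; those need tightening, not switching off.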
Calibrate your vulnerability management program.
Pay attention to the vulnerabilities being actively exploited by using measures such as EPSS, which is much more useful in practice than CVE.
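The contrast between the severity-score and EPSS approaches described above, and this calibration step, can be seen in a small ranking exercise. This is an added example, not code from the original post: the findings are constructed, "severity" stands in for the 1-10 score discussed earlier, "epss" is the 30-day exploitation probability, and "impact" is an assumed per-asset business weight (1 = low value, 3 = crown jewels) that a severity score by itself knows nothing about.

```python
"""Rank findings by exploit likelihood and business impact rather than severity alone.

Added example, not from the original post. All values are constructed:
severity is a 1-10 score, epss is a 0-1 probability of exploitation within
30 days, and impact is an assumed asset weight (1 low .. 3 crown jewels).
"""

# Constructed findings; IDs and asset names are placeholders.
FINDINGS = [
    {"id": "VULN-A", "asset": "internal-wiki", "severity": 9.8, "epss": 0.01, "impact": 1},
    {"id": "VULN-B", "asset": "customer-db", "severity": 7.5, "epss": 0.92, "impact": 3},
    {"id": "VULN-C", "asset": "vpn-gateway", "severity": 8.1, "epss": 0.45, "impact": 3},
    {"id": "VULN-D", "asset": "test-jenkins", "severity": 9.1, "epss": 0.004, "impact": 1},
]


def by_severity(findings):
    """The 'patch the highest score first' ordering: context-free."""
    return [f["id"] for f in sorted(findings, key=lambda f: f["severity"], reverse=True)]


def risk_score(f):
    """Likelihood x impact, with severity/100 as a tiebreaker so it still matters."""
    return f["epss"] * f["impact"] + f["severity"] / 100


def by_risk(findings):
    """Risk-driven ordering: what is likely to be hit, on assets that matter."""
    return [f["id"] for f in sorted(findings, key=risk_score, reverse=True)]


def fix_first(findings, epss_floor=0.1):
    """The short list for this patch cycle: risk order, but only findings whose
    exploitation probability is at or above epss_floor (assumed threshold)."""
    return [f["id"] for f in sorted(findings, key=risk_score, reverse=True)
            if f["epss"] >= epss_floor]


if __name__ == "__main__":
    print("severity order:", by_severity(FINDINGS))
    print("risk order:    ", by_risk(FINDINGS))
    print("fix first:     ", fix_first(FINDINGS))
```

The two "critical" findings on low-value test systems drop to the bottom once likelihood and asset value are considered, while the 7.5 on the customer database moves to the top.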
Hire an MDR (Managed Detection and Response) vendor.
Often referred to as a Security Operations Center, MDR tends to be the best option for a small or midsize business. These outsourced solutions monitor the behavior of your environment (e.g., your EDR solution, your network, your cloud hosting platforms), notify you if something out of the ordinary is detected, and take steps to contain the problem.
MDR moves the burden of tracking, detecting, correlating data, and prioritizing potential threats to a third party — one that is explicitly in the business of filtering out the noise and only alerting you when there is a signal worth paying attention to.
It’s not perfect either, but it’s a lot better than trying to manage this yourself with scarce internal resources.
Cut Through the Noise
Alert fatigue overwhelms security teams because cybersecurity tools trigger lots of false alarms, making genuine threats harder to spot. Managing vulnerabilities adds another layer of complexity as companies scramble to figure out where to focus attention.
With all the noise out there, the trick is figuring out what matters and what doesn’t — and getting the right help to stay on top of things.
Gotta run. The motion-activated security lights in my backyard just lit up which probably means… nothing.