Efficient Alert Management Lacking in Many Organizations: Report

Security alerts can be highly useful in protecting an organization against a data breach, but inefficient alert management can have serious consequences, a new report shows.

The study, conducted by IDC on behalf of FireEye, has revealed that roughly 15% of global organizations face more than 50,000 security alerts each month. In the United States, 37% of organizations receive over 50,000 alerts, while nearly one third of them have to deal with between 10,000 and 49,999 alerts.

According to the report, 35% of the 500 surveyed enterprises spend as many as 500 hours per month dealing with security alerts, which means at least three full-time positions are needed just for alert management.

The problem is that more than half of the alerts are false positives, and roughly one third of them are redundant across multiple threat detection platforms. However, only 42% of the respondents say they have automated systems in place for ignoring duplicate alerts, while the rest review them manually.
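An added example (not from the report or from FireEye) of the kind of automated duplicate handling the survey asks about: alerts from two hypothetical detection platforms are normalized onto a shared key and suppressed within a time window, while each kept alert records which platforms corroborated it. The rule-to-category mapping, field names and sample alerts are constructed.

```python
"""Cross-platform alert de-duplication on a normalized key and time window."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Alert:
    source: str     # detection platform that fired the alert
    rule: str       # that platform's own rule or signature name
    host: str       # affected endpoint
    indicator: str  # shared observable, e.g. destination domain or file hash
    ts: datetime

# Hypothetical mapping from each platform's rule name to a common category,
# so two products describing the same behaviour collapse to one key.
RULE_CATEGORY = {
    ("edr", "Suspicious PowerShell Download"): "powershell-download",
    ("nids", "ET POLICY PowerShell Download Cradle"): "powershell-download",
}

def dedup_key(a: Alert) -> tuple:
    category = RULE_CATEGORY.get((a.source, a.rule), f"{a.source}:{a.rule}")
    return (category, a.host.lower(), a.indicator.lower())

def dedup(alerts, window=timedelta(minutes=15)):
    """Return (kept, suppressed, corroboration). An alert is suppressed when one
    with the same key was kept within `window`; `corroboration` maps each kept
    alert to the set of platforms that reported it, so nothing is lost."""
    last_kept = {}        # key -> most recently kept Alert with that key
    corroboration = {}    # kept Alert -> set of sources that saw the same thing
    kept, suppressed = [], []
    for a in sorted(alerts, key=lambda x: x.ts):
        k = dedup_key(a)
        if k in last_kept and a.ts - last_kept[k].ts <= window:
            corroboration[last_kept[k]].add(a.source)
            suppressed.append(a)
        else:
            last_kept[k] = a
            corroboration[a] = {a.source}
            kept.append(a)
    return kept, suppressed, corroboration

def redundancy_rate(alerts, window=timedelta(minutes=15)) -> float:
    """Share of incoming alerts that merely repeat one already in the queue."""
    _, suppressed, _ = dedup(alerts, window)
    return len(suppressed) / len(alerts)

# Constructed sample: an EDR and a network IDS both see the same download on
# host ws-17 (note the case difference), and the EDR fires twice for it.
T = datetime(2024, 1, 8, 9, 0)
SAMPLE = [
    Alert("edr", "Suspicious PowerShell Download", "WS-17", "cdn.example.net", T),
    Alert("nids", "ET POLICY PowerShell Download Cradle", "ws-17", "cdn.example.net", T + timedelta(seconds=40)),
    Alert("edr", "Suspicious PowerShell Download", "ws-17", "cdn.example.net", T + timedelta(minutes=1)),
    Alert("edr", "Suspicious PowerShell Download", "ws-22", "cdn.example.net", T + timedelta(minutes=2)),
    Alert("nids", "ET SCAN Nmap Scripting Engine", "ws-22", "10.0.0.5", T + timedelta(minutes=3)),
    Alert("edr", "Suspicious PowerShell Download", "ws-17", "cdn.example.net", T + timedelta(hours=1)),
]
```

On this sample, two of six alerts are suppressed (a one-third redundancy rate) and the first kept alert shows both "edr" and "nids" as corroborating sources, while the repeat an hour later is kept as a new event.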

When it comes to addressing alerts, 75% of those surveyed said it takes them less than 5 hours to respond to critical alerts. On the other hand, 60% of respondents said moderate alert responses take between 6 and 12 hours, while 30% indicated that it takes more than one day to handle low priority alerts. This gives potential attackers enough time to cause damage.

Another issue highlighted in the report is that the volume of alerts might be masking quality problems. Almost half of respondents review the configuration of their security product every month in an effort to reduce alerts, but close to 80% of those who took part in the survey believe the quality of their alerts is either excellent or almost excellent. According to FireEye, this indicates a gap in how alert quality is perceived.

At most companies, roughly half of the IT security budget goes to alert monitoring. However, 75% of organizations don’t have dedicated staff for monitoring alerts, and only 35% of organizations outsource it, the report shows.

According to a study published last week by the Ponemon Institute and Damballa, organizations in the United States spend 21,000 hours per year on false positives, which translates into nearly $1.3 million wasted each year because of inaccurate intelligence.

“In resource-limited environments, every alert counts. Since most of us work in such environments, we need to ensure that we populate the work queue with only reliable, high fidelity, actionable alerts,” Joshua Goldfarb, Chief Security Strategist of FireEye’s Enterprise Forensics Group, said in a recent SecurityWeek column. “Fans of the conventional approach may say, ‘If I reduce from 100,000 alerts a day to 100 alerts a day, I may miss something.’ To those people, I would ask the following question: If you never look at 99% of your alerts, or you quickly dismiss them as false positives, what is the point of firing those alerts and what value do they add to security operations? Further, are you certain that you would not miss important alerts because their signal would be lost in the noise?”

“Before purchasing any technology intended to produce alerts destined for the work queue, we should ensure that it allows us to hone in on the activity we want to identify (the true positives/the signal), while minimizing the activity we do not want to identify (the false positives/the noise). As always, these technologies are tools that need to be properly leveraged as part of the larger people, process, and technology picture,” Goldfarb explained.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
