How Todyl MXDR reduces noise and alert fatigue

Nicholas Koken

With so many resources at play in a modern organization, adversaries have their pick of exploitation targets when attacking a business. Multiply that wide range of attack vectors by the number of cyberattacks carried out daily, and the result is a multitude of potential indicators of compromise (IOCs).

Because of this, many security professionals suffer from “alert fatigue,” growing numb to the sheer amount of information bombarding them daily. In the 2023 State of Enterprise DFIR Security, nearly 300 enterprise incident response professionals surveyed claimed alert fatigue was the main source of their burnout. Imagine how much more acutely teams with strapped security budgets and headcount feel that strain.

At Todyl, our Managed eXtended Detection and Response (MXDR) and Detection Engineering teams know a few things about reducing noise and fatigue in security operations.

Here are a few of the best practices we’ve developed while reducing noise and alert fatigue in security ops.

Reducing noise and fatigue as a 24x7 SOC

For MXDR, responding quickly and effectively to potential security threats is paramount. Therefore, it’s imperative that we operate as efficiently as possible to provide the best 24x7 security experience for our partners.

So, when it comes to removing noise from the equation, it all starts with the Todyl platform. Combining EDR, NGAV, SASE, SIEM, and more, Todyl is built to detect potential threats across the entire IT ecosystem.

Detecting

Reducing noise begins with those detections themselves. Our Detection Engineering team has built thousands of rules to detect indicators of threats to endpoints, networks, infrastructure, etc.

Rules are based on threat hunting, performed both by the Todyl team and by external threat hunters. We also leverage YARA rules as a basis for known threats and have gone so far as to reverse-engineer emerging threats to stay ahead of threat actors. Detection Engineering determines the viability of new rules and maintains current ones to ensure that they remain pertinent.

Key takeaway: Don’t let your detection rules become stale. Create and test new rules to keep your organization protected from rising threats. Review your detection rules routinely to weed out any unnecessary ones and tune out nominal behavior.

Analyzing

With a library of detection rules in place, MXDR begins leveraging them in the wild. All alerts are pooled within the Todyl managed cloud SIEM. Not only is this how Todyl users can see and act on their alerts, but it’s also the main control panel for MXDR.

MXDR examines all alerts to identify malicious activity but is especially careful with new rules. When a new rule goes into effect, MXDR monitors how and when it alerts. Todyl has an industry-leading false positive rate, a substantial portion of which can be attributed to MXDR’s constant tuning. MXDR identifies and analyzes how rules are triggered and responds to the alerts that indicate potential threats. If an alert appears to be a false positive or otherwise benign, MXDR works with Detection Engineering to filter, tune, and/or remove the rule as necessary to streamline the alert flow.

Key takeaway: Take the time to see how your detections work in the wild. However well-intentioned a rule is, you cannot know how it will perform until it has been put through its paces. Don’t be afraid to revisit rules and revise them as necessary to avoid creating unnecessary alerts.

Executing

The work doesn’t stop there. We communicate with our partners continuously to ensure our detection rules are as effective as possible. If a partner flags a rule as a potential false positive, MXDR investigates it as well. Depending on the circumstances, MXDR will tune the rule to get it working for the partner or request an entirely new custom rule to accommodate the partner’s environment.

This way, we ensure that the Todyl platform works optimally in any situation, unique or otherwise. By collaborating with the individuals who use detection rules daily, we actively reduce noise that may distract from real issues.

Key takeaway: Don’t rest on your laurels. Continuous optimization of detection rules keeps them relevant and helps reduce the fatigue created by false positives. Work with your vendors to make your product work best for you, and if they can’t accommodate you, find a new solution.
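The rule-tuning loop described in the Analyzing and Executing sections, as an added example that is not Todyl’s own code or data: closed alerts with their analyst or partner disposition are rolled up per rule, and each rule is mapped to a tune, remove, watch, or keep action. Rule names, disposition labels, the 80% false-positive threshold and the five-alert minimum volume are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of closed alerts: (rule name, disposition).
# "partner_benign" models a rule a partner flagged as noisy (Executing section).
SAMPLE_ALERTS = (
    [("powershell_encoded_command", "false_positive")] * 5
    + [("powershell_encoded_command", "true_positive")]
    + [("scheduled_task_creation", "benign")] * 6
    + [("scheduled_task_creation", "partner_benign")] * 2
    + [("lsass_handle_access", "true_positive")] * 2
    + [("new_rule_dns_txt_query", "false_positive")] * 2
    + [("new_rule_dns_txt_query", "true_positive")]
)

NOISE_DISPOSITIONS = {"false_positive", "benign", "partner_benign"}


def rule_stats(alerts):
    """Roll alerts up per rule: total volume, noisy count and noise rate."""
    stats = defaultdict(lambda: {"total": 0, "fp": 0})
    for rule, disposition in alerts:
        stats[rule]["total"] += 1
        if disposition in NOISE_DISPOSITIONS:
            stats[rule]["fp"] += 1
    for s in stats.values():
        s["fp_rate"] = s["fp"] / s["total"]
    return dict(stats)


def recommend(stats, fp_threshold=0.8, min_volume=5):
    """Map each rule to a tuning action (thresholds are assumed, not Todyl's)."""
    actions = {}
    for rule, s in stats.items():
        if s["fp"] == 0:
            actions[rule] = "keep"        # only true positives so far
        elif s["total"] < min_volume:
            actions[rule] = "watch"       # new/low-volume rule: keep observing
        elif s["fp_rate"] == 1.0:
            actions[rule] = "remove"      # never caught anything real
        elif s["fp_rate"] >= fp_threshold:
            actions[rule] = "tune"        # filter the benign behaviour it keys on
        else:
            actions[rule] = "keep"
    return actions


def noisiest(stats):
    """Rules ordered by how many noisy alerts they generated, loudest first."""
    return sorted(stats, key=lambda r: stats[r]["fp"], reverse=True)
```

Running `recommend(rule_stats(SAMPLE_ALERTS))` on the constructed sample flags the scheduled-task rule for removal, the encoded-PowerShell rule for tuning, and leaves the new DNS rule on watch until it has enough volume to judge.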

Learn more

We hope you can leverage some of these tips to streamline your detections, reduce noise, and eliminate alert fatigue from your operations. Alternatively, you can rely on Todyl MXDR to remove alert fatigue altogether by drawing on our expertise to help manage your security posture.

Learn more about what MXDR provides; read about our process in this blog.
