The Security Tool that Cried Wolf: When Alert Fatigue Becomes Alert Indifference

Rueben Medina

Head of Security

You’ve likely seen the headlines about 3CX suffering a supply chain attack. What you might have not seen is that 3CX was aware of alerts identifying their app as malicious seven days prior to taking any action. You can see the entire situation play out on their community forums in this thread, but here is a quick summary:

• 3CX was alerted by multiple customers that their endpoint security software was identifying the 3CX desktop app as malicious.
• 3CX staff responded by incorrectly assuming that these alerts were false positives.
• When customers asked for 3CX to contact security vendors to better understand why their app was being flagged as malicious, 3CX staff was dismissive and told customers they should contact the security vendors themselves.

3CX had the opportunity to respond to this supply chain attack seven days earlier than they did, a lifetime in incident response. But alert fatigue among 3CX and their customers led to a major danger: alert indifference.

alert indifference is a phenomenon where individuals or organizations, due to alert fatigue, become desensitized to security alerts and fail to take appropriate actions in response to potential security threats.

Alert indifference is best explained using a classic fable, The Boy Who Cried Wolf. In this fable a young shepherd boy repeatedly raises false alarms of a wolf attack, causing the villagers to ignore his cries when a real wolf shows up and devours the village's sheep. The false alarms the boy raised caused alert fatigue amongst the villagers who, eventually, developed alert indifference and failed to react when a real threat occurred.

Much like the fable, alert indifference is a phenomenon where individuals or organizations, due to alert fatigue, become desensitized to security alerts and fail to take appropriate actions in response to potential security threats. This can cause delayed or inadequate responses, which can result in data breaches, financial losses, and reputational damage.

Be wary of security solutions that claim to work “out of the box”. Every organization is different and no security tool can cover the unique complexities of them all without modification.

So, how can organizations address this issue? How can you keep your security tool from crying wolf? First, it is not enough to simply have reliable security tools in place. You must also make sure that these security tools are properly configured and tuned post-deployment to ensure that the alerts generated are useful and accurate. Be wary of security solutions that claim to work “out of the box”. Every organization is different and no security tool can cover the unique complexities of them all without modification.

Additionally, make sure humans are investigating these alerts. While AI and machine learning tools have made giant leaps in their capability to identify threats they still cannot compete with the expertise of a security analyst who has contextual knowledge of the unique systems of their clients. Security teams can fortify their investigation and response by setting up proper procedures for handling alerts, including clearly defined escalation paths and incident response plans. Regular training and simulations can also help security teams improve their response times and accuracy.

While AI and machine learning tools have made giant leaps in their capability to identify threats they still cannot compete with the expertise of a security analyst who has contextual knowledge of the unique systems of their clients

A security tool that cries wolf can be just as dangerous as a real cyber threat if it causes your team to have alert indifference. By implementing reliable security tools, properly tuning them, and making sure real humans are handling alerts, organizations can reduce the risk of alert fatigue as well as alert indifference and ensure that their security teams are always prepared to respond to genuine threats.

Elpha Secure’s unique combination of cyber insurance, endpoint software, and 24/7 Security Operations Center ("SOC") provides a holistic approach to your organization's security. We leverage traditional risk transfer, technology, and human intelligence to cut through the white noise and minimize alert indifference. Stop by our website to learn more about how we can help you through a cyber incident.