Embracing Contextual Awareness in Security Operations to Combat Alert Fatigue

Written by Oliver Rochford | November 21, 2024
In the world of cybersecurity operations, there seem to be few issues as pervasive and exhausting (pun intended!) as alert fatigue. We wrote about the topic just recently, hot on the heels of an interesting report by VectraAI, and just this past week Anton Chuvakin also posted a really insightful article discussing why the problem not only still persists but has again become acute.

Anton makes the point that security teams are still overwhelmed by managing alerts, many of which fail to deliver actionable insights, or, in his words, "The data barely teaches us anything else." Our own experiences over the past year mirror this, with over 99% of pipeline-ingested data in most cases lacking any direct relevance to activity that the SecOps team would find interesting.

As Anton also wrote, it’s not that this problem is without solutions. We’ve developed multiple workarounds over the years. But the workarounds are now failing because of more data, more data types, all from more sources. Our current challenge involves scaling up some of the solutions we've developed in the past and developing new ones to replace those we can't.

So I think that his thoughtful post invites a conversation about how to recalibrate our approach to security data operations; it’s a conversation that resonates deeply with our vision here at Auguria.

The Problem of Noise: Why Alert Fatigue Persists

Our users tell us that the security landscape is more complex than ever, and the traditional methods of data analysis and alert generation simply aren't enough. In addition to managing an astronomical number of alerts, the modern Security Operations Center (SOC) must do so within a limited budget, always mindful of adversaries' increasingly sophisticated strategies. The need for a paradigm shift is urgent—one that turns the challenge of overwhelming data volume into an advantage, rather than a problem to solve, through smarter, AI- and data-science-driven approaches.

Just consider the risky cycle that alert fatigue creates. Most people are familiar with the story of the boy who cried wolf too many times. Alert fatigue is very similar: as the number of alerts increases, especially false positives and benign alerts, security teams become desensitized, potentially overlooking real threats. Siloed and static solutions, ill-equipped to handle the complexities of the modern digital enterprise and the "hot" threat landscape they face, exacerbate the issue.

We conceived Auguria's Security Knowledge Layer (SKL) specifically to break this cycle. Our approach emphasizes not just volume reduction but meaningful prioritization. We concentrate on the crucial 1% of data, allowing human analysts to concentrate on the most important aspects without becoming overwhelmed by false positives and redundant alerts.

Shifting from Alert Reduction to Context Enrichment

Anton also highlights the importance of context, suggesting that we "implement enrichment to add context and make alerts more actionable."

The lack of context is a major challenge in security operations and contributes to alert fatigue because:

  • High Volume of Alerts: Security systems generate thousands of alerts daily, many of which are false positives or lack the necessary details to determine their severity. This overwhelms analysts and makes it difficult to focus on true threats.
  • Time-Consuming Investigations: Without actionable context, analysts must spend significant time and effort manually correlating alerts with additional data to understand whether an event is a real threat or a benign anomaly. This delays response times and drains resources.
  • Increased Risk of Missed Threats: When analysts are bombarded with poorly contextualized alerts, they become desensitized and may overlook or ignore alerts that require immediate action. This increases the risk of a genuine threat slipping through unnoticed.
  • Burnout and Efficiency Loss: Constantly triaging alerts with insufficient context leads to analyst fatigue and burnout, reducing overall productivity and leading to a less effective security operation.

This has become the core of our mission at Auguria. Instead of merely deduplicating and filtering out noise, our AI-powered ontology enriches and categorizes events in real time. This is no small feat. Traditional solutions have relied on rules, automation playbooks, or machine-readable threat intelligence, which demand constant updates and rigorous maintenance. Auguria's SKL, on the other hand, uses AI models encoded with real-life forensics and incident response knowledge. This is what makes us so different from most other data pipelines, whose focus is primarily on ETL and data hygiene. Auguria also performs these tasks, but only as a precursor for its primary purpose: to prepare the data for enrichment, prioritization, and subsequent investigation and automation.

The Role of Ontologies in Alert Management

Auguria's SKL leverages a powerful, three-layered ontology framework to label and organize security events based on their relationships and attributes. This ontology-driven approach offers a granular understanding of each event's context, which is crucial for identifying subtle but significant threats. It enables us to automate the most labor-intensive parts of alert management: triage, categorization, and prioritization. We map every event at the vector embedding level to a category with an accompanying explanation, drastically reducing the time it takes for analysts to understand and respond.

Figure: Auguria's three-layered ontology

Beyond Filtering: Automating the Right Decisions

A frequent criticism of many AI-driven security solutions is that they lack explainability and still require a human in the loop to further validate outputs. At Auguria, we’ve tried to minimize this limitation by providing human analysts and automation workflows with immediate, high-confidence context and insights. 

In most threat analysis scenarios, analysts rely on a handful of ancillary events to determine whether an alert is likely a false positive or a false negative. Auguria’s AI addresses this by prioritizing alerts and automatically retrieving relevant ancillary events from integrated data sources, labeling these events as normal or abnormal. This ensures each alert is accompanied by the contextual information needed to support the analyst’s decision-making process, removing guesswork and streamlining the entire workflow.
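The workflow described above (prioritize an alert, pull the handful of ancillary events around it, label each as normal or abnormal, and hand the analyst an explanation) can be sketched in a few dozen lines. The following is an added illustration written for this post, not Auguria's code or an implementation of the SKL: it uses a constructed set of endpoint events, a constructed baseline of known-normal (type, process, parent) triples standing in for a learned model, and a hypothetical scoring rule (rule severity plus one per abnormal nearby event). It also handles the case where no context survived in the data store, reporting that the context is missing rather than quietly downgrading the alert.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): normalized endpoint events as a
# pipeline would hand them to an enrichment stage.
SAMPLE_EVENTS = [
    {"ts": "2024-11-21T09:00:05Z", "host": "ws-17", "user": "alice", "type": "process", "name": "outlook.exe", "parent": "explorer.exe"},
    {"ts": "2024-11-21T09:01:40Z", "host": "ws-17", "user": "alice", "type": "process", "name": "powershell.exe", "parent": "winword.exe"},
    {"ts": "2024-11-21T09:01:42Z", "host": "ws-17", "user": "alice", "type": "network", "name": "203.0.113.7:443", "parent": "powershell.exe"},
    {"ts": "2024-11-21T09:02:10Z", "host": "ws-17", "user": "alice", "type": "process", "name": "chrome.exe", "parent": "explorer.exe"},
    {"ts": "2024-11-21T09:30:00Z", "host": "ws-17", "user": "alice", "type": "process", "name": "teams.exe", "parent": "explorer.exe"},
    {"ts": "2024-11-21T09:01:41Z", "host": "ws-22", "user": "bob", "type": "process", "name": "powershell.exe", "parent": "explorer.exe"},
]

# Constructed baseline of "normal" (type, name, parent) triples for this environment.
# This stands in for whatever model or history a real system would learn from.
BASELINE = {
    ("process", "outlook.exe", "explorer.exe"),
    ("process", "chrome.exe", "explorer.exe"),
    ("process", "teams.exe", "explorer.exe"),
    ("process", "powershell.exe", "explorer.exe"),
}

# Constructed alert raised by a hypothetical detection rule on the same host.
ALERT = {"ts": "2024-11-21T09:01:40Z", "host": "ws-17", "user": "alice",
         "rule": "Office app spawned PowerShell", "severity": 3}


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def gather_ancillary(alert, events, window=timedelta(minutes=5)):
    """Return events on the alert's host within +/- window of the alert time, oldest first."""
    t0 = parse_ts(alert["ts"])
    hits = [e for e in events
            if e["host"] == alert["host"] and abs(parse_ts(e["ts"]) - t0) <= window]
    return sorted(hits, key=lambda e: e["ts"])


def label_event(event, baseline=BASELINE):
    """Label an event 'normal' if its (type, name, parent) triple is in the baseline, else 'abnormal'."""
    return "normal" if (event["type"], event["name"], event["parent"]) in baseline else "abnormal"


def enrich_alert(alert, events, baseline=BASELINE, window=timedelta(minutes=5)):
    """Attach labeled context and a priority to an alert; flag missing context explicitly."""
    ancillary = gather_ancillary(alert, events, window)
    labeled = [dict(e, label=label_event(e, baseline)) for e in ancillary]
    abnormal = [e for e in labeled if e["label"] == "abnormal"]
    # Hypothetical scoring: rule severity plus one per abnormal nearby event, capped at 10.
    priority = min(10, alert["severity"] + len(abnormal))
    if not ancillary:
        # Context may have been purged by retention limits; say so instead of treating
        # "no evidence" as "benign".
        explanation = "No ancillary events available; context missing, investigate manually."
    else:
        explanation = (f"{len(abnormal)} of {len(labeled)} nearby events deviate from baseline: "
                       + "; ".join(f"{e['type']} {e['name']} <- {e['parent']}" for e in abnormal))
    return {"rule": alert["rule"], "priority": priority, "context_available": bool(ancillary),
            "ancillary": labeled, "explanation": explanation}


if __name__ == "__main__":
    result = enrich_alert(ALERT, SAMPLE_EVENTS)
    print(result["priority"], result["explanation"])
    for e in result["ancillary"]:
        print(f"  {e['ts']} {e['label']:8} {e['type']} {e['name']} <- {e['parent']}")
```

For the constructed data, the alert picks up four events on ws-17 inside the five-minute window; the PowerShell-from-Word process and the outbound connection it made are outside the baseline and raise the priority from 3 to 5, while the Outlook and Chrome launches are labeled normal and left for the analyst to skim. Calling `enrich_alert(ALERT, [])` shows the missing-context path: priority stays at the rule's severity and `context_available` is false.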

Without Auguria, analysts are left to write and maintain manual rules to prioritize alerts, then respond to each one by searching for and waiting on conviction results. Often, these critical contextual events no longer exist because overwhelmed SIEM systems have already purged the crucial evidence by the time it is needed. As a result, analysts are frequently left uncertain whether they're dealing with an actual incident, a mitigated detection, or simply a false positive.

Toward a Resilient Cybersecurity Future: Human-AI Synergies

In our view, the future of cybersecurity is one where AI and human expertise coexist symbiotically. Rather than replacing human analysts, we want to augment their capabilities, make things easier, faster, and more succinct, and reduce operational friction. Our platform handles the complex data tasks, freeing up analysts to concentrate on critical, high-risk response. Time is crucial in a crisis, and our human-machine teaming leverages AI to analyze and enrich data at scale, empowering human analysts to respond more effectively.

At Auguria, we believe that the key to solving alert fatigue lies in shifting from reactive, alert-driven models to proactive, insight-driven operations. It’s not just about reducing alerts; it’s about elevating the role of human analysts, empowering them with precise, actionable information to make decisions. 

Anton’s analysis underscores a vital truth: the status quo is not sustainable. We need solutions that effectively encode expert knowledge and are able to learn and adapt without the unsustainable overheads of writing rules and playbooks. Auguria is proud to be at the forefront of this transformation, delivering a security experience that’s not just faster but smarter and more sustainable than anything else before. Instead of allowing noise to overwhelm us, let's focus on identifying the signals that hold true significance.