
The security alerts you ignore are the ones that matter

With alert volumes running into the hundreds of thousands, security teams have built habits around what to ignore. And attackers have learned to exploit them.

For years, security operations centers (SOCs) have dealt with the noise of security alerts by triaging them on severity level: the score the detection system assigns to each alert, not the severity of any underlying vulnerability.

As the enterprise technology stack became more complex with a growing number of endpoints, cloud infrastructure, and multiple identity systems, it became impractical, if not impossible, for SOCs to address every single alert that got flagged.

As a result, most teams have adopted an approach where they focus their efforts on mitigating the medium- and high-severity alerts and dismissing or deprioritizing those flagged as lower risk.

However, "low risk" does not mean "no risk." A recent large-scale analysis of enterprise security alerts found that around 1% of confirmed incidents trace back to alerts that were initially categorized as low severity.

For an average enterprise receiving 450,000 alerts per year, that works out to roughly one genuine threat slipping past triage every week. The percentage sounds small, but it represents real intrusions that are being dismissed rather than investigated.

These findings challenge the common practice of prioritizing alerts purely by severity level. They raise a critical question for today's security teams: how can they realistically give attention to low-severity alerts while still coping with the volume of alerts they receive every day?

Real Threats Are Hiding in the Noise

Companies get hundreds of thousands of security alerts every year, and that number can rise to over a million for the largest enterprises. At this scale, security teams might be dealing with thousands of alerts every single day, so it’s no surprise that several recent studies have found that over half of alerts are never even reviewed.

Given this volume, triaging alerts by severity has been a necessity. SOCs concentrate their effort on the threats that appear most impactful and urgent. This makes sense, of course: it would be unwise (and potentially dangerous) to ignore a critical alert in favor of a low-risk anomaly that will probably never amount to anything.

However, when these low-severity alerts are ignored, they create the opportunity for real threats to persist undetected.

Attackers Favor Stealth

Threat actors would prefer to sneak in and remain hidden, quietly carrying out their attacks for as long as possible. Instead of launching high-impact attacks that would immediately raise alarm bells, they gain access and try to remain undetected so that they can move laterally throughout a network, escalating privileges and extracting data over time without raising suspicion.

Severity classifications don’t always reflect this reality. Alerts are typically categorized based on a number of factors, including how critical an affected system is, the impact if that system were to go down, known threat actor activity, and how confident the security system is that malicious activity is taking place.

For example, detection of mass file encryption is categorized as high severity because it indicates ransomware already executing, whereas a suspicious PowerShell command is often low severity because it could just as easily be legitimate activity from an admin. Yet in practice that same PowerShell command (an encoded command line, say, or a script that fetches content from a remote URL) could be an attacker downloading payloads, establishing persistence, or running reconnaissance in the environment. The alert's severity reflects the confidence of the detector, not the stage of the attack.

In many cases, major security incidents are the result of a string of multiple low-severity actions that don’t appear malicious individually. This allows the attacker to continue conducting their activities for weeks or even months without being noticed.

Rethinking Alert Triage in the SOC

The challenge for modern SOCs is not only to work faster but to work with more complete information. Treating alerts as isolated events, each evaluated on its own merits and severity score, is a structural limitation that threat actors have learned to exploit.

Low-severity alerts rarely tell a complete story on their own. A login anomaly, a suspicious script execution, a privilege change: each one individually may be inconclusive or entirely benign. But when those signals appear against the same user, the same system, or within the same time window, together they describe something far more concerning. Whether that pattern surfaces depends on whether the investigation goes looking for it.

This requires two shifts in how security teams operate. The first is contextual. Alerts need to be analyzed against what else is happening in the environment, not just against the criteria that triggered the original detection. The second is coverage. Teams cannot build a complete behavioral picture if a large portion of signals never get examined at all. When low-severity alerts are systematically skipped, the picture has gaps, and those gaps are where attackers persist.
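The contextual shift described above (correlating individually weak signals by entity and time window rather than judging each alert by its own severity) is simple enough to sketch in code. The following is an added example written for this article, not code from the author or from any product: it runs a sliding time window over a handful of constructed alert records, and escalates a user when several distinct attack-chain categories appear within the window, regardless of per-alert severity. The field names, category labels, two-hour window and threshold of three categories are all assumptions chosen for illustration; a real SIEM would key on its own schema and tune these values.

```python
"""Entity/time-window correlation of low-severity alerts.

Added example, not from the article or any vendor product. The alert
records below are constructed; the field names (ts, user, host,
severity, category), the category labels, WINDOW and ESCALATE_AT are
assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, one dict per alert. Every one of them is
# "low" severity, so severity-only triage never reviews any of them.
SAMPLE_ALERTS = [
    {"ts": "2024-05-06T08:02:00", "user": "jdoe", "host": "WS-114",
     "severity": "low", "category": "anomalous_login"},      # login from a new location
    {"ts": "2024-05-06T08:41:00", "user": "jdoe", "host": "WS-114",
     "severity": "low", "category": "suspicious_script"},    # encoded PowerShell
    {"ts": "2024-05-06T09:15:00", "user": "jdoe", "host": "WS-114",
     "severity": "low", "category": "privilege_change"},     # added to local admins
    {"ts": "2024-05-06T09:30:00", "user": "admin-ops", "host": "SRV-02",
     "severity": "low", "category": "suspicious_script"},    # admin's maintenance script
    {"ts": "2024-05-07T14:00:00", "user": "jdoe", "host": "WS-114",
     "severity": "low", "category": "suspicious_script"},    # next day, outside window
]

# Distinct categories that, seen together, look like an intrusion chain.
CHAIN_CATEGORIES = {"anomalous_login", "suspicious_script",
                    "privilege_change", "lateral_movement"}
WINDOW = timedelta(hours=2)   # assumed correlation window
ESCALATE_AT = 3               # assumed: distinct chain categories per entity


def severity_triage(alerts, review=("medium", "high", "critical")):
    """The status quo: return only alerts whose severity is worth a look."""
    return [a for a in alerts if a["severity"] in review]


def _parse(alerts):
    """Convert ISO timestamps to datetime and sort chronologically."""
    return sorted(({**a, "ts": datetime.fromisoformat(a["ts"])} for a in alerts),
                  key=lambda a: a["ts"])


def correlate(alerts, window=WINDOW, threshold=ESCALATE_AT):
    """Return {user: [escalation, ...]}.

    For each user, slide a window of length `window` over that user's
    alerts in time order. Whenever at least `threshold` distinct chain
    categories fall inside the window, emit one escalation and start a
    fresh window after it, so a later, separate chain is reported too.
    Per-alert severity is deliberately ignored here.
    """
    by_user = defaultdict(list)
    for a in _parse(alerts):
        by_user[a["user"]].append(a)

    escalations = {}
    for user, evs in by_user.items():
        found, start = [], 0
        for end in range(len(evs)):
            # Drop alerts that have aged out of the window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            cats = {e["category"] for e in span} & CHAIN_CATEGORIES
            if len(cats) >= threshold:
                found.append({
                    "user": user,
                    "hosts": sorted({e["host"] for e in span}),
                    "categories": sorted(cats),
                    "first": span[0]["ts"].isoformat(),
                    "last": span[-1]["ts"].isoformat(),
                })
                start = end + 1   # do not re-report the same chain
        if found:
            escalations[user] = found
    return escalations


if __name__ == "__main__":
    print("severity-only triage would review:", severity_triage(SAMPLE_ALERTS))
    for user, chains in correlate(SAMPLE_ALERTS).items():
        for c in chains:
            print(f"ESCALATE {user}: {c['categories']} on {c['hosts']} "
                  f"between {c['first']} and {c['last']}")
```

Run as-is, severity-only triage returns nothing, while the correlation raises one escalation for jdoe covering the login anomaly, the script execution and the privilege change on WS-114 inside 73 minutes; admin-ops, with a single script alert, and jdoe's isolated alert the next day are left alone. The second point in the text, coverage, is the precondition for this to work at all: if low-severity alerts are dropped before they reach the correlation step, the window is empty and the chain is invisible.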

The practical implication is that alert triage can no longer rely solely on human capacity to determine what gets investigated. The volume problem is real, and severity-based prioritization exists for good reason. But the teams best positioned to catch early-stage threats are those that have found ways to extend consistent investigative coverage across the full alert stream, not just the top tier, and correlate what they find into a coherent view of attacker behavior over time.

The question is no longer whether low-severity alerts deserve attention. The data shows they do. The question is how to build an operation that can actually give it to them.


This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.

The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
