Cloud Security and Alert Fatigue

By Fabio Gallego, Fortinet Public Cloud Expert Engineer for Latin America and the Caribbean.

When you hear the phrase "cloud security", what is the first thing that comes to mind?

For a professional who works on protecting cloud workloads, this question already brings to mind dozens of elements: CSPM, CWPP, EDR, firewalls, IPS, container security, the cloud provider's security standards, user access control, least privilege, auditing, password policy, DLP, ICES, and so on.

The main purpose of these tools is to protect our data and services at different layers, which is necessary because comprehensive security requires different views and approaches and therefore several layers of protection. But managing the output generated by all of these tools is one of the main concerns for IT and security teams.

Together these tools can produce, for example, an average of 700 alerts per day, far more than a team can triage. Analysts become desensitized and the alerts that matter are buried among those that do not. This is what we call alert fatigue.

Alerts are critical, but they need to make sense and be relevant, i.e. they need context to guide security teams in the decision-making process.

Imagine you are responsible for your company's cloud security and you use tools that report vulnerabilities. Today the same critical vulnerability has appeared in 100 of your instances. Which one would you fix first? Tough decision, isn't it?

But what if you know that, of those 100 instances, 50 are exposed to the Internet? Of those 50, ten have access to sensitive data (such as a bucket holding personal customer data), and of those ten, two have had contact with a botnet. It's easier now, isn't it? If the critical vulnerability in this example is being exploited, we know which two instances pose the most risk and would cause the most damage, so those two are fixed first.
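The prioritization described above, written out as an added example (this is not Fortinet's code or any product's scoring model). It assumes three context signals per instance, `internet_exposed`, `sensitive_data_access` and `botnet_contact`, have already been collected from the cloud inventory, flow logs and threat intelligence; the weights are a hypothetical choice in which each signal outweighs the sum of all weaker ones, so ranking is effectively "botnet contact first, then data access, then exposure". The 100-instance fleet is constructed to match the article's numbers, plus two internal instances with data access to show that the ranking is not purely nested.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Instance:
    """One cloud instance affected by the same critical vulnerability."""
    instance_id: str
    internet_exposed: bool        # reachable from the Internet (public IP, permissive security group)
    sensitive_data_access: bool   # role or network path to sensitive data, e.g. a customer-PII bucket
    botnet_contact: bool          # flow logs / threat intel show traffic to a known botnet C2


# Hypothetical weights: each signal is larger than the sum of the weaker ones, so an
# instance with botnet contact always outranks any instance without it, and so on.
WEIGHTS = {
    "botnet_contact": 4,
    "sensitive_data_access": 2,
    "internet_exposed": 1,
}


def risk_reasons(inst: Instance) -> list[str]:
    """Signals present on the instance, strongest first (this is the 'context' the report shows)."""
    return [name for name in WEIGHTS if getattr(inst, name)]


def risk_score(inst: Instance) -> int:
    return sum(WEIGHTS[name] for name in risk_reasons(inst))


def prioritize(instances: list[Instance]) -> list[Instance]:
    """Most risky first; ties broken by id so the output is stable between runs."""
    return sorted(instances, key=lambda i: (-risk_score(i), i.instance_id))


def tier_counts(instances: list[Instance]) -> dict[str, int]:
    """Nested funnel as in the article: vulnerable -> exposed -> data access -> botnet contact."""
    exposed = [i for i in instances if i.internet_exposed]
    with_data = [i for i in exposed if i.sensitive_data_access]
    with_botnet = [i for i in with_data if i.botnet_contact]
    return {
        "vulnerable": len(instances),
        "internet_exposed": len(exposed),
        "sensitive_data_access": len(with_data),
        "botnet_contact": len(with_botnet),
    }


def sample_fleet() -> list[Instance]:
    """Constructed data: 100 instances with the same CVE, 50 exposed, 10 of those with data
    access, 2 of those with botnet contact. i-060 and i-061 are internal but can reach data."""
    fleet = []
    for n in range(100):
        fleet.append(Instance(
            instance_id=f"i-{n:03d}",
            internet_exposed=n < 50,
            sensitive_data_access=n < 10 or n in (60, 61),
            botnet_contact=n < 2,
        ))
    return fleet


if __name__ == "__main__":
    fleet = sample_fleet()
    print(tier_counts(fleet))
    for inst in prioritize(fleet)[:12]:
        print(inst.instance_id, risk_score(inst), ", ".join(risk_reasons(inst)) or "no context signals")
```

Running it prints the 100/50/10/2 funnel and then the ranked list: i-000 and i-001 (score 7) come first, the eight other exposed instances with data access (score 3) next, then the two internal instances with data access (score 2) ahead of the 40 instances that are merely exposed (score 1). The ordering, not the raw alert count, is what the analyst needs; swapping in additive weights that do not dominate each other would let many weak signals outrank a single strong one, which is usually not what you want for a "fix this first" list.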

Today it is possible to reduce the complexity behind alert fatigue. The key is a security solution that collects these alerts, automatically generates risk scores (for example through machine learning) and integrates with the cloud provider's native tools. Receiving a report that says which resource is most at risk, and why, makes all the difference in managing your cloud security effectively.