Databases are more complex than they were a decade ago, but the means of spotting performance issues have evolved with them. To keep pace with an ever-changing IT landscape, most IT professionals have invested in monitoring tools that comb through their systems and flag threats. A slight problem lies, however, in how these professionals handle the database threat alerts those tools produce.
More than 50% of these professionals end up ignoring the alerts they get from the tools they invested in, according to the Dark Reading website. While most professionals get away with this habit, ignoring a high-priority threat alert can do real damage to the IT environment. A good example would be the 2013 Target cyber breach, which resulted from alert fatigue. This behavior can be changed, but changing it requires you to understand what really causes alert fatigue.
So, why is alert fatigue still a threat to performance?
Alerts Might Lack Context
Sometimes the alerts that reach your security team lack the context needed to remediate the situation. This means the IT professional in charge of that part of the database has to fly blind to resolve the issue. While the time needed to resolve a single alert under these circumstances might be insignificant, it quickly becomes an inconvenience when multiple similar alerts reach the same person.
They will take longer to resolve the issues and might end up ignoring some of the alerts. A good database activity monitoring tool should offer enough context on the reason behind the alert: it should identify the machine that was affected, the time the problem occurred, and offer at least a little insight into how to remedy the situation.
In some cases no single security solution provides all the protection you need, which makes layering solutions a wise choice. The issue arises when the layered solutions are not integrated well enough. When two solutions notice the same issue with your database, both send alerts, and the second is redundant to the security professional in charge of that specific area.
The trick is to fine-tune the tolerance levels of these solutions. You can start by consolidating and correlating the threat data so that duplicate alerts collapse into one. The best option, however, would be to switch to a more integrated, platform-based solution; this will also help save cost and improve vendor relationships.
Alert Delivery Issues
In some instances, alerts are delivered to the wrong person in the organization. Seeing that the alerts do not concern them, chances are that they will ignore them. Another problem is that high- and low-priority alerts might be sent out at the same time of day.
For instance, delivering both types of alert at 2:00 am increases the chances that a DevOps team member will dismiss a high-priority alert on the assumption that it is probably minor. In both cases, evaluating your alert protocol (who receives which alerts, and when) is vital.
Excessive False Positives
False positives might be inevitable: the monitoring tools you use will sometimes pick up an anomaly that should not raise any red flags. While a single false positive is not much to deal with, receiving them in large numbers is a recipe for danger.
Since humans tend to become inured to redundancy, your team is likely to start ignoring all alerts on the assumption that they are all false positives. If a high-priority true positive is buried in this sea of false positives, ignoring it will only lead to trouble. The trick is to fine-tune your monitoring tools to reduce the occurrence of false positives.
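The three fixes above (correlating redundant alerts from layered tools, routing by priority and time of day, and suppressing low-severity noise below a threshold) can be sketched as one small triage step. The following is an added example written for this article, not code from any monitoring product; the alerts, the `RUNBOOK` remediation hints and the `MIN_HITS` thresholds are all constructed, hypothetical values.

```python
from datetime import datetime, timedelta

# Constructed sample alerts from two overlapping tools (not output of any real product).
ALERTS = [
    {"tool": "dam", "host": "db-prod-01", "rule": "bulk_export", "severity": "high", "ts": "2023-05-04T02:03:10"},
    {"tool": "ids", "host": "db-prod-01", "rule": "bulk_export", "severity": "high", "ts": "2023-05-04T02:03:42"},
    {"tool": "dam", "host": "db-prod-02", "rule": "failed_login", "severity": "low", "ts": "2023-05-04T02:05:00"},
    {"tool": "dam", "host": "db-prod-02", "rule": "failed_login", "severity": "low", "ts": "2023-05-04T02:05:30"},
    {"tool": "dam", "host": "db-prod-02", "rule": "failed_login", "severity": "low", "ts": "2023-05-04T02:06:00"},
]

# Hypothetical per-rule remediation hints: the context the article says a good tool should attach.
RUNBOOK = {
    "bulk_export": "Check the session against the approved export jobs; terminate it if unapproved.",
    "failed_login": "Confirm whether the account is locked out or a service password was rotated.",
}

# Hypothetical noise thresholds: raw hits needed inside the window before a low-severity rule is reported.
MIN_HITS = {"failed_login": 3}


def correlate(alerts, window=timedelta(minutes=5)):
    """Merge alerts that describe the same host and rule within `window`, whichever tool raised them."""
    groups = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        for g in groups:
            if g["host"] == a["host"] and g["rule"] == a["rule"] and ts - g["first_seen"] <= window:
                g["hits"] += 1  # same incident seen again, or seen by a second tool
                g["sources"].add(a["tool"])
                break
        else:
            groups.append({"host": a["host"], "rule": a["rule"], "severity": a["severity"],
                           "first_seen": ts, "hits": 1, "sources": {a["tool"]},
                           "remediation": RUNBOOK.get(a["rule"], "no runbook available")})
    return groups


def route(group, hour):
    """Pick a delivery channel: high severity pages on-call at any hour; low severity is
    suppressed below its noise threshold, otherwise ticketed in business hours or queued."""
    if group["severity"] == "high":
        return "page"
    if group["hits"] < MIN_HITS.get(group["rule"], 1):
        return "suppress"
    return "ticket" if 9 <= hour < 17 else "queue"
```

Run on the constructed input, the five raw alerts collapse to two groups: the bulk export seen by both tools is paged immediately, while the three failed logins are queued at 02:00 and ticketed during business hours rather than waking anyone.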
Investing in the best database monitoring tools will only take you so far. The next step should be to tweak the tools to fit your IT environment. Consider the tips above to make every alert you get from such tools worthwhile.