1. Funnel Everything Through a Master SIEM
Having a center for all kinds of event information greatly simplifies and standardizes the alerting process. Which security information and event management tool fits best is up to an organization. Larger healthcare systems may even stack SIEMs; for example, starting with a large log server doing a first filter before the alerts needing analysis flow to a more intelligent analysis tool. Whatever the solution, make sure that a single engine handles prioritization, reporting and alerting. The alerting function is key for a SIEM because if no one responds to the actionable information, then all the logs and security tools were a waste of time.
2. Establish Priorities and Regularly Verify Them
Alert fatigue happens when alerts appear but no one reads the emails, responds to the messages or looks at the dashboard. No matter how you deliver your alerts, establish a set of clear priorities and ensure that only truly critical alerts are in the highest-priority bin. People will accept a certain level of false positives, but it must be very low. Otherwise, even high-priority alerts will be ignored, and critical problems will go undetected and unsolved. Setting priorities isn’t a one-time deal, either: IT teams must allocate time each quarter to review alerts and ensure they are being prioritized properly.
3. Be Multichannel in the Approach to Security Alerts
Originally, email and old-school pagers were the only ways that alerts were delivered. Now, each IT team member may have a different preference for how they get alerts. Whether alerts are delivered via email, text message, chat app (such as Slack or Teams), a portal or dashboard, or even a flashing siren in the network operations center, picking the right channel avoids missed alerts and fatigue. Match the delivery channel to the needs and work styles of your staff members, and you’ll have the best chance of having critical events managed quickly.
4. Escalate Horizontally and Vertically When Needed
If an alert is missed or a problem goes unsolved or unacknowledged, make sure the issue is escalated to another team member or a manager. Sending an alert and assuming it will be handled invites issues to be dropped. Having double-checks built into the system compensates for inevitable human and technology failures.