Page 28 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

4. Automate, automate, automate

Automation is another key principle for achieving agile security operations, and it's one that Microsoft stresses in its alert fatigue mitigation plan. For most large organizations, automation is necessary to even begin to alleviate alert fatigue. In a tight labor market, there simply are not enough skilled security experts available to tackle a problem of this scale unless manual, repetitive processes are automated. For alert fatigue specifically, basic alert correlation, checking alerts against watch lists, and ingesting patches and updates are all activities that should be automated to free up security professionals to focus on other work, such as threat hunting and remediation.



5. Include compliance as part of your automation efforts

In heavily regulated industries, many security alerts may directly tie back to your regulatory obligations, but even if your business doesn't need to comply with mandates such as PCI-DSS or HIPAA, new consumer privacy laws, such as the GDPR in Europe and the CCPA in California, add obligations, and thus risks, for a large swath of the economy.

As you seek to automate security tasks, be sure to investigate ways to tie compliance into the process, which will streamline the overall workflow and reduce risk. For instance, Microsoft's Purview Compliance Manager helps organizations integrate compliance with security operations, ensuring that they keep up with changing regulatory requirements and shifting risks.



6. Intelligently prioritize incident response

Not all alerts are created equal, and even actionable ones don't all carry the same level of risk. Thus, it's important to prioritize the systems and applications that pose the biggest risks if breached or otherwise damaged.

Prioritizing known attack vectors, actively watching for known high-risk behaviors like privileged access, and maintaining an active watch list of known high-risk attackers will significantly cut down response times by focusing your team on the most pressing, high-risk threats.

As you investigate how to reduce alert fatigue, be sure your security provider offers a Configuration Management Database (CMDB) to provide real-time visibility into all of your networked assets. Ideally, your CMDB should automatically track the changing state of those assets (patches, updates, etc.) and correlate them with vulnerability scans and threat hunts.
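The correlation, watch-list checks and CMDB-driven prioritization described in points 4 and 6, as an added illustration that is not from the article or from any vendor product. The CMDB extract, watch lists, alerts and scoring weights are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed CMDB extract: asset -> business criticality (1 low .. 5 highest) and patch state.
CMDB = {
    "db-prod-01": {"criticality": 5, "patched": False},
    "web-prod-02": {"criticality": 4, "patched": True},
    "dev-laptop-17": {"criticality": 1, "patched": True},
}
# Constructed watch lists: known high-risk source IPs and privileged accounts.
IP_WATCHLIST = {"203.0.113.45"}
PRIVILEGED_ACCOUNTS = {"svc_backup", "domadmin"}

# Constructed raw alerts in a SIEM-export shape (time, host, user, src_ip, rule).
ALERTS = [
    {"ts": "2022-05-01T09:00:05", "host": "dev-laptop-17", "user": "alice", "src_ip": "198.51.100.9", "rule": "AV quarantine"},
    {"ts": "2022-05-01T09:02:10", "host": "db-prod-01", "user": "domadmin", "src_ip": "203.0.113.45", "rule": "Failed logon burst"},
    {"ts": "2022-05-01T09:05:44", "host": "db-prod-01", "user": "domadmin", "src_ip": "203.0.113.45", "rule": "New local admin"},
    {"ts": "2022-05-01T09:07:01", "host": "db-prod-01", "user": "domadmin", "src_ip": "203.0.113.45", "rule": "Outbound to rare port"},
    {"ts": "2022-05-01T10:30:00", "host": "web-prod-02", "user": "bob", "src_ip": "198.51.100.20", "rule": "Failed logon burst"},
]

def correlate(alerts, window=timedelta(minutes=10)):
    """Basic correlation: alerts on one host within `window` of an incident's first alert are grouped."""
    incidents, open_by_host = [], {}
    for a in sorted(alerts, key=lambda a: a["ts"]):          # ISO timestamps sort as strings
        inc = open_by_host.get(a["host"])
        if inc and datetime.fromisoformat(a["ts"]) - datetime.fromisoformat(inc["alerts"][0]["ts"]) <= window:
            inc["alerts"].append(a)
        else:                                                 # outside the window: open a new incident
            inc = open_by_host[a["host"]] = {"host": a["host"], "alerts": [a]}
            incidents.append(inc)
    return incidents

def score(incident):
    """Risk score 0-100 from CMDB criticality, watch-list hits, privileged use and patch state."""
    asset = CMDB.get(incident["host"], {"criticality": 2, "patched": True})  # unknown asset: assume medium
    s = asset["criticality"] * 10                                           # 10..50 straight from the CMDB
    alerts = incident["alerts"]
    if any(a["src_ip"] in IP_WATCHLIST for a in alerts):
        s += 25                                                             # known high-risk attacker
    if any(a["user"] in PRIVILEGED_ACCOUNTS for a in alerts):
        s += 15                                                             # privileged access involved
    if not asset["patched"]:
        s += 10                                                             # unpatched, larger attack surface
    return min(100, s + 2 * (len(alerts) - 1))                              # small bump for correlated volume

def prioritize(alerts):
    """Return incidents ordered most urgent first, each tagged with its score."""
    ranked = [dict(i, score=score(i)) for i in correlate(alerts)]
    return sorted(ranked, key=lambda i: i["score"], reverse=True)
```

Running `prioritize(ALERTS)` collapses the three db-prod-01 alerts into one incident that scores 100 and lands at the top, while the lone laptop alert scores 10 and drops to the bottom of the queue.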
