A company's intrusion detection system (IDS) generates approximately 10,000 alerts daily, but the security team only has capacity to investigate 2% of these alerts. Which approach best addresses this issue?

  A. Tune the IDS to reduce false positives and focus on high-fidelity alerts ✓
  B. Disable the IDS and rely on firewall logs instead
  C. Increase the number of security analysts to handle all alerts
  D. Implement a more sensitive IDS configuration to catch more threats

Correct answer: Tune the IDS to reduce false positives and focus on high-fidelity alerts

Option A is correct because tuning the IDS to reduce false positives improves the signal-to-noise ratio, allowing the security team to focus their limited capacity on alerts that are most likely to represent real threats. This is the standard operational response to alert fatigue and is a core tenet of effective security operations. Option B is wrong because disabling the IDS removes an entire detection layer and relying solely on firewall logs provides far less visibility into threats that have already passed the perimeter. Option C is wrong because hiring enough analysts to cover 10,000 alerts daily is impractical and cost-prohibitive, and does not address the underlying problem of excessive false positives. Option D is wrong because increasing IDS sensitivity would generate even more alerts, compounding the alert fatigue problem rather than alleviating it.

Topic: alert fatigue, IDS tuning, false positives, security operations

Practice CompTIA CySA+ (CS0-003) Questions Free