Faced with a false alarm rate of nearly 50%, security analysts are suffering from anxiety and insomnia. Only automation is the “sleeping medicine.”
IDC’s latest report surveyed 350 insiders, MSSP security analysts, and managers. The results showed that due to widespread “alert fatigue” that caused alarms to be ignored, and concerns about underreporting (missing security incidents), security analysts are under constant pressure Increase, while productivity is declining.
Chris Triolo, FireEye’s vice president of customer success, said: “The large number of false alarms from different solutions has overwhelmed security analysts and increasingly worried that they might miss real threats.”
“In order to solve these challenges, analysts require the use of advanced automated tools, such as extended detection and response, to help alleviate concerns about missing events, while enhancing the cyber security capabilities of their SOC.”
High false alarm rate exacerbates alarm fatigue
Up to 45% of security alarms are falsely reported, and 35% of responders choose to ignore the alarm when the queue is crowded! (The following figure)
False alarms can cause “alert fatigue”: Although analysts and IT security managers receive thousands of alarms every day, interviewees said that 45% of them are false alarms, leading to the efficiency of internal analysts. Decrease, the workflow process slows down. To manage the alarm overload in the SOC, 35% of the people in this group said they chose to ignore the alarm.
MSSP security hosting service providers spend more time filtering false positives, but ignore more alerts: MSSP analysts said that 53% of the alerts they received were false positives. At the same time, 44% of the analysts of hosting service providers said that when the queue is too full, they will ignore the alert, which may lead to violations involving multiple customers.
Most security analysts and managers worry about underreporting incidents (FOMI)
As analysts face more challenges in manually managing alerts, they are more and more concerned about underreporting: three-quarters of analysts are worried about underreporting, and one-quarter are “very” worried. Underreporting incidents.
However, FOMI caused more pain to safety managers than analysts: more than 6% of safety managers said that they were worried about missing events and causing insomnia.
Analysts need automated SOC solutions to counter FOMI
Currently, less than half of enterprise security teams use tools to automate SOC activities. The specific statistical results are as follows:
Artificial intelligence and machine learning technology (43%)
Security Process Automation and Response (SOAR) tools (46%)
Security Information and Event Management (SIEM) software (45%)
Threat hunting (45%) and other security features.
also,Only two-fifths of analysts use artificial intelligence and machine learning technologies with other security tools.
In order to manage SOC, security teams need advanced automation solutions to reduce alert fatigue and increase success rates by focusing on higher-skilled tasks (such as threat hunting and network investigations): when ranking the most easily automated security tasks, Threat detection received the highest number of votes (18% of analysts’ wish lists), followed by threat intelligence (13%) and event classification (9%).
The focus of SOC automation should not be SIEM
The center of gravity of the Security Operations Center (SOC) used to be SIEM. But now, this situation is changing as the task of the SOC shifts to a detection and response organization.
SIEM has existed for decades and aims to replace manual log correlation to identify suspicious network activity by regulating alerts between multiple technology vendors. SIEM was never designed to handle complete threat intelligence management use cases, nor was it able to integrate with modern security tools and technologies such as Endpoint Detection and Response (EDR), Network Detection and Response (NDR), and Cloud Detection and Response to handle a large number of data.
The detection and response functions of the new generation of SOC will not be isolated in a single tool, but will be extended to the entire ecosystem. What is needed is a platform that can integrate with multiple different internal and external threat and event data sources (including data sources from SIEM), and support two-way integration with the sensor grid. A platform with this function is the key to accelerating safe operations and enabling modern SOCs to complete their tasks.