Dive Brief:
- More than one-third of IT security managers and security analysts ignore threat alerts when the queue is full, according to a survey from IDC, in partnership with FireEye. The survey had 300 respondents in U.S.-based companies working in security operations centers (SOCs), and 50 managed security service providers (MSSPs).
- MSSPs are experiencing higher rates of false positive alerts, receiving them 53% of the time, compared to 45% in SOCs. The inundation of false positives contributes to alert fatigue, according to the report.
- One-quarter of analysts worry "a lot" about missing alerts and 6% of managers lose sleep over it. MSSPs offset alert overload by rewriting policies and dismissing certain alerts, yet don't hire more analysts to offset the volume of alerts. More SOCs alter policies to reduce alerts than MSSPs, but more SOCs ignore alerts than MSSPs.
Dive Insight:
Even paired with technology, security analysts can miss alerts. And one missed alert can lead to the next major breach.
"These SOCs are overloaded," said Chris Triolo, VP at FireEye. The respondents of the study are "what we refer to as the ground truth."
For more than half of SOCs, the return on investment worsened during the pandemic, according to a Ponemon Institute survey. Analyst turnover rates are increasing partly due to the SOCs' growing complexity. An average of three analysts either resign or are terminated in a one-year period, according to Ponemon Institute.
"When you set up how your operation works, you want to try to rotate the SOC analyst off the console, as often as you can" to avoid fatigue, said Triolo. Otherwise "you're just staring at the screen and you really stop paying attention, quite frankly."
The analysts monitoring alerts are typically junior-level, and the role could be their introduction to working in a SOC as an information security analyst. The junior-level analysts receive training and are essentially told "don't blow it," said Triolo. Burnout will almost certainly occur "if we're not giving them tools that they need, and we're not setting them up to win but rather setting them up to fail."
Technology is the only solution for supporting analysts, said Triolo. Analysts make the call to decode low, medium and high alert criticality, and depending on their calculation, they ignore some. With an ever-increasing number of alerts, identifying alerts to ignore is an impossible mission without scalable technology.
Two in five analysts use a combination of AI and ML technologies alongside security orchestration, automation and response (SOAR) tools and security information and event management (SIEM) software, according to IDC.
"People need SIEM in order to centralize and aggregate all of their logs, security [and] security alerts. And that is kind of the primary one of the primary purposes of the SIEM itself," said Triolo. "Not as many folks have deployed SOAR. And when they do, or if they have, they haven't deployed very well."
The top tools are nearly evenly split between AI/ML, SOAR, SIEM, threat hunting and scripting. And the ideal toolset for investigating alerts is a blend of all of them. "It's like a dance between all the different tools to use," said Triolo. With the exception of SIEM serving as the foundation for the rest of the tools, they are of equal importance.