The massive volume of alerts flowing into a security operations center (SOC) can easily overwhelm its analysts, and the pandemic has compounded the situation. The increase in remote work has expanded an already porous attack surface, assaults from nation-states and criminal gangs are rising, and insider threats are on the upswing. Adding to the perfect storm of cybersecurity risk is the failure of existing security controls that were built to detect anomalies in a world where suddenly nothing is normal.
According to a recent survey by CriticalStart, 50% or more of the current alert volume consists of false positives, and separating false alarms from real problems becomes harder as the volume increases.
The SOC: Burnout ahead
SOC analysts are constantly barraged by massive amounts of data and the multiple disparate technologies they maintain. SOC teams must examine and prioritize meaningful alerts that are worthy of further investigation. Compiling a picture of what actually happened can take months, which means more precious time wasted.
As today’s networks push massive amounts of data throughout their ecosystem, valuable time is wasted while the SOC team searches for the missing context needed to find and prioritize real threats. SOCs today are overloaded to the point of unsustainability. Without automated coordination and response, analysts burn out trying to find the real threats in the morass of alerts. Meanwhile, research indicates that upwards of 39% of real threats slip past them undetected.
This means the team is working harder and accomplishing less than ever before. No wonder that 60% of SOC team members are considering changing careers or leaving their jobs due to stress, as reported in the second annual Devo SOC Performance Report, based on a survey conducted by Ponemon Institute.
And as if all this weren’t bleak enough, there is also a skills shortage to contend with. Even if an organization wants to expand its SOC and hire the best and brightest people to improve efficiency and accuracy, there is a good chance it won’t be able to: (ISC)2 estimates that more than 4 million trained professionals are needed to close the existing cybersecurity skills gap.
Shutting out the noise
Enterprise leaders must understand that, in order to combat the SOC’s noise problem, they need a combination of human experts, technology, and strategic alignment. The current SOC situation is difficult but not intractable. Organizations need to start by going back to the basics. And that means that before they deploy the next shiny new security solution, they must ensure they have an infrastructure and processes that support their ongoing needs properly.
Instead of merely ingesting large volumes of data, the SOC needs to reach the point where it actually makes use of that data. Recent improvements in access to forensic data can play a key role in allowing analysts to work more effectively and reduce the time spent eliminating noise. When armed with the contextual data they need to make decisions quickly, analysts can more efficiently handle real threats to the environment, including the entry point of an attack, the infection vector, and misconfigurations or other vulnerabilities. They can then use this information to build best practices that make future alert response more efficient.
Turning the SOC tide
Gartner predicts that 50% of all SOCs will transform into modern centers with integrated incident response, threat intelligence, and threat hunting capabilities by 2022. That’s up from less than 10% in 2015.
For such a scenario to happen at the scale Gartner envisions, senior leadership must align on the organization’s cybersecurity stance and agree on funding and staffing needs. Part of this involves guaranteeing that SOC teams have the access they need to forensic data that speeds up response, which is so critical in cybersecurity. That access will create a sea change that favors the network’s defenders. With the needed data available at the right stage of the incident response process, security analysts can quickly cull false and low-priority incidents and focus on the threats that really matter.
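The two ideas above, enriching alerts with context so analysts decide quickly, and culling false and low-priority incidents before a human looks at them, can be shown concretely in code. The following is an added illustration, not code from the article or from any vendor it mentions: a small triage pass over a constructed batch of alerts that suppresses a known benign source, collapses repeated alerts into one case, attaches asset criticality from an inventory, and ranks what remains. The asset inventory, suppression list, scoring weights and sample alerts are all invented for the example.

```python
"""Alert triage with context enrichment (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed asset inventory: hostname -> business criticality (1-5) and role.
ASSET_CONTEXT = {
    "db-prod-01": {"criticality": 5, "role": "database"},
    "web-prod-03": {"criticality": 4, "role": "web"},
    "dev-laptop-17": {"criticality": 2, "role": "workstation"},
    "scanner-01": {"criticality": 1, "role": "vuln-scanner"},
}

# Constructed suppression list: (rule, source) pairs reviewed and known benign.
SUPPRESSIONS = {
    ("port_scan", "scanner-01"),  # the organisation's own authorised scanner
}

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Alert:
    rule: str       # detection rule that fired
    severity: str   # low / medium / high / critical
    host: str       # asset the alert concerns
    source: str     # who or what triggered it (IP, hostname, user)
    timestamp: int


@dataclass
class TriagedAlert:
    rule: str
    host: str
    score: int
    count: int
    context: dict
    reasons: list = field(default_factory=list)


def triage(alerts):
    """Return (ranked cases, suppressed alerts) for a batch of raw alerts."""
    # 1. Drop alerts matching a reviewed suppression: these are the known
    #    false positives that would otherwise consume analyst time.
    kept, suppressed = [], []
    for a in alerts:
        (suppressed if (a.rule, a.source) in SUPPRESSIONS else kept).append(a)

    # 2. Deduplicate: the same rule on the same host becomes one case
    #    with a count, so a noisy detection does not become many tickets.
    groups = defaultdict(list)
    for a in kept:
        groups[(a.rule, a.host)].append(a)

    # 3. Enrich each case with asset context and compute a priority score.
    triaged = []
    for (rule, host), members in groups.items():
        ctx = ASSET_CONTEXT.get(host, {"criticality": 3, "role": "unknown"})
        sev = max(SEVERITY_WEIGHT[m.severity] for m in members)
        score = sev * ctx["criticality"]
        reasons = [f"severity={sev}", f"asset_criticality={ctx['criticality']}"]
        if ctx["role"] == "unknown":
            # An asset missing from inventory is itself a finding: bump it.
            score += 2
            reasons.append("asset not in inventory (+2)")
        if len(members) >= 5:
            score += 1
            reasons.append(f"repeated {len(members)}x (+1)")
        triaged.append(TriagedAlert(rule, host, score, len(members), ctx, reasons))

    triaged.sort(key=lambda t: t.score, reverse=True)
    return triaged, suppressed


# Constructed sample batch: 16 raw alerts from one collection window.
SAMPLE_ALERTS = (
    [Alert("port_scan", "low", h, "scanner-01", 1000 + i)
     for i, h in enumerate(["db-prod-01", "web-prod-03", "dev-laptop-17",
                            "db-prod-01", "web-prod-03", "dev-laptop-17"])]
    + [Alert("suspicious_login", "high", "db-prod-01", "203.0.113.9", 1010),
       Alert("suspicious_login", "high", "db-prod-01", "203.0.113.9", 1011)]
    + [Alert("malware_beacon", "medium", "dev-laptop-17", "198.51.100.7", 1020 + i)
       for i in range(6)]
    + [Alert("new_admin_user", "critical", "unknown-host-42", "svc-deploy", 1030),
       Alert("brute_force", "low", "web-prod-03", "192.0.2.55", 1040)]
)


if __name__ == "__main__":
    cases, dropped = triage(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} alerts -> {len(cases)} cases, {len(dropped)} suppressed")
    for c in cases:
        print(f"{c.score:3d}  {c.rule:<17} {c.host:<16} x{c.count}  {', '.join(c.reasons)}")
```

Running the block turns 16 raw alerts into four ranked cases and six suppressed scanner alerts; the critical alert on a host missing from the inventory lands near the top even though the host has no recorded business value, which is the kind of context-driven decision the paragraphs above argue analysts need to make quickly. In a real SOC the inventory, suppression list and weights would come from a CMDB and a reviewed tuning process rather than literals in the file.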