Three out of every four organisations struggle to keep up with security alerts
According to a new ESG study, ‘SOC Modernization and the Role of XDR’, commissioned by Kaspersky, almost three in four (70%) respondent organisations struggle to keep up with the volume of alerts generated by security analytics tools. This leaves too few resources for important strategic tasks and pushes organisations towards process automation and outsourcing.
Managing urgent work effectively through a security operations center (SOC) remains a problem: according to the ‘2020 State of SecOps and Automation’ survey by Dimensional Research, 83% of cybersecurity staff experience alert fatigue.
As well as the volume of alerts, their wide variety is a further problem for 67% of organisations, according to the ESG study. This makes it difficult for a SOC analyst to focus on the more complex and important tasks. In every third company (34%), cybersecurity teams overloaded with alerts and emergency security issues don’t have enough time to spend on strategy and process improvements.
The ESG study also found that organisations don’t attribute the problem to a lack of staff, with 83% believing their SOC has enough people to protect a company of their size effectively, but to the need to automate processes and use external services. The primary reason given for using managed services is to free personnel to focus on strategic initiatives rather than spending time on security operations tasks (55%).
“SOC analysts put out fires rather than proactively looking for complex and evasive threats in the infrastructure. Reducing the number of alerts, automating their consolidation and correlation into incident chains and cutting the overall response time should become the primary tasks for organisations to improve the effectiveness of their SOC. To achieve this, relevant automation solutions and external expert services can help,” says Yuliya Andreeva, Senior Product Manager at Kaspersky.
To streamline the work of a SOC and avoid alert fatigue, Kaspersky suggests that enterprises organise work shifts in their SOC so that staff are not overworked and all key tasks are distributed across people: monitoring, investigation, IT architecture and engineering, administration and overall SOC management. Overwhelming staff with routine tasks may lead to burnout among SOC analysts; practices such as internal transfer and rotation can help manage this.
Kaspersky is also urging enterprises to use a proven threat intelligence service that allows machine-readable intelligence to be integrated into existing security controls, such as a SIEM system. Matching alert observables (IP addresses, domains, file hashes) against indicators from such a feed automates the initial triage step and supplies enough context to decide whether an alert should be investigated immediately.
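The triage step described above, as an added example that is not code from Kaspersky, ESG or the article: a small indexer that loads a machine-readable indicator feed, enriches each SIEM alert with every matching indicator (exact IPs, CIDR ranges, parent domains and file hashes), and turns the best confidence score into an initial verdict. The feed layout, the alert field names (`alert_id`, `src_ip`, `dst_ip`, `domain`, `sha256`) and the confidence thresholds are assumptions for illustration; the feed and alerts are constructed and use documentation-only addresses and `.example` domains.

```python
"""Enrich SIEM alerts with machine-readable threat intelligence (TI) and
assign an initial triage verdict. Added example, not code from Kaspersky,
ESG or the article. Feed layout, alert field names and thresholds are
assumptions; the feed and alerts below are constructed sample data."""
import ipaddress

# Constructed TI feed: RFC 5737 documentation addresses and .example domains,
# so nothing here refers to a real host. Confidence is on a 0-100 scale.
SAMPLE_FEED = [
    {"type": "ipv4", "value": "198.51.100.23", "confidence": 90, "tags": ["c2", "family:sample-rat"]},
    {"type": "cidr", "value": "203.0.113.0/24", "confidence": 20, "tags": ["mass-scanner"]},
    {"type": "domain", "value": "update-cdn.example", "confidence": 85, "tags": ["phishing"]},
    {"type": "sha256", "value": "0123456789abcdef" * 4, "confidence": 60, "tags": ["dropper"]},
]

# Constructed alerts in the flat key/value shape a SIEM correlation rule might emit.
SAMPLE_ALERTS = [
    {"alert_id": "A-1001", "rule": "outbound to rare ip", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.23"},
    {"alert_id": "A-1002", "rule": "dns query", "src_ip": "10.0.0.7", "domain": "mail.update-cdn.example."},
    {"alert_id": "A-1003", "rule": "inbound port sweep", "src_ip": "203.0.113.77", "dst_ip": "10.0.0.1"},
    {"alert_id": "A-1004", "rule": "new executable", "src_ip": "10.0.0.9", "sha256": "0123456789ABCDEF" * 4},
    {"alert_id": "A-1005", "rule": "outbound to rare ip", "src_ip": "10.0.0.5", "dst_ip": "192.0.2.44"},
    {"alert_id": "A-1006", "rule": "malformed event", "src_ip": "not-an-ip"},
]


class ThreatIntelIndex:
    """Indexes a feed for O(1) exact lookups plus linear CIDR and parent-domain checks."""

    def __init__(self, feed):
        self.exact = {}      # (indicator type, normalised value) -> feed record
        self.networks = []   # (ip_network, feed record) for range indicators
        for rec in feed:
            itype, value = rec["type"], rec["value"]
            if itype == "cidr":
                self.networks.append((ipaddress.ip_network(value, strict=False), rec))
            elif itype == "ipv4":
                self.exact[(itype, str(ipaddress.ip_address(value)))] = rec
            else:  # domain, sha256: case-insensitive, domains without trailing dot
                self.exact[(itype, value.lower().rstrip("."))] = rec

    def lookup_ip(self, text):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:   # garbage in the field is a data-quality issue, not a TI miss
            return []
        hits = []
        rec = self.exact.get(("ipv4", str(addr)))
        if rec:
            hits.append(rec)
        hits.extend(rec for net, rec in self.networks if addr in net)
        return hits

    def lookup_domain(self, fqdn):
        # Check the FQDN and every parent name, so mail.update-cdn.example matches
        # an indicator for update-cdn.example but never the bare TLD.
        labels = fqdn.lower().rstrip(".").split(".")
        candidates = (".".join(labels[i:]) for i in range(len(labels) - 1))
        return [self.exact[("domain", c)] for c in candidates if ("domain", c) in self.exact]

    def lookup_hash(self, digest):
        rec = self.exact.get(("sha256", digest.lower()))
        return [rec] if rec else []


def enrich(alert, index):
    """Return every feed record that matches an observable in the alert."""
    hits = []
    for field in ("src_ip", "dst_ip"):
        if field in alert:
            hits += index.lookup_ip(alert[field])
    if "domain" in alert:
        hits += index.lookup_domain(alert["domain"])
    if "sha256" in alert:
        hits += index.lookup_hash(alert["sha256"])
    return hits


def triage(alert, index, investigate_at=80, queue_at=30):
    """Initial verdict from the best TI confidence (thresholds are assumed values)."""
    hits = enrich(alert, index)
    best = max((h["confidence"] for h in hits), default=0)
    if not hits:
        verdict = "no-ti-context"   # no shortcut available: stays in the normal analyst queue
    elif best >= investigate_at:
        verdict = "investigate-now"
    elif best >= queue_at:
        verdict = "queue"
    else:
        verdict = "low-priority"
    return {
        "alert_id": alert["alert_id"],
        "verdict": verdict,
        "max_confidence": best,
        "indicators": sorted(h["value"] for h in hits),
        "tags": sorted({t for h in hits for t in h["tags"]}),
    }


def triage_all(alerts=SAMPLE_ALERTS, feed=SAMPLE_FEED):
    index = ThreatIntelIndex(feed)
    return {r["alert_id"]: r for r in (triage(a, index) for a in alerts)}


if __name__ == "__main__":
    for r in triage_all().values():
        print(r["alert_id"], r["verdict"], r["max_confidence"], r["tags"])
```

Two design points matter in practice: the verdict is driven by the feed's own confidence score rather than by the mere presence of a match, since a low-confidence scanner range should not pull an analyst off a confirmed C2 contact, and an alert with no TI hit is left as "no-ti-context" rather than auto-closed, because absence of an indicator is not evidence that the activity is benign.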
To help free up their SOC from routine alert triage tasks, enterprises should also use a proven managed detection and response service.