A SOC Under Siege: Alert Overload and Cyber Skills Shortage
One of the key issues in cybersecurity today is the skills shortage – there simply are not enough cybersecurity professionals to go around in the everyday battle against cybercriminals, nation-states and hacktivists. According to the latest ESG research, 51% of responding organizations claim to have a problematic shortage of cybersecurity skills – this problem has steadily increased from the 23% back in 2014.
Recruiting, training and retaining qualified SOC analysts is a real issue. On top of that, Security Operation Centers (SOCs) are drowning in the sheer volume of alerts that require their attention.
- When security teams were queried about contending with threat alerts, more than three-fourths (79%) said they were overwhelmed by the volume. (“A Day in the Life of a Cyber Security Professional”, Enterprise Management Associates, April 2017).
- A recent survey conducted by the Cloud Security Alliance highlights the high volume of alerts that organizations must address - noting that 2.7 billion events were generated by the average enterprise using cloud services. Of these events, 2,542 on average were anomalous of which 23 were actual threats. The survey also noted that 32% of the respondents ignored alerts due to the large number of false positives.
- “Too many alerts” was among the top three security operations challenges (behind the top challenge by 1%) identified in a recent survey conducted by C.A. Walker Research Solutions, Inc. in November 2017
As organizations add more layers to their defensive strategy, more tools produce more data and alerts that must be correlated. Think of it like this - you’re at a loud restaurant and trying to focus on the conversation at your table, but there is lots of distracting outside noise all around you. It’s hard to focus and not miss something right in front of you.
Let’s take a high-level view of a typical SOC workflow for addressing an alert:
- SOC team receives an alert from a SIEM, some other security device or email. A ticket is created and assigned to a Tier 1 Analyst
- A Tier 1 Analyst must examine and assess the alert for urgency and triage. From there, that source data must be reviewed and then a determination must be made to either close the ticket or escalate to Tier 2 analyst for further analysis.
- The Tier 2 Analyst typically relies upon multiple tools and threat intelligence sources to make an assessment of the threat, pulling together and correlating the alert with information from endpoints, network devices, historical logs. Based on the findings, the analyst must make a risk-based decision to elevate the ticket to an incident, which then goes to the IR team.
Typically all of the above is a manual effort. It requires multiple steps, correlating lots of data from different sources and ultimately lots of time and effort to filter out the false positives, instead of focusing on only the alerts that matter.
In the State of the SOC study that we commissioned, 83% of respondents had less than half of their alerts triaged!
The reason that not all alerts are triaged is because of a lack of automation. Analysts have to manually triage most of the alerts – and the math starts to look pretty ugly.
The 6% of the companies that responded with “75% or higher alerts are triaged daily” include companies that utilize both commercial and home-grown automation tools extensively. Only one of those companies was able to push its alert triage rate to 90%+.
Clearly, automation is a critical goal for enabling the SOC to more effectively do its job. Automation can help ensure a higher triage rate of alerts, which means less critical issues fall through the cracks.
In the next related blog we’ll examine how to reduce alert fatigue through automation.