Seven in ten (70%) organisations struggle to keep up with the volume of alerts generated by security analytics tools, leaving too few resources for important strategic tasks.
This was revealed by an ESG study: "SOC Modernization and the Role of XDR", commissioned by Kaspersky.
These results were mirrored in the ‘2020 State of SecOps and Automation’ survey by Dimensional Research, which found that 83% of cyber security practitioners experience alert fatigue, undermining the effective handling of emergency tasks through a security operations centre (SOC).
Volume, variety
Over and above the sheer volume, the wide variety of alerts is another issue for 67% of organisations, as this makes it tricky for SOC analysts to focus on the more complex and important tasks.
Also, in roughly one in three companies (34%), cyber security teams overloaded with alerts and emergency security issues don’t have enough time to spend on strategy and process improvements.
The ESG study also revealed that organisations don’t believe the problem is due to a lack of staff, with 83% believing their SOC has enough people to effectively protect a company of their size, but rather due to the need to automate processes and use external services.
The primary reason (55%) for using managed services is to give employees more time to focus on strategic initiatives, rather than spending it on security operations tasks.
Yuliya Andreeva, a senior product manager at Kaspersky, says SOC analysts put out fires rather than proactively looking for complex and evasive threats in their infrastructure.
“Reducing the number of alerts, automating their consolidation and correlation into incident chains, and cutting the overall response time should become the primary tasks for organisations to improve the effectiveness of their SOC.”
Avoiding alert fatigue
She says automation solutions and external expert services can help with this.
In addition, to streamline the work of a SOC and avoid alert fatigue, Kaspersky recommends enterprises organise work shifts in their SOC to avoid overworking staff, and ensure all key tasks (monitoring, investigation, IT architecture and engineering, administration, and overall SOC management) are distributed across staff members.
Overwhelming employees with mundane tasks may also lead to burnout in SOC analysts, and practices such as internal transfers and rotations can help manage this.
Finally, the company advises using a proven threat intelligence service that enables the integration of machine-readable intelligence into existing security controls, such as a SIEM system, to automate the initial triage process and generate enough context to decide if the alert should be investigated immediately.
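The two technical recommendations above (consolidating and correlating alerts into incident chains, and enriching them with machine-readable threat intelligence so that initial triage can be automated) can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from Kaspersky, ESG or any product mentioned here. The indicator feed, the SIEM alerts, the field names, the 30-minute correlation window and the confidence thresholds are all constructed for the example; a real deployment would pull indicators from a TAXII/MISP feed and alerts from the SIEM's API.

```python
from datetime import datetime, timedelta

# Constructed machine-readable threat-intelligence feed, keyed by indicator
# value. Real feeds (STIX/TAXII, MISP, vendor APIs) carry many more fields;
# these entries are invented for the example.
INDICATORS = {
    "198.51.100.23": {"type": "ipv4", "confidence": 90, "threat": "Cobalt Strike C2"},
    "203.0.113.77": {"type": "ipv4", "confidence": 40, "threat": "internet scanner"},
    "evil-update.example": {"type": "domain", "confidence": 85, "threat": "malware download"},
}

# Constructed SIEM alerts: six raw detections, not real telemetry.
ALERTS = [
    {"id": "a1", "ts": "2024-03-01T10:00:05", "host": "ws-17", "rule": "dns-query", "indicator": "evil-update.example"},
    {"id": "a2", "ts": "2024-03-01T10:00:40", "host": "ws-17", "rule": "outbound-conn", "indicator": "198.51.100.23"},
    {"id": "a3", "ts": "2024-03-01T10:03:10", "host": "ws-17", "rule": "new-service", "indicator": None},
    {"id": "a4", "ts": "2024-03-01T11:45:00", "host": "ws-04", "rule": "port-scan-in", "indicator": "203.0.113.77"},
    {"id": "a5", "ts": "2024-03-01T12:10:00", "host": "srv-db", "rule": "failed-logon", "indicator": None},
    {"id": "a6", "ts": "2024-03-01T12:12:00", "host": "srv-db", "rule": "failed-logon", "indicator": None},
]

# Assumed triage tiers, highest urgency first.
PRIORITY_ORDER = {"immediate": 0, "investigate": 1, "monitor": 2}


def enrich(alert, indicators):
    """Attach TI context to an alert when its indicator appears in the feed."""
    enriched = dict(alert)
    enriched["ti"] = indicators.get(alert.get("indicator"))
    return enriched


def correlate(alerts, window_minutes=30):
    """Consolidate alerts into incident chains: same host, each alert within
    `window_minutes` of the previous one in the chain."""
    window = timedelta(minutes=window_minutes)
    chains = []
    # ISO-8601 timestamps of identical format sort correctly as strings.
    for alert in sorted(alerts, key=lambda a: (a["host"], a["ts"])):
        ts = datetime.fromisoformat(alert["ts"])
        if chains and chains[-1][-1]["host"] == alert["host"] \
                and ts - datetime.fromisoformat(chains[-1][-1]["ts"]) <= window:
            chains[-1].append(alert)
        else:
            chains.append([alert])
    return chains


def triage(chain):
    """Decide urgency from the best TI confidence in the chain and its size.
    Thresholds (80 / 30 / three alerts) are assumptions for the example."""
    max_conf = max((a["ti"]["confidence"] for a in chain if a["ti"]), default=0)
    if max_conf >= 80:
        return "immediate"
    if max_conf >= 30 or len(chain) >= 3:
        return "investigate"
    return "monitor"


def triage_alerts(alerts, indicators, window_minutes=30):
    """Enrich, correlate and prioritise; returns one work item per incident,
    most urgent first, with the TI context an analyst needs to decide."""
    enriched = [enrich(a, indicators) for a in alerts]
    incidents = []
    for chain in correlate(enriched, window_minutes):
        incidents.append({
            "host": chain[0]["host"],
            "alerts": [a["id"] for a in chain],
            "rules": sorted({a["rule"] for a in chain}),
            "context": sorted({a["ti"]["threat"] for a in chain if a["ti"]}),
            "priority": triage(chain),
        })
    return sorted(incidents, key=lambda i: PRIORITY_ORDER[i["priority"]])


if __name__ == "__main__":
    for incident in triage_alerts(ALERTS, INDICATORS):
        print(f"[{incident['priority']:<11}] {incident['host']}: "
              f"{len(incident['alerts'])} alerts {incident['alerts']} "
              f"rules={incident['rules']} ti={incident['context']}")
```

Run as-is, the six alerts collapse to three work items: the ws-17 chain (DNS lookup of a known malware domain, a connection to a high-confidence C2 address, then a new service) is flagged for immediate action, the single low-confidence scanner hit on ws-04 is queued for investigation, and the two failed logons on srv-db, with no TI match and below the chain-size threshold, are left to monitor. The point is the shape of the pipeline rather than the thresholds: enrichment runs before a human sees anything, correlation cuts the count of items to look at, and the TI context travels with the incident so the first decision can be made without a lookup.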