Threat Overload: IT Feels the Security Burnout
With the number of security attacks that enterprises are facing, it’s no wonder that some IT security professionals are feeling burnt out. In addition to an overall increase in attacks, dealing with security alerts requires lengthy investigations. This is further compounded by the advent of the GDPR in Europe and the CCPA in California, which impose substantial fines on enterprises that don’t abide by security and privacy regulations.
In a report titled “The Impact of Security Alert Overload,” Critical Start spells out just how bad the situation is. The report was developed from a survey of 50 security operations centers (SOCs) in Q2 2019. It concludes that “SOC analysts continue to face an overwhelming number of alerts each day.” The report also found that it’s taking longer to investigate and resolve the security issues raised by alerts.
Security Analyst Impact
False positives that consume resources and produce no results still bog down many SOC analysts, according to the report. Analysts are then forced to try to reduce the time spent investigating alerts, which can produce a high-stress work environment that exacerbates analyst churn. SOC analyst turnover reported by the surveyed SOCs over the last 12 months broke down as follows:
- 20% of the SOCs lost less than 10% of staff
- 45% lost 10-25% of staff
- 29% lost 25-50% of staff
- 6% lost more than 50% of staff
Another part of the report covered the number of alerts handled by an individual each day:
- 30% handled less than 10 alerts/day
- 35% handled 10-20 alerts/day
- 14% handled 20-40 alerts/day
- 14% handled 40-50 alerts/day
- 7% handled 50 or more alerts/day
What SOCs Experience
The Critical Start report also provided other insights about what SOC personnel experience:
- Of survey respondents, 79% need to investigate 10+ security alerts each day, an increase from last year’s report, when 45% reported investigating more than 10 each day.
- The time to investigate an alert averages 10+ minutes for 74% of respondents, an increase from the 64% reported last year.
- False-positive alerts continue to be a problem, with nearly half of respondents reporting a false-positive rate of 50% or higher.
- When there are too many alerts to process, 38% either turn off high-volume alerting features or hire more analysts.
- Despite mobile communications, email is still the dominant means for customer communications at 73%.
Mitigating the Alert Burden
There are choices available to the enterprise for dealing with the security alert issue. Enterprises can:
- Learn to live with the problem and hope analyst turnover doesn’t increase – a bad idea since this is based on hope, not action.
- Train and certify some of the existing non-security internal staff, who know your environment best, as new security analysts.
- Hire more security analyst staff. This will be difficult since there is a glut of open positions and a dearth of possible candidates.
- Increase the security tool budget and acquire better tools that employ AI to reduce the false-positive alert burden.
- Offload part or all of the alert response function to a managed security service provider (MSSP). This passes the problem to a third party, which must then acquire the security tools and analysts instead of the enterprise. You may find that the MSSP is already fully committed and lacks the resources to support your enterprise. Another issue with MSSPs is transparency: the report found that 57% of respondents say MSSPs offer customers “limited to no view into the investigations or underlying data.”
IT infrastructures have become more complex and diverse with cloud services entering the picture. The increase in sophisticated threats combined with the tight labor market for cybersecurity experts requires more sophisticated tools to augment the inadequate number of security analysts. This leads to higher investment in security tools to compensate for the analyst drought as well as more advanced training, both of which increase the IT budget.