70% of organizations struggle to keep up with the volume of security alerts
According to a new ESG study, ‘SOC Modernization and the Role of XDR’ commissioned by Kaspersky, almost three-in-four (70%) respondent organizations struggle to keep up with the volume of alerts generated by security analytics tools. This results in a lack of resources for important strategic tasks and leads organizations towards process automation and outsourcing.
The problem with effectively managing emergency tasks through a security operations center (SOC) remains: according to the ‘2020 state of SecOps and automation’ survey by Dimensional Research, 83% of cybersecurity staff experience alert fatigue.
As well as the volume of alerts, their wide variety is another problem for 67% of organizations, according to the study conducted by ESG. This makes it difficult for a SOC analyst to focus on the more complex and important tasks. In every third company (34%), cybersecurity teams overloaded with alerts and emergency security issues don’t have enough time to spend on strategy and process improvements.
The ESG study also found that organizations don’t relate the problem to a lack of staff – with 83% believing their SOC has enough people to effectively protect a company of their size – but think it is due to the need to automate processes and use external services. The primary reason for using managed services is to allow personnel more time to focus on strategic initiatives, rather than spending time on security operations tasks (55%).
“SOC analysts put out fires rather than proactively looking for complex and evasive threats in the infrastructure. Reducing the number of alerts, automating their consolidation and correlation into incident chains and cutting the overall response time should become the primary tasks for organizations to improve the effectiveness of their SOC. To achieve this, relevant automation solutions and external expert services can help”, comments Yuliya Andreeva, Senior Product Manager at Kaspersky.
To streamline the work of a SOC and avoid alert fatigue, Kaspersky suggests enterprises consider the following advice:
Organize work shifts in your SOC to avoid overworking staff and ensure all key tasks are distributed across people: monitoring, investigation, IT architecture and engineering, administration and overall SOC management.
Overwhelming staff with routine tasks may lead to burnout in SOC analysts. Some practices, such as internal transfer and rotation, can help manage this.
Use a proven threat intelligence service that enables the integration of machine-readable intelligence into your existing security controls, such as a SIEM system, to automate the initial triage process and generate enough context to decide whether an alert should be investigated immediately.
To help free up your SOC from routine alert triage tasks, use a proven managed detection and response service, such as Kaspersky Managed Detection and Response. The service combines AI-based detection technologies with extensive expertise in threat hunting and incident response from professional units including the Kaspersky Global Research & Analysis Team (GReAT).
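The two automation steps the article recommends, enriching alerts with machine-readable threat intelligence and consolidating related alerts into incident chains so fewer items reach an analyst, as an added illustration that is not part of the original article and is not Kaspersky's or ESG's code; the feed entries, hostnames, alert rules and the 30-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: a tiny machine-readable TI feed (indicator -> context)
# as a SIEM would ingest it, and a burst of raw alerts from two hosts.
TI_FEED = {
    "198.51.100.23": {"threat": "known-c2", "confidence": 90},
    "evil-updates.example": {"threat": "phishing-infra", "confidence": 70},
}

ALERTS = [
    {"id": 1, "host": "ws-17", "time": "2021-09-01T09:00:00", "indicator": "203.0.113.8", "rule": "new-outbound-tls"},
    {"id": 2, "host": "ws-17", "time": "2021-09-01T09:04:00", "indicator": "198.51.100.23", "rule": "new-outbound-tls"},
    {"id": 3, "host": "ws-17", "time": "2021-09-01T09:06:00", "indicator": "198.51.100.23", "rule": "scheduled-task-created"},
    {"id": 4, "host": "ws-42", "time": "2021-09-01T11:30:00", "indicator": "203.0.113.8", "rule": "new-outbound-tls"},
    {"id": 5, "host": "ws-17", "time": "2021-09-01T13:00:00", "indicator": "evil-updates.example", "rule": "dns-query"},
]


def enrich(alert, feed):
    """Attach TI context to one alert; an unmatched indicator yields ti=None."""
    return {**alert, "ti": feed.get(alert["indicator"]), "ts": datetime.fromisoformat(alert["time"])}


def correlate(alerts, feed, window=timedelta(minutes=30)):
    """Enrich every alert, then chain alerts from the same host that arrive within
    `window` of the previous one into a single incident ranked by TI confidence."""
    enriched = sorted((enrich(a, feed) for a in alerts), key=lambda a: (a["host"], a["ts"]))
    incidents = []
    for a in enriched:
        last = incidents[-1] if incidents else None
        if last and last["host"] == a["host"] and a["ts"] - last["last_seen"] <= window:
            last["alerts"].append(a["id"])      # extend the existing incident chain
            last["last_seen"] = a["ts"]
        else:
            incidents.append({"host": a["host"], "alerts": [a["id"]], "last_seen": a["ts"],
                              "score": 0, "threats": set()})
        if a["ti"]:                              # TI context raises the incident's priority
            incidents[-1]["score"] = max(incidents[-1]["score"], a["ti"]["confidence"])
            incidents[-1]["threats"].add(a["ti"]["threat"])
    for inc in incidents:                        # thresholds are constructed; tune per SOC
        inc["action"] = ("investigate-now" if inc["score"] >= 80
                         else "review" if inc["score"] > 0 else "queue")
    return incidents


if __name__ == "__main__":
    for inc in correlate(ALERTS, TI_FEED):       # 5 alerts collapse into 3 incidents
        print(inc["host"], inc["alerts"], inc["action"], sorted(inc["threats"]))
```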