Volume of Security Alerts Fatigues Businesses
Seventy percent of enterprises struggle to keep up with the volume of security alerts.
Kaspersky and ESG have collaborated on a new study: ‘SOC Modernization and the Role of XDR’, which concludes that 70% of participating companies confirmed having difficulties when trying to keep up with alerts generated by security analytics tools. This results in a lack of resources on important strategic tasks and drives the company towards a process of automation and process outsourcing.
The problem with task management is in evidence in the “State of SecOps and Automation 2020” study by Dimensional Research, which confirms that 83% of cybersecurity personnel suffer from burnout due to the continuous state of alertness.
According to the ESG study, the wide variety of alerts makes it difficult for the SOC analyst to focus on the most important and complex tasks. However, this problem is not related to a lack of employees, but rather to the need to automate processes and use external services.
Yuliya Andreeva, Senior Product Manager at Kaspersky, comments: “SOC analysts are busy “putting out fires” rather than proactively looking for complex and evasive threats in the infrastructure. Reducing the number of alerts, automating their consolidation and correlation with incident chains and shortening their response time should become the priority tasks to improve SOC effectiveness in organizations. To achieve this, they can rely on automation solutions and external expert services.”
Kaspersky recommends following these tips to avoid SOC work and prevent alert fatigue:
- Organize SOC work shifts to avoid overloading staff and ensure that all key tasks are evenly distributed across the team: monitoring, research, IT architecture and engineering, administration and overall SOC management.
- Overloading staff with routine tasks can lead to attrition of SOC analysts. Practices such as rotations and internal transfers can help avoid this.
- Use threat intelligence services that enable the integration of machine-readable intelligence into your existing security controls, such as a SIEM system, to automate the initial triage process and generate enough context to decide whether the alert should be investigated immediately.
- To help free your SOC from routine triage alert tasks, use programmatic detection and response service, such as Kaspersky Managed Detention and Response. This service combines AI-based detention technologies with extensive threat search and incident response expertise from professional units, including Kaspersky Global Research & Analysis Team (GReAT).