35 percent of SOC employees ignore alerts

Security analysts in the SOC want automated threat detection so they no longer have to worry about missing incidents. The "Voice of the Analysts" survey shows their desire to get a grip on the growing alert fatigue caused by a flood of false positives.

FireEye, Inc., the intelligence-based security company, presents the IDC newsletter "The Voice of the Analysts: Improving Security Operations Center Processes Through Adapted Technologies" (attached). The underlying survey of 350 internal security analysts and Managed Security Service Providers (MSSPs) showed that they are becoming increasingly unproductive. The reason is widespread "alert fatigue", which leads to ignored alerts, increased stress and the fear of missing security incidents. To increase job satisfaction and the effectiveness of their Security Operations Center (SOC), the surveyed analysts would like to automate various activities.

Security analysts in the SOC flooded with information

"Security analysts are overwhelmed by a deluge of false positives from disparate solutions and are increasingly concerned that they are missing out on a real threat," said Chris Triolo, vice president of customer success at FireEye. "To meet this challenge, analysts need advanced automation tools like Extended Detection and Response (XDR) that reduce the worry of missing out on incidents and thereby strengthen the SOC."

Increasing alerts put pressure on security analysts, causing them to spend almost half of their time on false positives.

  • False positives lead to "alert fatigue": Analysts and IT security managers receive thousands of alerts every day, 45 percent of which are false positives, according to the respondents. This reduces the efficiency of the internal analysts and slows down the workflow. 35 percent of those surveyed said they ignore alerts in order to cope with the flood of messages in the SOC.
  • MSSPs spend even more time on false positives and ignore even more alerts: MSSP analysts said 53 percent of the alerts they receive are false positives. Meanwhile, 44 percent of analysts at managed service providers said that they ignore alerts when their queue becomes too full, which could lead to a security breach affecting several customers at once.

Fear of Missing Incidents (FOMI) affects the majority of security analysts and managers.

  • As it becomes more difficult for analysts to manage alerts manually, their concern about missing an incident grows: three in four analysts are worried about missing an incident, and one in four is "very" worried about it.
  • This FOMI plagues security managers even more than their analysts: More than 6 percent of security managers said they sleep poorly out of fear of missing incidents.

Analysts need automated SOC solutions to counter the FOMI.

  • Less than half of corporate security teams currently use tools to automate SOC activities: the study reveals the tools security analysts prefer for reviewing alerts. It shows that less than half use artificial intelligence and machine learning (43 percent), security orchestration, automation and response (SOAR) tools (46 percent), security information and event management (SIEM) software (45 percent), threat hunting (45 percent) and other security capabilities. In addition, only two out of five analysts use artificial intelligence and machine learning in conjunction with other tools.
  • Advanced automated solutions reduce alert fatigue among security teams and improve the success of the SOC by allowing analysts to focus on more demanding tasks such as threat hunting and cyber investigations: Most analysts want automation of threat detection (18 percent), followed by threat intelligence (13 percent) and incident triage (9 percent).

IDC newsletter methodology

IDC surveyed 300 US IT security managers and security analysts across industries including finance, healthcare and government, and 50 managed security service providers, about the challenges they face managing their SOCs. The survey was carried out in autumn 2020. This IDC newsletter was previously endorsed by Respond Software, now part of FireEye.

Find out more at FireEye.com

About Trellix

Trellix is a global company redefining the future of cybersecurity. The company's open and native Extended Detection and Response (XDR) platform helps organizations facing today's most advanced threats gain confidence that their operations are protected and resilient. Trellix security experts, along with an extensive partner ecosystem, accelerate technology innovation through machine learning and automation to support over 40,000 business and government customers.
