Report Finds Excessive Alerts, Outdated Metrics, and Limited Integration Lead to Over-taxed Security Operations Centers
Fidelis Cybersecurity, a leading automated detection and response provider, today released the results of a study examining current trends and practices of threat detection and response in enterprise companies. The study, conducted by 360Velocity and Dr. Chenxi Wang, Founder of the Jane Bond Project, found that excessive alerts, outdated metrics, and limited integration lead to over-taxed security operations centers (SOCs).
The study was conducted over the span of three months, interviewing security practitioners from enterprise companies in a cross-section of industries: Software-as-a-Service (SaaS), retail, financial services, healthcare, consumer services, and high tech. The results reveal how different organizations manage SOCs, incident response and threat hunting tasks.
“The study findings are only further proof that with a rising threat landscape, continued constraints on both the availability and bandwidth of well-trained SOC analysts, SOCs are increasingly burdened,” said Tim Roddy, VP of cybersecurity product strategy. “Organizations need to look at automating common tasks, integrating network visibility with endpoint detection and response, and shifting the focus from identifying signatures and indicators to attacker Techniques, Tactics, and Procedures (TTPs).”
As the threat landscape changes and enterprises adopt additional layers of defensive technologies, SOCs are being overwhelmed by the sheer volume of alerts and the number of investigations that require their attention. Furthermore, the study found that in addition to a capacity issue, SOCs face a skills gap and training issue, as many organizations struggled to recruit, train, and retain qualified SOC analysts. Other key findings include:
- SOC analysts are being overwhelmed by alerts: Alerts and incidents are skyrocketing, but most SOC analysts (60 percent) can only handle between 7 and 8 investigations in a day. Only 10 percent of organizations said they can realistically handle 8-10 investigations in a day.
- Integration is key for SOC automation, efficiency, and effectiveness: Seventy percent of survey respondents said that at least half of their security controls were NOT integrated. Lack of integration impedes not only the speed of investigation, but also the speed of remediation and control. The survey results showed a correlation between the companies that achieved a high alert triaging rate and those that have more integrated security controls.
- Automation is not only becoming increasingly important for SOCs, but mandatory: A big theme in security operations today is automation. Increasing automation can lead to improved efficiency, reduced dwell time, and ultimately, better performance for security operations. Without automation, alert triaging is a tedious process, which is why 83 percent of the companies had fewer than 50 percent of their alerts triaged daily.
- SOC and Incident Response metrics are outdated and ineffective: Every organization interviewed uses metrics to measure SOC and Incident Response (IR) effectiveness. However, 80 percent feel that the metrics they are using today are ‘not effective’ or ‘had room for improvement’.
- Threat hunting is an elite operation that exists only in the largest and most sophisticated organizations: Only 17 percent of organizations have a dedicated threat hunting team.
“Our study uncovered a number of notable findings,” said Wang. “For organizations that want to operate efficient, highly effective security operations, we recommend following best practices such as automating tier 1 and tier 2 analysts’ tasks, identifying further opportunities to eliminate manual tasks, and standardizing processes and procedures for threat detection and response.”
To view the full report, visit: https://fidelissecurity.com/resources/state-soc
To hear more commentary and analysis on the survey findings, join the webinar on 4/4 at 11am ET: https://fidelissecurity.com/resource/webinar/soc-automate-detection-response/

About Fidelis Cybersecurity
Fidelis Cybersecurity combats the full spectrum of cyber-crime, data theft and espionage. A leading provider of threat detection, hunting and response solutions, Fidelis provides full visibility across hybrid environments, automates threat and data theft detection, empowers threat hunting, and optimizes incident response with context, speed and accuracy. Fidelis is trusted by Global 1000s and Governments as their last line of defense.
The Fidelis Elevate® platform captures rich metadata from across the threat landscape and combines that content to enable real-time and retrospective analysis, giving security teams the platform to effectively hunt for threats in their environment.
For more information go to www.fidelissecurity.com. Fidelis Cybersecurity is a portfolio company of Skyview Capital.