Sam Erdheim has two decades of experience across all facets of marketing and product management for enterprise software companies. At Fidelis, Sam leads the marketing strategy and go-to-market activities...
A SOC Under Siege: Alert Overload and Cyber Skills Shortage
One of the key issues in cybersecurity today is the skills shortage: there simply are not enough cybersecurity professionals to go around in the everyday battle against cybercriminals, nation-states and hacktivists. According to the latest ESG research, 51% of responding organizations report a problematic shortage of cybersecurity skills, a figure that has risen steadily from 23% in 2014.
Recruiting, training and retaining qualified SOC analysts is a real issue. On top of that, Security Operations Centers (SOCs) are drowning in the sheer volume of alerts that require their attention.
As organizations add more layers to their defensive strategy, more tools produce more data and alerts that must be correlated. Think of it like this – you’re at a loud restaurant and trying to focus on the conversation at your table, but there is lots of distracting outside noise all around you. It’s hard to focus and not miss something right in front of you.
Let’s take a high-level view of a typical SOC workflow for addressing an alert:
Typically every step of that workflow is a manual effort. It takes multiple steps, correlating data from many different sources, and ultimately a great deal of analyst time to filter out the false positives, instead of focusing only on the alerts that matter.
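To make that workflow concrete, here is an added example (not code from this post or from Fidelis' product) of the first pass a SOC typically automates before an analyst ever opens a ticket: collapse duplicate alerts, close alerts that match a reviewed allowlist of known-benign activity, and correlate what remains across sensors on the same host so that multi-sensor hits are escalated first. The two sensors ("edr" and "ids"), the field names, the allowlist entries and the alerts themselves are constructed for illustration.

```python
"""Automated first-pass alert triage: dedupe, suppress known-benign, correlate.

Added example, not Fidelis code. Sensor names, field names, the allowlists
and the alerts below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts from two hypothetical sensors: an EDR agent and a network IDS.
# "key" is the discriminating detail of the alert (command line or destination IP).
SAMPLE_ALERTS = [
    {"id": "a1", "source": "edr", "host": "ws-017", "ts": "2021-03-01T09:00:05",
     "type": "suspicious_powershell", "key": "powershell -enc SQBFAFgA"},
    {"id": "a2", "source": "ids", "host": "ws-017", "ts": "2021-03-01T09:00:40",
     "type": "c2_beacon", "key": "203.0.113.10"},
    {"id": "a3", "source": "ids", "host": "ws-020", "ts": "2021-03-01T09:05:00",
     "type": "c2_beacon", "key": "198.51.100.7"},
    {"id": "a4", "source": "edr", "host": "ws-020", "ts": "2021-03-01T09:06:00",
     "type": "suspicious_powershell", "key": "powershell -File C:\\scripts\\inventory.ps1"},
    {"id": "a5", "source": "edr", "host": "ws-020", "ts": "2021-03-01T09:06:02",
     "type": "suspicious_powershell", "key": "powershell -File C:\\scripts\\inventory.ps1"},
    {"id": "a6", "source": "ids", "host": "srv-db1", "ts": "2021-03-01T10:00:00",
     "type": "port_scan", "key": "10.0.0.5"},
]

# Assumed, analyst-reviewed allowlist: an internal vulnerability scanner's address
# and an approved inventory script. In practice each entry carries an owner/ticket
# and an expiry so that suppressions are re-validated rather than forgotten.
ALLOWLIST = {
    "c2_beacon": {"198.51.100.7"},
    "suspicious_powershell": {"powershell -File C:\\scripts\\inventory.ps1"},
}
DEDUP_WINDOW = timedelta(minutes=5)
CORRELATION_WINDOW = timedelta(minutes=10)


def _ts(alert):
    return datetime.fromisoformat(alert["ts"])


def deduplicate(alerts, window=DEDUP_WINDOW):
    """Collapse repeats of the same (host, type, key) seen within `window`.

    Only kept alerts refresh the timestamp, so an hour-long storm still
    surfaces one alert per window instead of being suppressed forever."""
    kept, last_seen = [], {}
    for a in sorted(alerts, key=_ts):
        fp = (a["host"], a["type"], a["key"])
        prev = last_seen.get(fp)
        if prev is not None and _ts(a) - prev <= window:
            continue  # duplicate of an alert already in the queue
        last_seen[fp] = _ts(a)
        kept.append(a)
    return kept


def triage(alerts):
    """Return {alert_id: disposition} with one of:
    'duplicate' (collapsed), 'closed' (matches the allowlist),
    'escalate' (another sensor fired on the same host within the window)
    or 'review' (single-sensor alert left for an analyst)."""
    unique = deduplicate(alerts)
    disposition = {a["id"]: "duplicate" for a in alerts}
    live = []
    for a in unique:
        if a["key"] in ALLOWLIST.get(a["type"], set()):
            disposition[a["id"]] = "closed"
        else:
            live.append(a)
    # Correlate: group surviving alerts by host and look for a second sensor.
    by_host = defaultdict(list)
    for a in live:
        by_host[a["host"]].append(a)
    for host_alerts in by_host.values():
        for a in host_alerts:
            other_sources = {b["source"] for b in host_alerts
                             if b is not a and abs(_ts(b) - _ts(a)) <= CORRELATION_WINDOW}
            disposition[a["id"]] = "escalate" if other_sources - {a["source"]} else "review"
    return disposition


def analyst_queue_reduction(alerts):
    """Fraction of raw alerts an analyst no longer has to open by hand."""
    d = triage(alerts)
    handled = sum(1 for v in d.values() if v in ("duplicate", "closed"))
    return handled / len(alerts)


if __name__ == "__main__":
    for alert_id, verdict in sorted(triage(SAMPLE_ALERTS).items()):
        print(alert_id, verdict)
    print("queue reduced by", analyst_queue_reduction(SAMPLE_ALERTS))
```

On the constructed input, the two PowerShell alerts from ws-020 collapse to one and are then closed against the allowlist, the scanner beacon is closed, the EDR and IDS hits on ws-017 are escalated together, and only the lone port scan is left as an ordinary review item; half of the raw alerts never reach a human. The allowlist is the sensitive part of any such pipeline: an over-broad entry silently closes real intrusions, so suppressions should be narrow (exact command line or destination, not a bare process name) and periodically re-reviewed.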
In the State of the SOC study that we commissioned, 83% of respondents reported triaging fewer than half of their alerts.
The reason not all alerts are triaged is a lack of automation. Analysts have to triage most alerts by hand, and the math quickly starts to look ugly.
The 6% of respondents who reported that 75% or more of their alerts are triaged daily are companies that use both commercial and home-grown automation tools extensively. Only one of those companies was able to push its alert triage rate above 90%.
Clearly, automation is a critical goal for enabling the SOC to do its job more effectively. Automation can help ensure a higher triage rate of alerts, which means fewer critical issues fall through the cracks.
In the next related blog we’ll examine how to reduce alert fatigue through automation.