Cybersecurity teams all around the world are facing an ever-increasing volume of security alerts. This seriously hinders the accurate assessment and classification of threats, which in turn means that resources are not assigned according to the risk each threat actually poses. This excess of alerts “fatigues” SOC analysts. The 2018 Incident Response Survey by SANS illustrates the point: 74% of professionals acknowledged having responded to at least one false positive over the previous year. This is a real problem for organizations.

To this we can add the shortage of cybersecurity professionals, which stands at around 3 million worldwide. A shortage of this magnitude naturally leads to IT security teams being overwhelmed, and could easily result in the signs of a possible attack being missed. This can have major consequences for companies, including undetected security breaches and high staff turnover, among others.

Automation technology and advanced services for increased efficiency

In this context, what the industry calls “security fatigue” starts to set in, described as “weariness or resignation” in the face of necessary protection measures. It is a state that Security Operations Center (SOC) analysts suffer from, and it prevents them from responding properly and accurately to attacks. Cybersecurity teams, and heads of IT security in particular, have to take on too many tasks: looking out for new threats, protecting the perimeter, getting ahead of attacks, making sure other employees follow action protocols, and so on. Under such a workload, real threats are not dealt with effectively, whether that means keeping operating systems constantly updated to stop exploits that leverage a vulnerability to get into our network, or countering the newer Living-off-the-Land tactics. Naturally, this increases the security risk the company faces.

Many heads of security ignore security risks at work because they’ve previously led to false positives, which made them waste time on something that wasn’t really a danger. This means they prioritize other tasks or alerts, and this can lead to cyberattacks that can seriously endanger the organization.

María Campos, VP of Cytomic

The first step: reducing and filtering alerts

But how can we put an end to the danger this kind of fatigue poses for the company? Firstly, the priority of SOC analysts must be to reduce the number of alerts that turn out to be false positives, as well as to filter all confirmed attacks (by both known and unknown malware).

Once this has been tackled, the next step is to reduce the effort spent on security operations and automate them further. At the very least, alert prioritization and triage must be automated, along with repetitive tasks such as report generation and gathering context information. From there, the further an enterprise advances towards automation, the fewer manual management tasks remain, and the mean time to detect and respond drops accordingly.
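As an added illustration of the two steps above (not code from the original post or from Cytomic), the following Python sketch runs a burst of alerts through a first-pass triage: analyst-confirmed false positives are suppressed, duplicates are collapsed, and what remains is ranked by severity and asset criticality. The rule names, hosts, suppression entry and asset weights are all constructed for the example.

```python
"""Added example: first-pass alert triage (suppress, de-duplicate, prioritise). Constructed data."""
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    rule: str       # detection rule that fired
    host: str       # endpoint the alert came from
    severity: int   # 1 (informational) .. 5 (critical), assigned by the detection
    detail: str     # free-text context attached by the sensor

# Tuning list (constructed): (rule, substring of detail) pairs analysts have confirmed
# benign. Matching is per rule and context, so the same rule still fires elsewhere.
SUPPRESS = {("proc_exec_powershell", "parent=CcmExec.exe")}  # software deployment agent

# Asset criticality multipliers (constructed); unknown hosts default to 1.
ASSET_WEIGHT = {"dc01": 3, "fileserver": 2}

def is_suppressed(a: Alert) -> bool:
    return any(a.rule == rule and needle in a.detail for rule, needle in SUPPRESS)

def triage(alerts):
    """Collapse alerts to one row per (rule, host), highest priority first."""
    kept = [a for a in alerts if not is_suppressed(a)]
    counts = Counter((a.rule, a.host) for a in kept)
    first = {}
    for a in kept:                      # first occurrence represents the group
        first.setdefault((a.rule, a.host), a)
    rows = [{"rule": r, "host": h, "count": counts[(r, h)],
             "score": a.severity * ASSET_WEIGHT.get(h, 1)}
            for (r, h), a in first.items()]
    rows.sort(key=lambda x: (x["score"], x["count"]), reverse=True)
    return rows

def suppressed_count(alerts):
    return sum(is_suppressed(a) for a in alerts)

# Constructed sample burst: 30 alerts, 20 of them from the known-benign agent.
SAMPLE = (
    [Alert("proc_exec_powershell", "ws07", 3, "powershell.exe -EncodedCommand parent=CcmExec.exe")] * 20
    + [Alert("proc_exec_powershell", "ws07", 3, "powershell.exe -EncodedCommand parent=WINWORD.EXE")]
    + [Alert("lateral_movement_smb", "dc01", 4, "ADMIN$ accessed from ws07")] * 3
    + [Alert("new_service_install", "fileserver", 3, "service 'updsvc' created")]
    + [Alert("failed_logon_burst", "ws12", 2, "15 failures in 60s")] * 5
)

if __name__ == "__main__":
    print(f"{len(SAMPLE)} alerts received, {suppressed_count(SAMPLE)} suppressed")
    for row in triage(SAMPLE):
        print(row)
```

Thirty alerts become four rows for review, with the domain controller at the top; note that the suppression is scoped to the agent's parent process, so the same PowerShell rule fired by a document editor still reaches the analyst.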

There is currently a wide range of tools that help eliminate alert fatigue and speed up teams’ understanding of events. Thanks to these tools, enterprises can reduce the asymmetric advantage that cyberattackers hold over existing endpoint security solutions. Cytomic offers cybersecurity solutions and services that integrate perfectly with each organization’s tools and practices. This way, we can respond to the specific cybersecurity needs of customers in the enterprise segment.
