CriticalStart, a Plano, Texas-based provider of Managed Detection and Response (MDR) services, has published new research revealing that Security Operations Center (SOC) analysts continue to face an overwhelming number of alerts each day, and that those alerts are taking longer to investigate. A growing number of SOC analysts have come to believe that their primary job is simply to “reduce the time it takes to investigate alerts,” according to the report, which also states that this phenomenon may be a contributing factor to analyst churn.
The company’s second annual report, titled “The Impact of Security Alert Overload,” surveyed SOC professionals across enterprises, MSSPs, and MDR providers to evaluate the state of incident response within SOCs from a variety of perspectives, including alert volume and management, business models, customer communications, and SOC analyst training and turnover.
The survey also found that 70 percent of respondents investigate 10+ alerts each day (up from 45 percent last year), while 78 percent state that it takes 10+ minutes to investigate each alert (up from 64 percent last year). In addition, false positives remain a struggle, with nearly half of respondents reporting a false-positive rate of 50 percent or higher, almost identical to last year.
With this volume of alerts, 38 percent say their SOC either tries to hire more analysts or turns off high-volume alerting features deemed too noisy, both up significantly from last year. The share of respondents who feel their main job responsibility is to analyze and remediate security threats has dropped dramatically, from 70 percent down to 41 percent, as analysts increasingly believe their role is to reduce alert investigation time or the volume of alerts.
Nearly half of respondents say they get 20 or fewer hours of training per year.
“The research reflects what we are seeing in the industry – as SOCs get overwhelmed with alerts, they begin to ignore low to medium priority alerts, turn off or tune out noisy security applications, and try to hire more bodies in a futile attempt to keep up,” said Rob Davis, CEO at CriticalStart. “Combine that stressful work environment with no training and it becomes clear why SOC analyst churn rates are so high, which only results in enterprises being more exposed to risk and security threats.”
The data suggests that the industry needs to renew its focus on managing alert volume, investigation time, and the rate of false positives.