
what hinders the work of the SOCs

by admin

Vectra AI’s State of Threat Detection Research Report 2023 also provides insight into the “spiral of more”: more attacks, more alerts, more work, a phenomenon that hampers the work of SOCs. Today, security operations teams (SecOps) are in charge of protecting organizations from increasingly sophisticated and fast-paced cyberattacks. However, the complexity of the people, processes and technology at their disposal is making it increasingly difficult to mount an effective cyber defense.

The ever-expanding attack surface, coupled with evolving attack methods and a growing workload for SOC analysts, results in a vicious spiral of “more” that prevents security teams from effectively protecting their own organization. Based on a survey of 2,000 SecOps analysts, the report explains why the current approach to security operations is no longer sustainable.

Defend the organization

Manual triage of security alerts costs organizations $3.3 billion a year in the United States alone. Security analysts have the daunting task of detecting, investigating and responding to threats as quickly and efficiently as possible, while being challenged by an expanding attack surface and thousands of daily security alerts.

Some considerations

According to 63% of analysts, the size of the attack surface has increased in the last three years. On average, SOC teams receive 4,484 alerts per day and spend nearly three hours of their day manually managing alerts; security analysts are unable to handle 67% of the alerts received every day, and 83% believe alerts are false positives and not worth their time.

Vectra AI opinion

While the majority of SOC analysts claim their tools are effective, the combination of blind spots and a high volume of false positive alerts prevents companies and their SOC teams from successfully containing IT risk. Without visibility into the entire IT infrastructure, organizations are unable to identify even the most common signs of an attack, such as lateral movement, privilege escalation and cloud attack hijacking.


An overload of alerts

97% of SOC analysts fear missing a major security event because it is “buried” under a flood of alerts. Yet the vast majority believe their tools are effective overall; 41% believe that alert overload is the norm because vendors are afraid of failing to report an event that could turn out to be important, and 38% say security tools are purchased to meet compliance requirements. 47% would like IT team members to consult with them before investing in new products.

Analyst burnout

Despite the growing adoption of AI and automation tools, the security industry still needs significant numbers of workers to interpret the data, initiate investigations and take corrective measures based on the information received. Faced with alert overload and repetitive tasks, two-thirds of security analysts are considering or have already decided to quit their jobs, a figure that will have a potentially devastating impact on the sector in the long run.

Although 74% of respondents say that their work is up to expectations, 67% are considering leaving or are already leaving their jobs. 34% of analysts who are considering leaving their role or are already leaving say they do not have the necessary tools to ensure the security of their organization. 55% of analysts say they are so busy that they feel like they are doing the work of several people. 52% believe that working in the security industry is not a viable long-term career option.

An approach in need of updating

Kevin Kennedy, Senior Vice President of Products at Vectra AI
As enterprises move to hybrid and multi-cloud environments, security teams are continually faced with more. More attack surface, more attack methods that evade defenses, more alert noise, more complexity and more hybrid attacks.

The current approach to threat detection is no longer valid, and our report findings demonstrate that the excess of disparate and isolated tools has created too much background noise in detection for SOC analysts to successfully manage it. Instead, it ends up creating an ideal environment for attackers to get in. As an industry, we can’t keep feeding this spiral: it’s time we held security vendors accountable for their signal effectiveness. The more effective the threat signal, the more resilient and cyber-effective the SOC becomes.
