New research from Advanced Threat Analytics: Incident responders waste hours each day investigating false-positive alerts; manpower requirements stress MSSP business models
DALLAS (February 12, 2018) – Advanced Threat Analytics (ATA) today published new research that reveals managed security services providers (MSSPs) are wasting enormous resources processing useless security alerts, a problem that impacts staffing, operational business models and security effectiveness. Additionally, the survey found that incident responders often cope with this problem by either reducing the sensitivity of security equipment or ignoring alerts altogether.
ATA polled nearly 50 MSSPs to evaluate the state of incident response within their security operations centers (SOCs). Key findings from the survey include:
- 44 percent of respondents report a 50 percent or higher false-positive rate (22 percent experience a 50-75 percent false-positive rate while the other half states a rate between 75 and 99 percent).
- Nearly 45 percent of respondents investigate 10 or more alerts each day (22 percent investigate between 10 and 20 alerts each day, 11 percent investigate 20-40 daily, and 11 percent investigate 50 or more).
- 64 percent state that, on average, it takes 10 minutes or more to investigate each alert (33 percent say it takes between 10 and 20 minutes to investigate each alert, 20 percent say it takes between 20 and 30 minutes, and 11 percent state it takes 30 minutes or more).
“This research shows that MSSPs are still on the receiving end of an oppressive number of daily security alerts, forcing many analysts and incident responders to spend hours – in some cases, more than five – each day investigating them, many of which turn out to be false positives,” said Alin Srivastava, president, ATA. “Devoting so much time to benign alerts severely compromises security effectiveness, as analysts are distracted from acting on actual threats and incidents.”
Alert Overload Dictates Business Models
Staff inefficiency isn’t the only outcome associated with alert overload. It also forces SOCs to compromise in other critical areas. When asked what they do if their SOC has too many alerts for analysts to process, respondents say they: tune specific alerting features or thresholds to reduce alert volume (67 percent); ignore certain categories of alerts (38 percent); turn off high-volume alerting features (27 percent); and hire more analysts (24 percent).
“Many MSSPs are expanding their teams in an effort to keep up with alert volume, which isn’t a sustainable model, while others change operational processes, like turning off security features or ignoring certain alerts, which greatly increases the risk that legitimate security events will go undetected,” continued Srivastava. “The most effective way for MSSPs to break free from alert tyranny is to invest in technology that decreases the number of incidents generated, rather than in traditional SIEM and incident orchestration solutions, which only reduce the time it takes to investigate each one.”
Do Your Job
When survey respondents were asked what they feel is the main responsibility of their job, 70 percent say analyzing and remediating security threats; 20 percent say limiting the number of alerts sent to clients for review; 5 percent say investigating as many alerts as possible; and the remaining 5 percent say reducing the time it takes to investigate a security alert.
Srivastava commented: “When analysts are no longer bogged down in an unmanageable number of alerts, they can focus on what they were hired to do – mitigate risk by identifying true threats and responding quickly. And when security teams are operating at peak efficiency, MSSPs can keep personnel and SOC costs down. The net result is that MSSPs can reduce the alert-overload problem and take a more efficient, effective and strategic approach to security operations – and that’s a huge win for employees, the business and their clients.”
About Advanced Threat Analytics
Advanced Threat Analytics enables large enterprises and MSSPs to overcome the alert-overload problem. The company’s Alert Classification Platform and Mobile SOC enable a new type of security event orchestration that frees incident responders from alert overload and enables them to effectively analyze and triage alerts anytime and anywhere. More information is available at www.advancedthreatanalytics.com.