By Gary Audin
More and more businesses are implementing security software and establishing a security operations center (SOC). Handling all the security alerts on top of the everyday efforts to secure the business leads to security overload which
leads to security staff turnover. The business IT security staff is limited because there are not enough qualified people to fill theopen security positions. The security alert investigation times are expanding placing a greater burden on security analysts.
Business Security Alert Overload
The research report “The Impact of Security Alert Overload” by Critical Start spells out their discoveries. The report was developed from surveying 50 Security Operations Centers (SOC). The conclusion of the report is that “SOC analysts continue to face an overwhelming number of alerts each day.” The report also found that it is taking longer to investigate and resolve the security issues raised by the alerts.
Security Staff Turnover
SOC analysts can be buried in alerts, many of which are false-positives and that consume resources producing no results. The analysts are forced to try and reduce the time to investigate the alerts. This produces a high-stress work environment that exacerbates the analyst churn. The SOC analyst turnover reported in the last 12 months of the report by the SOCs found:
- Twenty percent of the SOCs lost less than 10% of staff
- Forty five percent lost 10 to 25% of staff
- Twenty nine percent lost 25 to 50% of staff
- Six percent lost more than 50% of staff
Another part of the report covered the number of alerts handled by an individual each day:
- Thirty percent handled less than 10 alerts/day
- Thirty five percent handled 10 to 20 alerts/day
- Fourteen percent handled 20 to 40 alerts/day
- Fourteen percent handled 40 to 50 alerts/day
- Seven per cent handled 50 or more alerts/day
The Critical Start report also provided other insights about what SOC personnel experience:
- The survey respondents, 79%, need to investigate 10+ security alerts each day, which is an increase from the last year’s report when 45% reported investigating more than 10 each day.
- The time to investigate an alert averages 10+ minutes for 74% of respondents which is an increase from 64% reported last year.
- False positive alerts continue to be a problem with nearly half reporting a false-positive rate of 50% or higher.
- When there are too many alerts to process, 38% either turn off high-volume alerting features or hire more analysts, a significant increase from last year. This is not security management.
Opportunity for the MSP to be an MSSP
There are choices available to the enterprise for dealing with the security alert issue. Businesses can:
- Learn to live with the problem and hope the analyst turnover does not increase.
- Train and certify some of the existing non security internal staff as new security analysts.
- Hire more security analyst staff.
- Increase the security tool budget and acquire better tools that employ AI. Not always affordable by the business.
- Off load part or all the alert response function to a managed security service provider (MSSP) who has the staff and resources available to provide wider coverage and 24 hour support.