SOC Teams in Permanent Fear

Vectra study shows: Almost all SOC analysts fear missing relevant security events.

Today’s Security Operations (SecOps) teams are tasked with fending off increasingly sophisticated and rapid cyberattacks. But the complexity of the experts, processes and technologies at their disposal makes cyber defence increasingly difficult. The ever-expanding attack surface, combined with attackers’ evolving methods and the growing workload of SOC analysts, creates a vicious cycle that prevents security teams from effectively protecting their organisations.

4,500 alerts per day

Manually sifting through alerts costs companies $3.3 billion annually in the US alone. Security analysts face the daunting task of identifying, investigating and responding to threats as quickly and efficiently as possible, while contending with a growing attack surface and thousands of daily security alerts. For example, 63 per cent say the size of their attack surface has increased over the past three years. SOC teams receive an average of nearly 4,500 alerts per day and spend nearly three hours per day manually handling them. Eighty-three per cent say these alerts are often false positives that are not worth their time.

Attack signs are often not recognised

Although the majority of SOC analysts say their tools are effective, the combination of blind spots and a high number of false positive alerts is preventing companies and their SOC teams from successfully mitigating cyber risks. Without visibility into the entire IT infrastructure, organisations are not even able to identify the most common signs of an attack, for example lateral movement, privilege escalation and hijacking via cloud attacks. As a result, almost all SOC analyst respondents (97%) worry about missing a relevant security event because it is buried under a flood of alerts, even though the vast majority consider their tools effective overall. Alarmingly, more than a third say that security tools are bought only to meet compliance requirements.

Two-thirds of analysts are thinking about leaving

Despite the increasing use of AI and automation tools, the security industry still requires a significant number of staff to interpret data, initiate investigations and take remedial action based on the information provided to them. Faced with an overload of alerts and repetitive, mundane tasks, two-thirds of security analysts say they are thinking about leaving their jobs or are already doing so. This is despite three-quarters of respondents saying their position meets their expectations. However, more than half (55%) of analysts say they have so much to do that they feel they are doing the work of several people.

“Excess of disparate, isolated tools”

“As enterprises move to hybrid and multi-cloud environments, security teams are constantly faced with more – more attack surface, more attack methods that evade defence, more noise, more complexity and more hybrid attacks,” says Kevin Kennedy of Vectra AI. “The current approach to threat detection is out of date, and the findings of this report show that the overabundance of disparate, siloed tools has created too much detection noise for SOC analysts to successfully deal with, and instead fosters a noisy environment ideal for attackers to penetrate. As an industry, we must not allow the spiral to continue, and it is time to hold security solution providers accountable for the effectiveness of their signals. The more effective the threat signal, the more resilient and effective the SOC becomes.”

Vectra’s 2023 State of Threat Detection Research Report surveyed 2,000 SOC analysts worldwide.