Executive Q&A: How SOC analysts are handling FOMI

April 27, 2021
A recent executive survey shows how security managers and organizations can help alleviate stress through automation.

Security analysts are suffering from “alert fatigue,” resulting in ignored alerts, less productivity and fear of missing incidents, otherwise known as FOMI.

FireEye recently partnered with IDC to survey 350 in-house security and managed security service provider (MSSP) analysts for the InfoBrief, “The Voice of the Analysts: Improving Security Operations Center Processes Through Advanced Technologies.” The research further outlines how FOMI and false-positive alerts are plaguing analysts.

We recently spoke with Chris Triolo, VP of Customer Success at Mandiant, about these findings, gaining further insight into the challenges facing SOC analysts and how security managers and organizations can help alleviate this stress through automation.

SIW: Is the increase in false-positive alerts a result of COVID? How does this affect SOC analysts’ productivity in conjunction with the transition to remote work?

Triolo: Even prior to the pandemic, false positives were an ongoing challenge for analysts, and the transition to remote work has only expanded this problem as teams manage their SOCs from home. In fact, we found in our InfoBrief with IDC that 45 percent of security alerts are actually false positives.

The increase in false positives can be explained by new security alerts and monitoring tools as a result of the shift to remote work. The implementation of new endpoint technology is a must for organizations with remote employees, but this technology should go beyond antivirus software. It should also include next-generation software such as endpoint detection and response (EDR) products like CrowdStrike, Carbon Black and even Microsoft. As companies deploy these products for the first time, security teams and MSSPs may experience increased false-positive alerts.

SIW: What does the rise in false-positive alerts, and ignored alerts, say about the industry right now?

Triolo: As mentioned previously, the rise in false-positive alerts is an unsolved problem the security industry is still tackling. However, tools like extended detection and response (XDR) software are meant to address this issue and improve alert management. While we found that 43 percent of analysts are using machine learning and AI to investigate alerts, security managers and organizations should prioritize automated threat detection and analysis to ultimately suppress false positives.

Though XDR is a newer service, it has quickly become popular in helping security teams better understand relationships by analyzing data to determine if a potential threat is malicious and whether it can be ignored. This analysis helps reduce the number of false positives, something traditional security tools have not been able to solve due to the over-simplicity of correlation rules.
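The contrast Triolo draws above, between a single over-simple correlation rule and an analysis that weighs several signals about the same entity, can be shown with a small scoring routine. The following is an added illustration, not code from the interview, the InfoBrief, or any XDR product; the event list, signal names, weights and threshold are all constructed for the example and would be tuned per environment in practice.

```python
"""Added example: one-signal rule versus entity-level correlation.

All telemetry below is constructed for illustration; the weights and
threshold are hypothetical starting values, not vendor defaults.
"""
from collections import defaultdict

# Constructed sample events: (host, telemetry source, detection signal)
SAMPLE_EVENTS = [
    ("ws-01", "edr", "powershell_encoded_cmd"),
    ("ws-01", "proxy", "rare_domain"),
    ("ws-01", "edr", "lsass_access"),
    ("ws-02", "edr", "powershell_encoded_cmd"),  # admin maintenance script, benign
    ("ws-03", "proxy", "rare_domain"),            # newly onboarded SaaS vendor, benign
    ("ws-04", "edr", "powershell_encoded_cmd"),
    ("ws-04", "proxy", "rare_domain"),
]

# Hypothetical per-signal weights; a real deployment tunes these.
SIGNAL_WEIGHT = {
    "powershell_encoded_cmd": 30,
    "rare_domain": 20,
    "lsass_access": 50,
}
CORROBORATION_BONUS = 20  # added when two or more independent sources agree
ALERT_THRESHOLD = 60


def simple_rule_alerts(events):
    """The over-simple rule: every encoded PowerShell event becomes an alert.

    Returns the list of hosts that would land in the analyst queue, in order,
    including the benign admin script on ws-02.
    """
    return [host for host, _, sig in events if sig == "powershell_encoded_cmd"]


def correlated_alerts(events):
    """Score each host across all sources and alert only above a threshold.

    Returns {host: score} for hosts whose combined evidence crosses
    ALERT_THRESHOLD. Single isolated signals (ws-02, ws-03) never reach it,
    so they are suppressed rather than handed to an analyst.
    """
    score = defaultdict(int)
    sources = defaultdict(set)
    for host, source, sig in events:
        score[host] += SIGNAL_WEIGHT.get(sig, 0)
        sources[host].add(source)

    result = {}
    for host, total in score.items():
        if len(sources[host]) >= 2:
            total += CORROBORATION_BONUS
        if total >= ALERT_THRESHOLD:
            result[host] = total
    return result


if __name__ == "__main__":
    print("simple rule  :", simple_rule_alerts(SAMPLE_EVENTS))
    print("correlated   :", correlated_alerts(SAMPLE_EVENTS))
```

On the constructed events the single rule queues three hosts, one of them a benign admin script, while the correlated view queues only the two hosts where several signals agree. The suppression comes entirely from requiring more than one piece of evidence per entity, which is the property the answer above attributes to XDR-style analysis.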

SIW: Why are security managers more impacted by fear of missing alerts than analysts?

Triolo: The InfoBrief found that three out of four analysts are worried about missing incidents, and rightfully so. However, as security managers have a greater sense of responsibility for their SOCs, their role requires them to take the blame if they miss an incident. Security managers face the potential of costing their company millions of dollars, or worse, ruining an organization’s reputation and being hit with government fines if an incident is missed. Both managers and analysts are in the same fight, but at the end of the day, the managers are responsible for the quality of work in their SOCs. Unfortunately, it’s impossible to do this well when security teams have to sift through hundreds or thousands of alerts a day – sometimes an hour – with most alerts being false positives.

These false positives fill up the queue, and incidentally, about 35 percent of respondents said they ignore alerts when the queue gets too full, increasing the likelihood of a breach. This lack of visibility is also driving FOMI. With six percent of security managers reportedly losing sleep due to FOMI, this is a real threat that plagues security managers, leading to burnout, stress and depression.

SIW: How can we alleviate this stress for SOC analysts in the enterprise? Do these solutions differ for MSSP analysts?

Triolo: One way to alleviate stress is to recruit more talent, but this is expensive and doesn’t scale. Alert overload is an exponential problem, and companies cannot scale their security teams exponentially. The only way alert overload can be managed is through automation.

By automating detection and response, which includes reviewing events and false-positive alerts, security managers can reallocate resources to spend more time on prevention. This will help reduce risk, achieve systemic immunity from attacks, and prevent employee burnout.

Another way to prevent burnout and improve well-being for the SOC analyst is to try shift rotations. If an analyst is staring at a console for eight hours a day, they can get “console blindness” and become less effective. Additionally, analysts should spend time rotating between roles such as security engineering and their usual SOC role every few months.

MSSP analysts are in a different position since they lack visibility into their customers’ environments. This is the primary challenge for MSSPs in managing false positives. Since MSSP analysts don’t have the time and mechanisms in place to understand each customer’s environment, all alerts need to be reviewed for a potential malicious threat.

SIW: For organizations using automated solutions, what challenges of automation should security managers consider?

Triolo: It is always important to have humans involved with any automated solution. These solutions most likely require configuration and tuning since each organization is different. Additionally, many security teams are managing dozens of security products – the average large enterprise has 70 security products. Therefore, there is a technique involved to make sure automation is working effectively for an organization, including selecting the right solutions for your organization and staff.

With anything you automate, you also run the risk of creating a self-imposed denial of service. This is why it is important to always have skilled staff be part of the decision-making process before conducting a response to determine if action is necessary.

Unfortunately, false-positive alerts continue to be a problem in the SOC. By continuing to implement automation to better resource time spent on prevention, the industry can alleviate FOMI and promote well-being.
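The two cautions in the answer above, that automation can cause a self-imposed denial of service and that skilled staff should remain in the decision loop, can be encoded as guardrails in front of any automated response action. The following is an added illustration, not code from the interview or from any vendor's playbook engine; the policy limits, the "crown jewel" host names, and the sample alerts are all constructed for the example.

```python
"""Added example: guardrails on an automated containment action.

A noisy rule that auto-isolates every host it fires on can take an
organization offline by itself. This gate caps the number of automatic
isolations per hour, refuses to act automatically on critical assets,
and routes anything it will not act on to a human review queue.
All names and thresholds are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class ResponsePolicy:
    # Blast-radius cap: beyond this, further isolations need a human.
    max_auto_isolations_per_hour: int = 5
    # Below this confidence, never act without a person reviewing.
    min_confidence_for_auto: int = 80
    # Hypothetical critical assets that are always a human decision.
    never_auto_isolate: frozenset = frozenset({"dc-01", "erp-db-01"})


@dataclass
class ResponseGate:
    policy: ResponsePolicy
    isolated_this_hour: int = 0
    pending_review: list = field(default_factory=list)  # (host, reason)
    actions: list = field(default_factory=list)          # hosts auto-isolated

    def handle(self, alert):
        """Decide whether one alert may trigger automatic isolation.

        Returns "isolated" or "review:<reason>". Checks run in order of
        severity of a wrong decision: critical asset, confidence, cap.
        """
        host, confidence = alert["host"], alert["confidence"]
        if host in self.policy.never_auto_isolate:
            return self._defer(host, "critical asset")
        if confidence < self.policy.min_confidence_for_auto:
            return self._defer(host, "low confidence")
        if self.isolated_this_hour >= self.policy.max_auto_isolations_per_hour:
            return self._defer(host, "blast-radius cap reached")
        self.isolated_this_hour += 1
        self.actions.append(host)
        return "isolated"

    def _defer(self, host, reason):
        self.pending_review.append((host, reason))
        return f"review:{reason}"


# Constructed burst: a rule fires at high confidence on seven workstations,
# then on a domain controller, then at low confidence on one more host.
SAMPLE_ALERTS = (
    [{"host": f"ws-{i:02d}", "confidence": 90} for i in range(1, 8)]
    + [{"host": "dc-01", "confidence": 95}]
    + [{"host": "ws-20", "confidence": 40}]
)


def run_sample(alerts=SAMPLE_ALERTS, policy=None):
    """Feed the burst through a fresh gate; return (auto-isolated, pending)."""
    gate = ResponseGate(policy or ResponsePolicy())
    for alert in alerts:
        gate.handle(alert)
    return gate.actions, gate.pending_review


if __name__ == "__main__":
    isolated, pending = run_sample()
    print("auto-isolated :", isolated)
    print("human review  :", pending)
```

With the constructed burst, the gate isolates only the first five workstations and hands the rest, including the domain controller, to a person. The cap and the critical-asset list are what convert a runaway rule from an outage into a review backlog; the confidence floor keeps the low-signal case in human hands, which is the "humans involved" point of the answer above.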

You can read the full InfoBrief on FireEye's website.