This year has proven that no organization is safe from increasingly sophisticated cyberattacks. In just the past few months, we’ve seen the systems of more than 600 global organizations compromised by hackers in the MOVEit attack, and a breach of the Electoral Commission allowing attackers access to over 40 million UK voter records.
As a result, Security Operations Centre (SOC) teams are being relied on even more heavily to safeguard businesses against a relentless tide of cyber threats. But with more identities, more vulnerabilities, and more blind spots creating an ever-expanding attack surface, stopping advanced attacks at speed and scale is becoming unsustainable – and it’s pushing analysts to the brink.
“Spiral of More”
SOC analysts have found themselves on the front lines of an ongoing battle against a perfect storm of cyberthreats. This includes a continuously expanding attack surface, highly evasive and emerging attacker methods, and mounting workloads. Combined, these factors are creating a vicious “spiral of more” that jeopardises their ability to respond quickly to alerts and manage breaches.
Vectra AI research shows almost two-thirds of security analysts say the size of the attack surface has increased in the past three years. This expansion was driven by pandemic-triggered digital and cloud investments. But while this boosted productivity and customer experience, the move to cloud also offered attackers new avenues to target businesses. There is continual demand for in-house analysts to uplevel their cloud knowledge to keep up with their company’s rapid digital advancements. Yet, 61% of analysts admit their skillset and knowledge are inadequate to safeguard their organization’s expanding cloud presence.
What’s more, current tools fall short in adequately prioritizing security events. Currently, the average SOC receives a staggering 4,484 alerts per day. Analysts spend nearly three hours per day manually triaging alerts – putting further strain on teams already operating at full capacity. And to make matters worse, 83% of these turn out to be false positives, which wastes time and costs businesses huge sums of money. Worryingly, this barrage of alerts not only hinders analyst efficiency, but also acts as a smokescreen for attackers to blend in, camouflaged in seemingly ‘normal’ activity. And this is set to continue, with 66% of security professionals admitting that their alert numbers are increasing and 67% already unable to deal with the alerts they receive.
Tools Fall Short
Analysts’ tools are failing, leaving them unable to reduce their workload or to confidently spot the signs of an attack in progress and protect the organization. In fact, 71% of SOC analysts admit that their organization may have already been compromised and they don’t know it yet.
Yet amongst analysts there is a serious disconnect concerning the suitability of their tools, suggesting organizations’ definition of effective threat detection and response is outdated. Despite a larger attack surface, more alerts, and more false positives, an overwhelming 90% of SOC analysts are confident in the effectiveness of their security technology for managing threats. This disparity underscores the low expectations placed on threat detection and response tools, which is exacerbating the occurrence of blind spots and intensifying alert overload.
The cyber battlefield is a maze of blind spots and high-volume false positives, leaving enterprises and their SOC teams on the back foot against highly evasive attackers. Security teams need visibility across the entire IT infrastructure – spanning everything from OT to cloud environments. Without this, analysts simply won’t be able to spot even the most common signs of an attack in progress – such as lateral movement, privilege escalation or cloud account hijacking.
Alert Overload
Over-burdened by alerts, most cybersecurity professionals are grappling with mounting stress, burnout, and frustration at work. An astounding 97% of SOC analysts worry about overlooking a relevant security event because it’s buried under a flood of alerts, with almost half worrying about this daily.
While the cybersecurity industry still struggles with a skills gap of around 3.4 million, more than two-thirds of analysts admit they’re considering leaving or are actively leaving their jobs. Many of the reasons analysts give for considering leaving their jobs can be linked to alert overload driven by poor tooling and manual processes – including spending too much time sifting through poor quality alerts. The fewer analysts available, the more stretched teams will be, causing higher stress levels and workloads for those who remain and likely prompting even more individuals to switch roles or careers.
Businesses need to take note: AI and automation are critical, but organizations will always need a solid team of humans – expert security analysts – who can reason, think creatively and critically, interpret data and stop attacks.
Fixing Threat Detection
While attackers become increasingly innovative in deploying more technical and sophisticated attacks, defenders are still grappling with alert noise and a surplus of disparate, siloed tools. Often, this means spending hours on triage and risking genuine threats going unnoticed.
Businesses can’t control their growing attack surface, but they can control the “spiral of more” impacting their security teams. To combat these signal and burnout challenges, teams must be able to accurately detect and prioritise real attacks. It’s time for organizations to demand signal clarity from their security vendors, which puts them in the strongest possible position to defend themselves against modern threats. The more effective the threat signal, the more cyber resilient and effective the SOC becomes.
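To make the “signal clarity” argument concrete, here is an added example (not code from the original article or from Vectra AI) of one way a SOC can turn a flood of individual alerts into a short, ranked queue: alerts are grouped per host or identity inside a time window, and a group is scored higher when it shows a chain of the attack stages named above (lateral movement, privilege escalation, cloud account hijacking) rather than repeats of a single noisy detector. The alert schema, stage weights, correlation window, threshold and sample alert records are all my own assumptions, constructed for illustration.

```python
"""Alert prioritisation by attack-progression correlation.

Added example, not code from the original article or from Vectra AI. The
alert schema (entity, stage, confidence, timestamp), the stage weights and
the threshold are assumptions of this example; the alert records at the
bottom are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Attack stages in roughly the order an intrusion progresses through them.
# Later stages carry more weight (assumed values, not from the article).
STAGE_WEIGHT = {
    "recon": 1,
    "credential_access": 2,
    "lateral_movement": 3,
    "privilege_escalation": 4,
    "cloud_account_hijack": 4,
}

# Alerts on one entity must fall within this window to be correlated.
CORRELATION_WINDOW = timedelta(hours=2)


@dataclass(frozen=True)
class Alert:
    entity: str        # host or identity the alert is about
    stage: str         # attack stage the detection maps to
    confidence: float  # detector's own confidence, 0..1
    ts: datetime


@dataclass
class Incident:
    entity: str
    alerts: list
    score: float
    stages: tuple


def _score(entity, cluster):
    """Score = sum(weight * confidence) over the cluster, multiplied by the
    number of distinct stages seen, so a chain of stages on one entity
    outranks many repeats of a single low-confidence detector."""
    stages = tuple(sorted({a.stage for a in cluster}, key=STAGE_WEIGHT.get))
    base = sum(STAGE_WEIGHT.get(a.stage, 1) * a.confidence for a in cluster)
    return Incident(entity, cluster, base * len(stages), stages)


def correlate(alerts):
    """Group alerts per entity into time-bounded clusters, score each cluster,
    and return the incidents ranked highest score first."""
    by_entity = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_entity[a.entity].append(a)

    incidents = []
    for entity, items in by_entity.items():
        cluster = []
        for a in items:
            # Start a fresh cluster once the window since the first alert expires.
            if cluster and a.ts - cluster[0].ts > CORRELATION_WINDOW:
                incidents.append(_score(entity, cluster))
                cluster = []
            cluster.append(a)
        if cluster:
            incidents.append(_score(entity, cluster))
    return sorted(incidents, key=lambda i: i.score, reverse=True)


def triage(alerts, threshold=3.0):
    """Split correlated incidents into an escalation queue and a suppressed
    list. Suppressed incidents are kept for hunting but not pushed to an analyst."""
    ranked = correlate(alerts)
    escalate = [i for i in ranked if i.score >= threshold]
    suppress = [i for i in ranked if i.score < threshold]
    return escalate, suppress


# Constructed sample data: one host with a real progression (lateral movement
# then privilege escalation), one identity with a single high-confidence cloud
# alert, and one host emitting repeated low-confidence recon noise.
T0 = datetime(2023, 9, 1, 9, 0)
SAMPLE_ALERTS = [
    Alert("host-a", "lateral_movement", 0.6, T0),
    Alert("host-a", "privilege_escalation", 0.8, T0 + timedelta(minutes=20)),
    Alert("svc-account-1", "cloud_account_hijack", 0.9, T0 + timedelta(minutes=5)),
    Alert("host-b", "recon", 0.2, T0),
    Alert("host-b", "recon", 0.2, T0 + timedelta(minutes=10)),
    Alert("host-b", "recon", 0.2, T0 + timedelta(minutes=30)),
    # Same detector firing on host-b well outside the window: a new cluster.
    Alert("host-b", "recon", 0.2, T0 + timedelta(hours=5)),
]

if __name__ == "__main__":
    escalate, suppress = triage(SAMPLE_ALERTS)
    for inc in escalate:
        print(f"ESCALATE {inc.entity:14} score={inc.score:5.1f} stages={inc.stages}")
    for inc in suppress:
        print(f"suppress {inc.entity:14} score={inc.score:5.1f} stages={inc.stages}")
```

With the sample data, the two-stage chain on host-a scores 10.0 and tops the queue, the single cloud account hijack alert scores 3.6 and is still escalated, and the four recon alerts on host-b collapse into two low-scoring clusters that stay out of the analyst queue. The point is not the exact weights, which any real deployment would tune, but that ranking by correlated attack progression per entity is what separates a handful of genuine incidents from thousands of isolated alerts.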