Illusive Blog September 13, 2019

Security Operations Center Analysts Busy With False Alerts

By Kirby Wadsworth

Illusive’s great partner, CriticalStart, has just produced a troubling report showing SOC Analysts are increasingly facing burnout due to an overload of alerts. The number of alerts per analyst is growing. The time required to investigate alerts is growing. The frustration of chasing false alerts is demoralizing and demotivating.

Employee burnout is a serious issue on both a human and a business front. A recent Gallup study found that about two-thirds of full-time workers experience job-related burnout. The organizational cost is high, as burned-out workers are less productive, less healthy, and less satisfied with their jobs.

According to the Harvard Business Review, the psychological and physical problems of burned-out employees cost an estimated $125 billion to $190 billion in healthcare spending, and drive lower productivity, higher turnover, and loss of talent.

Given the already severe shortage of security experts, burnout caused by alert overload hitting the SOC is rapidly becoming an industry crisis. Nearly half of the respondents reported an unsustainable SOC analyst turnover rate of up to 25%.

And, here’s the punch line. According to CriticalStart’s survey, 50% or more of the rising alert volume is false positives. That’s right, we are burning out our scarcest security resources chasing shadows—a complete waste of time.

So what are we doing to address the crisis?

Over half the respondents said their primary approach was to tune specific alerting features — essentially turning up the squelch dial — 39% say they ignore certain alerts, some shut off noisy tools, and others try to hire more analysts to keep up.

This recalls Henry Ford’s famous if erroneous quote, “If I had asked people what they wanted, they would have said faster horses.”

Silencing alerts, hiring more analysts, or pushing ourselves to analyze more alerts per day is the equivalent of whipping horses to make them run faster. We need a new approach to threat detection. One that creates only high-fidelity alerts—and damn few of them.

Deception technology does exactly this. Alerts generated by a properly configured, high-quality deception platform, like Illusive Networks, are solely the result of malevolent actors doing something they have no right to do – unauthorized access to information, use of stolen credentials, attempted lateral movement, and more. These alerts are not the result of an estimate, a likelihood, a possibility, or a normal action being misinterpreted. Setting off a deception alert requires specific intent and specific action.
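To make the contrast concrete, here is an added example (not Illusive’s code) that runs a conventional threshold rule and a decoy-credential rule over the same constructed authentication events. The host names, account names and the `DECOY_USERS` registry are hypothetical; the point is that the threshold rule fires on a likelihood (a user mistyping a password) while the decoy rule fires only when a planted credential that no legitimate process uses actually appears in an event.

```python
# Added example: threshold-based alerting versus decoy-credential alerting
# over one constructed set of authentication events.
from collections import Counter

# Constructed sample of authentication events (not real log data).
EVENTS = [
    {"user": "alice", "src": "ws-12", "dst": "fileserver", "ok": False},
    {"user": "alice", "src": "ws-12", "dst": "fileserver", "ok": False},
    {"user": "alice", "src": "ws-12", "dst": "fileserver", "ok": False},
    {"user": "alice", "src": "ws-12", "dst": "fileserver", "ok": True},  # typos, then success
    {"user": "svc-backup", "src": "ws-07", "dst": "dc01", "ok": True},
    {"user": "svc-backup", "src": "ws-07", "dst": "dc01", "ok": True},
    {"user": "svc-backup", "src": "ws-07", "dst": "finance-share", "ok": True},
    {"user": "bob", "src": "ws-03", "dst": "mail", "ok": True},
]

# Hypothetical decoy accounts planted on endpoints. No legitimate user or
# process ever authenticates with them, so any event naming one is a
# deliberate action by whoever harvested the credential.
DECOY_USERS = {"svc-backup", "adm-legacy"}


def threshold_alerts(events, max_failures=3):
    """Heuristic rule: alert when a (user, src) pair reaches max_failures
    failed logins. Fires on alice's mistyped password: a guess, not a fact."""
    fails = Counter((e["user"], e["src"]) for e in events if not e["ok"])
    return [{"rule": "failed-logins", "user": u, "src": s, "count": n}
            for (u, s), n in fails.items() if n >= max_failures]


def deception_alerts(events, decoys=DECOY_USERS):
    """Deception rule: alert on any use of a decoy credential, successful or
    not, and keep the context an analyst needs (who, from where, to where).
    Repeated identical events are collapsed into one alert."""
    alerts, seen = [], set()
    for e in events:
        if e["user"] in decoys:
            key = (e["user"], e["src"], e["dst"])
            if key not in seen:
                seen.add(key)
                alerts.append({"rule": "decoy-credential-used", **e})
    return alerts


if __name__ == "__main__":
    print("threshold rule:", threshold_alerts(EVENTS))
    print("deception rule:", deception_alerts(EVENTS))
```

On this sample the threshold rule produces one alert that an analyst must investigate and then close as benign, while the deception rule produces two alerts that together trace the decoy account moving from ws-07 to dc01 and on to finance-share.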

For SOC analysts, an alert from a tripped deception means GAME ON!

We also need to provide our SOC analysts with tools to quickly locate and mitigate real attacks, preferably in real time before serious damage is done. That means giving them detailed, actionable information so they can spend their time on analysis rather than on searching for information.

Ensuring only efficient, accurate, early, and noiseless threat detection, and richly detailed live forensic data is the vision that created Illusive Networks, and it remains our North Star.

Want to learn more? View our on-demand webcast, Save the SOC – How to Increase Investigation Speed, Efficiency and Accuracy.