The security operations center (SOC) is drowning in cybersecurity alerts.
According to an analyst report by Enterprise Management Associates (EMA), “79% of security teams” feel “overwhelmed by the volume of threat alerts.”
The EMA findings are not isolated; several other reports corroborate them. Just as enterprises feel they have too many tools that don’t talk to each other, those same tools fire off more alerts than the team has the resources to triage.
The problem is real, but it raises an obvious question: what does this alert deluge look like in raw numbers?
To find an answer, we canvassed several sources that quantified the number of threat alerts security teams receive daily. The answer is best described as a range.
Here’s what we found:
- Most enterprises see more than 10,000 alerts per day. SC Media reported data stemming from a survey at the 2018 RSA Conference that found, “more than half (55 percent) see in excess of 10,000 such alerts.” However, for some organizations, the problem can be much more significant. According to the survey, “27 percent of enterprise security teams see more than 1 million alerts per day.”
- The volume of alerts is growing. Trade publication Infosecurity Magazine reported, “alerts are on the rise, leaving today’s security teams bombarded with 174,000 per week.” By our math that works out to just shy of 25,000 per day.
- 60% of banks see 100,000 or more alerts per day. A 2017 survey of banks by the market research firm Ovum found that 60% of banks face 100,000 or more daily alerts, while another 37% are hit with 200,000 alerts per day. About half of all respondents (47%) say just one in five alerts is related to a unique security event.
- The industry has a long history of alert overload. In 2014, Dark Reading reported on a study that found, “The average enterprise receives more than 10,000 events a day that may or may not be malware-related, and for some of the biggest enterprises, that number jumps to more than 150,000 per day.”
- Smaller does not mean immune. Citing 2018 data from an IT consulting firm, the trade publication Security Now reported that “small to mid-sized businesses are hit with nearly 4,000 cyber-attacks per day.”
Why the Deluge is So Problematic
Some of these alerts represent a genuine threat, and many do not; telling the two apart is a big part of the overall problem. Many alerts are false positives, or trivial true positives: alerts that are technically accurate but operationally irrelevant, such as an exploit attempt against a host that does not run the targeted software.
The EMA study cited above, A Day in the Life of a Cyber Security Pro, places this in a business context and points out that the real cost to the business is a loss of security efficacy.
According to the report, “on average, analysts were spending 24 and 30 minutes to investigate each incident they received.” Much of this time is spent downgrading alerts incorrectly marked as critical (46%), mis-prioritized (52%) or determined to be a false positive (31%).
In other words, EMA writes, “analysts waste over half of their day looking for problems that are either insignificant or not really problems at all.”
* * *
We believe the answer lies in giving the security analyst the ability to see an alert in context and quickly establish ground truth. Matching alerts with network metadata, and tying that context into the analyst’s workflow, will not only help SOCs triage alerts faster but also let them pivot quickly to investigate and defeat real threats.
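What “an alert in context” looks like in practice, as an added example that is not code from this page or from the vendor’s product: a small triage pass that joins each sensor alert to network flow metadata and an asset inventory, then labels it as a false positive, a trivial true positive, actionable, or needing review. It also illustrates the false positive / trivial true positive distinction drawn in the previous section. All hosts, signatures, flows and tuning entries below are constructed sample data, and the rule order is one reasonable choice, not a standard.

```python
"""Alert triage by context: join IDS alerts to flow metadata and inventory.

Added example with constructed data (hypothetical hosts, signatures, flows);
not the product code of any vendor.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    alert_id: str
    signature: str
    src_ip: str
    dst_ip: str
    dst_port: int
    severity: str          # severity as assigned by the sensor
    target_platform: str   # platform the signature's exploit applies to ("any" if generic)


@dataclass(frozen=True)
class Asset:
    role: str
    os: str
    listening_ports: frozenset


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    completed_handshake: bool   # did the TCP handshake complete?
    bytes_to_client: int        # did the server actually answer?


# Constructed asset inventory (hypothetical hosts).
ASSETS: Dict[str, Asset] = {
    "10.0.1.10": Asset("web", "linux", frozenset({80, 443})),
    "10.0.1.20": Asset("file-server", "windows", frozenset({445, 3389})),
    "10.0.2.33": Asset("workstation", "windows", frozenset()),
    "10.0.9.5": Asset("scanner", "linux", frozenset()),   # authorized vuln scanner
}

# Constructed flow metadata, keyed by the (src, dst, dst_port) tuple an alert carries.
FLOWS: Dict[Tuple[str, str, int], Flow] = {
    (f.src_ip, f.dst_ip, f.dst_port): f for f in [
        Flow("203.0.113.7", "10.0.1.10", 80, True, 512),
        Flow("10.0.9.5", "10.0.1.20", 445, True, 180),
        Flow("198.51.100.4", "10.0.2.33", 445, False, 0),
        Flow("198.51.100.4", "10.0.1.20", 445, True, 2200),
        Flow("10.0.1.20", "10.0.1.10", 443, True, 40960),
    ]
}

# Tuning decisions the SOC has already recorded (constructed): this byte-pattern
# signature is known to fire on the nightly backup between these two hosts.
TUNED_FALSE_POSITIVES = {
    ("EXPLOIT shellcode pattern in payload", "10.0.1.20", "10.0.1.10"),
}


def triage(alert: Alert) -> Tuple[str, str, str]:
    """Return (disposition, priority, reason) for one alert using network context."""
    if (alert.signature, alert.src_ip, alert.dst_ip) in TUNED_FALSE_POSITIVES:
        return "false_positive", "low", "previously tuned: known benign traffic"
    src = ASSETS.get(alert.src_ip)
    if src is not None and src.role == "scanner":
        return "trivial_true_positive", "low", "source is the authorized vulnerability scanner"
    flow = FLOWS.get((alert.src_ip, alert.dst_ip, alert.dst_port))
    if flow is None:
        # No corroborating metadata: do not downgrade on guesswork.
        return "needs_review", alert.severity, "no flow metadata to corroborate the alert"
    dst = ASSETS.get(alert.dst_ip)
    if dst is None:
        return "needs_review", alert.severity, "destination not in asset inventory"
    if not flow.completed_handshake or alert.dst_port not in dst.listening_ports:
        return "trivial_true_positive", "low", "no service answered on the target port"
    if alert.target_platform not in ("any", dst.os):
        return "trivial_true_positive", "low", (
            f"signature targets {alert.target_platform}, host runs {dst.os}")
    return "actionable", alert.severity, (
        f"reachable {dst.role} on {dst.os} answered with {flow.bytes_to_client} bytes")


def triage_all(alerts: List[Alert]) -> Dict[str, Tuple[str, str, str]]:
    return {a.alert_id: triage(a) for a in alerts}


def summarize(results: Dict[str, Tuple[str, str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for disposition, _, _ in results.values():
        counts[disposition] = counts.get(disposition, 0) + 1
    return counts


# Constructed alert batch, as a sensor might emit it.
SAMPLE_ALERTS = [
    Alert("A1", "EXPLOIT IIS request smuggling attempt", "203.0.113.7", "10.0.1.10", 80, "critical", "windows"),
    Alert("A2", "SCAN SMB version probe", "10.0.9.5", "10.0.1.20", 445, "high", "any"),
    Alert("A3", "EXPLOIT SMB remote code execution attempt", "198.51.100.4", "10.0.2.33", 445, "critical", "windows"),
    Alert("A4", "EXPLOIT SMB remote code execution attempt", "198.51.100.4", "10.0.1.20", 445, "critical", "windows"),
    Alert("A5", "MALWARE beacon user-agent", "10.0.2.33", "192.0.2.50", 443, "high", "any"),
    Alert("A6", "EXPLOIT shellcode pattern in payload", "10.0.1.20", "10.0.1.10", 443, "high", "any"),
]

if __name__ == "__main__":
    results = triage_all(SAMPLE_ALERTS)
    for aid, (disposition, priority, reason) in results.items():
        print(f"{aid}: {disposition:<22} priority={priority:<9} {reason}")
    print(summarize(results))
```

Of the six constructed alerts, only A4 (a reachable Windows file server that answered the SMB exploit attempt) keeps its critical priority; three are trivial true positives, one is a tuned-out false positive, and A5 stays at sensor severity because no metadata corroborates or refutes it. That last rule matters: missing context should route an alert to a human, not silently downgrade it.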
If you’d like to see our product and the capabilities it offers for triaging alerts, contact us for a live demonstration.