Most SOCs can only handle seven to eight incident investigations per day, and have little time for threat hunting, according to a Fidelis Cybersecurity report.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- 60% of Security Operations Center analysts can only handle seven to eight incident investigations per day. — Fidelis Cybersecurity, 2018
- Only 17% of organizations have a dedicated threat hunting team. — Fidelis Cybersecurity, 2018
Excessive alerts, outdated metrics, and limited integration are leading to overworked security operations centers (SOCs) in many organizations, according to a recent report from Fidelis Cybersecurity.
Fidelis worked with 360Velocity and the Jane Bond Project to survey 50 security practitioners from enterprise companies in a number of different industries, including Software as a Service (SaaS), retail, finance, healthcare, and high tech, to determine threat detection trends and practices.
SOCs are overwhelmed by the sheer volume of alerts and investigations that require their attention, the report found. While these alerts continue to grow, the majority of SOC analysts (60%) said they can only handle seven to eight investigations per day. Only 10% said they could realistically handle eight to 10 investigations per day, according to the report.
Alert fatigue syndrome—or the phenomenon of cybersecurity analysts not responding to security alerts because they are flooded with so many—is one of the major bad habits that cybersecurity professionals must break to best protect their organizations. These professionals need to make sure that their systems are programmed to ensure that the most important security alerts get a quick response.
"The study findings are only further proof that, with a rising threat landscape and continued constraints on both the availability and bandwidth of well-trained SOC analysts, SOCs are increasingly burdened," Tim Roddy, vice president of cybersecurity product strategy at Fidelis, said in a press release.
A lack of integration of security controls also hampers the speed of investigation and remediation, the report stated: 70% of respondents said that at least half of their security controls were not integrated. Companies that had a high alert triage rate were more likely to have integrated controls, the report found.
Every organization surveyed said they use metrics to measure SOC and incident response effectiveness. However, 80% said that they feel the metrics they are using today are "not effective" or "had room for improvement."
Threat hunting remains an activity that only the largest and most sophisticated organizations have time for, the report found: Only 17% of organizations surveyed had a dedicated threat hunting team.
"Our study uncovered a number of notable findings," Chenxi Wang, founder of the Jane Bond Project, said in the release. "For organizations that want to operate efficient, highly effective security operations, we recommend following best practices such as automating tier 1 and tier 2 analysts' tasks, identifying further opportunities to eliminate manual tasks, and standardizing processes and procedures for threat detection and response."