Advanced Threat Analytics (ATA) published new research that reveals managed security services providers (MSSPs) are wasting enormous resources processing useless security alerts, a problem that impacts staffing, operational business models and security effectiveness. Additionally, the survey found that incident responders often cope with this problem by either reducing the sensitivity of security equipment or ignoring alerts altogether.
ATA polled nearly 50 MSSPs to evaluate the state of incident response within their security operations centers (SOCs). Key findings from the survey include:
- 44% of respondents report a 50% or higher false-positive rate (22% experience a 50-75% false-positive rate while the other half states a rate between 75 and 99%).
- Nearly 45% of respondents investigate 10 or more alerts each day (22% investigate between 10 and 20 alerts each day, 11% investigate 20-40 daily, and 11% investigate 50 or more).
- 64% state that, on average, it takes 10 minutes or more to investigate each alert (33% say it takes between 10 and 20 minutes to investigate each alert, 20% say it takes between 20 and 30 minutes, and 11% state it takes 30 minutes or more).
"This research shows that MSSPs are still on the receiving end of an oppressive number of daily security alerts, forcing many analysts and incident responders to spend hours – in some cases, more than five – each day investigating them, many of which turn out to be false positives," said Alin Srivastava, president, ATA. "Devoting so much time to benign alerts severely compromises security effectiveness, as analysts are distracted from acting on actual threats and incidents."
Alert Overload Dictates Business Models
Staff inefficiency isn't the only outcome associated with alert overload. It is also forcing SOCs to compromise in other critical areas. When asked what they do if their SOC has too many alerts for analysts to process, respondents say they: tune specific alerting features or thresholds to reduce alert volume (67%); ignore certain categories of alerts (38%); turn off high-volume alerting features (27%); and hire more analysts (24%).
"Many MSSPs are expanding their teams in an effort to keep up with alert volume, which isn't a sustainable model, while others change operational processes, like turning off security features or ignoring certain alerts, which greatly increases the risk that legitimate security events will go undetected," continued Srivastava. "The most effective way for MSSPs to break free from alert tyranny is to invest in technology that decreases the number of incidents generated, rather than in traditional SIEM and incident orchestration solutions, which only reduce the time it takes to investigate each one."
Do Your Job
When survey respondents were asked what they feel is the main responsibility of their job, 70% say analyzing and remediating security threats; 20% say limiting the number of alerts sent to clients for review; 5% say investigating as many alerts as possible; and the remaining 5% say reducing the time it takes to investigate a security alert.
Srivastava commented: "When analysts are no longer bogged down in an unmanageable number of alerts, they can focus on what they were hired to do – mitigate risk by identifying true threats and responding quickly. And when security teams are operating at peak efficiency, MSSPs can keep personnel and SOC costs down. The net result is that MSSPs can reduce the alert-overload problem and take a more efficient, effective and strategic approach to security operations – and that's a huge win for employees, the business and their clients."