90% of SOC analysts believe current threat detection tools are effective, although 97% fear missing a relevant security event
Vectra AI, a pioneer in AI-driven cyber threat detection and remediation for hybrid and multicloud enterprises, today announced the results of its 2023 State of Threat Detection Research Report, which provides insights into the so-called “spiral of more” – more attacks, more alerts, more work – that prevents Security Operation Center (SOC) teams from effectively protecting their organizations from cyber attacks.
Today, security operations teams (SecOps) are tasked with protecting organizations from increasingly sophisticated and fast cyber attacks. However, the complexity of the mix of people, processes and technology at their disposal is making it increasingly difficult to mount an effective cyber defense. The ever-expanding attack surface, combined with evolving attack methods and increasing workload for SOC analysts, results in a vicious spiral of “more” that prevents security teams from effectively protecting their organization. Based on a survey of 2,000 SecOps analysts, the report explains why the current approach to security operations is no longer sustainable.
The “spiral of more” threatens the ability of security teams to defend the organization
Manually triaging security alerts costs organizations $3.3 billion per year in the United States alone. Security analysts have the daunting task of detecting, investigating and responding to threats as quickly and efficiently as possible, while being challenged by an expanding attack surface and thousands of daily security alerts. The study found that:
- according to 63% of analysts, the size of the attack surface has increased in the last three years;
- on average, SOC teams receive 4,484 alerts per day and spend nearly three hours of their day manually managing alerts;
- security analysts are unable to handle 67% of alerts received each day, with 83% believing the alerts are false positives and not worth their time.
SOC analysts don't have the tools to do their jobs effectively
While the majority of SOC analysts say their tools are effective, the combination of blind spots and the high volume of false positive alerts prevents companies and their SOC teams from successfully containing cyber risk. Without visibility into their entire IT infrastructure, organizations are unable to identify even the most common signs of an attack, such as lateral movement, privilege escalation and cloud account hijacking. The study also found that:
- 97% of SOC analysts fear missing a relevant security event because it is "buried" by a flood of alerts, yet the vast majority believe that their tools are effective overall;
- 41% believe that alert overload is the norm, because vendors are afraid of not reporting an event that could prove important;
- 38% say security tools are purchased to meet compliance requirements, and 47% would like IT team members to consult them before investing in new products.
Analyst burnout poses a significant risk to the security industry
Despite the growing adoption of AI and automation tools, the security industry still needs a significant number of workers to interpret data, initiate investigations and take corrective action based on the information received. Faced with the overload of alerts and the execution of repetitive tasks, two-thirds of security analysts are considering or have already decided to leave their jobs, a figure that will have a potentially devastating impact on the sector in the long term. The study further found that:
- despite 74% of those interviewed declaring that their job corresponds to their expectations, 67% are thinking of leaving or are already leaving their job;
- 34% of analysts who are thinking of leaving their role or are already leaving it say they do not have the necessary tools to guarantee the security of their organization;
- 55% of analysts say they are so busy that they feel like they are doing the work of multiple people, and 52% believe that working in the security industry is not a viable long-term career option.
“As businesses move to hybrid and multi-cloud environments, security teams are continually faced with more: more attack surface area, more attack methods that evade defenses, more alert noise, more complexity, and more hybrid attacks,” explains Kevin Kennedy, Senior Vice President of Products at Vectra AI. “The current approach to threat detection is no longer valid, and our report findings demonstrate that the glut of disparate, isolated tools has created too much background noise in detection for SOC analysts to successfully manage, and instead has created an ideal environment for attackers to enter. As an industry, we cannot continue to fuel this spiral: it's time to hold security vendors accountable for the effectiveness of their signal. The more effective the threat signal, the more resilient and effective the SOC becomes.”
Click here to download the full report.