Take Control of Noisy Cybersecurity Alerts in the SOC
Breakthrough innovation arises primarily in response to two conditions. One, when new technology emerges that creates new demand by fulfilling needs customers didn’t know they had. Think smartphones. A generation ago, people didn’t know they needed to be tethered to a phone the size of their palm that was also a camera, a bank, an encyclopedia and a shopping mall. Two, when new challenges arise that require innovation to address them. Think electric cars and other forms of renewable energy to combat climate change.
Until the advent of artificial intelligence (AI) and machine learning (ML), innovation in cybersecurity was incremental. Bad actors are now using AI and ML to mount ever more sophisticated attacks that exploit a growing attack surface – and are creating a lot of noise and false alarms in the security operations center (SOC). Organizations, in turn, must adopt automated, data-driven cyber defenses that detect and mitigate threats before they can cause damage.
At this year’s RSA conference, the FBI warned of the AI threat and its reality today.
“Attackers are leveraging AI to craft highly convincing voice or video messages and emails to enable fraud schemes against individuals and businesses alike,” said FBI Special Agent in Charge Robert Tripp. “These sophisticated tactics can result in devastating financial losses, reputational damage, and compromise of sensitive data.”
Over the last few years, nearly two thirds (63%) of SOC analysts report the size of their attack surface has increased, finds Security Magazine. What’s more, Forescout’s 2023 Threat Roundup research discovered the enterprise is experiencing 13 attacks every second. Not all of them will be high or critical severity, but all of them need to be managed responsibly.
Managing the efficiency of threat detection and cyber incident response is crucial. Being able to quickly and accurately detect and respond helps everyone reduce risk and the cost of securing the enterprise. People are the ones having to manage all of the alarm bells going off. If you want to avoid SOC analyst burnout and the employee turnover that results from it, you need the right tools for the job.
Here’s a look at one of the most pervasive and inefficient SOC challenges and how to help your SOC analysts overcome being overwhelmed.
More cybersecurity alerts mean more false positives
Cyber threat detection and response is now more critical than ever. The financial consequences of a breach are growing, and the longer you take to discover or detect a breach, the more costly it will be. The average cost of a breach in 2024 is $4.88 million – 10% higher than in 2023, according to IBM. Costs are higher in specific industries too. Healthcare is the costliest. Financial services is $6.08 million – 22% higher than the global average. For good reason, cybersecurity is now a C-suite and board-level concern.
Security operations centers (SOCs) are on the front lines. And they’re being flooded with more alerts to sift through than ever:
- Expanding attack surface. The attack surface has grown significantly over the past few years. We’re not just talking about traditional IT or campus environments anymore. There are OT, IoT and IoMT devices – all with vulnerabilities that can be exploited. There are all the people logging in and working from anywhere. There’s the cloud. There are countless SaaS applications that we now rely upon. And there’s the increasingly connected global supply chain.
- Data, data everywhere. The modernization of applications has resulted in a massive increase in the volume and speed of data being generated. Cloud, containers, serverless applications… all this ephemeral computing power generates mountains of data that can provide signals of an attack and important context for an investigation. Much of it may be noise, but for security reasons it all needs to be considered and managed.
- Increasing threats. The threat landscape has evolved significantly in recent years, and it continues to change. Threat actors have become more sophisticated in their capabilities and weaponry. They’re able to launch complex, automated, multi-stage attacks quickly and precisely. And they can scale rapidly.
- Tool complexity. SOC teams must confront this landscape with a set of complex tools that lack integration or automation. Essential SOC tools include a security information and event management (SIEM) system; security orchestration, automation and response (SOAR) system; and user and entity behavior analytics (UEBA); as well as security analytics and a threat intelligence platform. To stitch together an investigation, analysts must toggle from one application to another, losing context and wasting precious time along the way.
All of these can contribute to high alert volume and excess noise in the SOC.
Why fatigue from cybersecurity alerts is today’s SOC reality
Based on a 2020 Forrester study of more than 300 SOCs, the average SecOps team must deal with about 450 alerts per hour, or 11,000 alerts per day. Couple that with staff and tool constraints, and the upshot is that over a quarter of alerts are simply never addressed.
As many as half of these alerts may be false positives, so maybe it’s not so bad that they aren’t addressed. But how do you know which ones can be ignored? You don’t. That’s a real problem, because enterprises are spending their resources fighting false positives rather than legitimate attacks.
That was four years ago.
Now consider that often the security budget is shared between reactive activities (incident response) and proactive activities (threat hunting, risk exposure and management). If you’re spending all that time reacting to unvalidated alerts, how does that impact the time and budget available for proactive measures and things like governance, risk, compliance?
Why existing threat detection and response approaches fall short
There are four basic approaches to threat detection and response.
- Many SIEMs are noisy or require a ton of rule building
You can operate your own SOC in-house with a tech stack centered on a traditional SIEM. But many SIEMs were primarily designed for log storage and search; only later were threat engines bolted on. Sometimes they come empty, so you must source rules yourself. That requires building a team with specialized expertise in rule building and tuning as well as log onboarding. Even then, SIEMs can be very noisy with their single-stage learning model that generates too many low-fidelity alerts.
- Custom data lakes are complex
You might take that in-house SOC and try to build a custom data lake. Yes, that gives you a greater sense of control and ownership as you can customize it to your specific requirements. But a data lake by itself doesn’t do anything. That requires even more specialized expertise. It’s going to be labor intensive and time consuming, not to mention expensive. To extract value, you still need a threat detection engine and rules to actually detect threats.
Go deeper: Learn the value and importance of Security Operations Center integration (/blog/unified-defense-the-importance-of-security-operations-center-integration/).
- Lock in with MSSPs
Third, you could outsource threat monitoring and detection to a managed security services provider (MSSP) that manages your SIEM and sends you alerts when a response is required. That helps you overcome the skills shortage problem, but you may be locked into a fixed, expensive contract. If the MSSP is relying on your traditional SIEM without using a modern extended detection and response (XDR) platform, they’re just going to push the same low-fidelity alerts over to you. Or they may operate as a black box, providing you with very limited visibility into their threat detection or investigation process.
- Limitations in vendor requirements or attack surface visibility
You might try using a traditional XDR alongside your SIEM. Having a unified console should improve efficiency, but traditional XDRs typically evolved from endpoint detection and response (EDR) solutions. These vendors often require you to use their tech stack of endpoint, network and cloud security products instead of leveraging your existing investments. They may also offer limited support for third-party data sources to cover OT/ICS, IoMT and other cyber asset types, as well as custom rule creation. Moreover, if you’re charged for log storage you’ll experience highly variable and unpredictable billing – but can certainly expect higher charges when you add more data sources to detect more threats.
Ultimately, none of these options fully addresses the modern threat detection and response challenge.
Take control of high-volume cybersecurity alerts with breakthrough innovation
Forescout has addressed the limitations of traditional XDRs with Forescout TDR, which converts telemetry and logs into high-fidelity, SOC-actionable probable threats. The SaaS solution automates detection, investigation, threat hunting and response for advanced threats across all connected assets – IT, OT, IoT and IoMT – from campus to cloud to data center to edge. It combines essential SOC technologies and functions into a unified, cloud-native platform, viewable and actionable from a single console.
Forescout TDR normalizes and enriches ingested data from more than 180 vendor data sources, including the solutions you already use. Next, our two-stage threat detection engine uses more than 1,500 verified rules and a blend of five techniques – cyber intel, signatures and TTPs, UEBA, statistics and outliers, and context-aware AI/ML – to weed out false positives and generate high-fidelity, high-confidence threats that warrant human investigation. Put another way, it generates one detection an hour from every 50 million logs. That’s data-driven cyber defense – breakthrough innovation – in action.
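To make the single-stage versus two-stage distinction concrete, here is an added Python illustration (not Forescout TDR's engine or code): stage one fires a low-fidelity alert per rule, and a second correlation stage escalates an entity only when independent rule families agree within a time window. The event data, rule names, window and threshold are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: (timestamp, source, entity, event)
EVENTS = [
    ("2024-06-01T09:00:05", "idp",   "alice", "login_failed"),
    ("2024-06-01T09:00:09", "idp",   "alice", "login_failed"),
    ("2024-06-01T09:00:12", "idp",   "alice", "login_failed"),
    ("2024-06-01T09:00:20", "idp",   "alice", "login_success"),
    ("2024-06-01T09:01:30", "edr",   "alice", "new_admin_tool"),
    ("2024-06-01T09:02:10", "proxy", "alice", "unusual_dest"),
    ("2024-06-01T11:15:00", "idp",   "bob",   "login_failed"),
    ("2024-06-01T11:15:03", "idp",   "bob",   "login_failed"),
    ("2024-06-01T11:15:06", "idp",   "bob",   "login_failed"),
    ("2024-06-01T11:16:00", "idp",   "bob",   "login_success"),
]

def stage_one(events):
    """Single-stage, per-source rules: each emits a low-fidelity alert on its own."""
    alerts = []
    fails = defaultdict(int)
    for ts, source, entity, event in events:
        t = datetime.fromisoformat(ts)
        if event == "login_failed":
            fails[entity] += 1
            if fails[entity] == 3:            # signature-style rule: third failure
                alerts.append((t, entity, "brute_force_attempt"))
        elif event == "new_admin_tool":       # TTP-style rule
            alerts.append((t, entity, "admin_tool_execution"))
        elif event == "unusual_dest":         # outlier-style rule
            alerts.append((t, entity, "anomalous_egress"))
    return alerts

def stage_two(alerts, window=timedelta(minutes=10), min_signals=2):
    """Correlate per entity: escalate only when distinct rules agree inside the window."""
    by_entity = defaultdict(list)
    for t, entity, name in alerts:
        by_entity[entity].append((t, name))
    threats = []
    for entity, items in by_entity.items():
        items.sort()                          # chronological; window starts at first alert
        start = items[0][0]
        distinct = {name for t, name in items if t - start <= window}
        if len(distinct) >= min_signals:
            threats.append((entity, sorted(distinct)))
    return threats
```

With this input, ten events become four stage-one alerts, and only alice (three independent signals within two minutes) is escalated; bob's lone brute-force alert stays low-fidelity noise.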
Improve your SOC efficiency with better detection and response of true threats. Learn More.