SOCs still overwhelmed by alert overload, struggle with false-positives
Security Operations Center (SOC) analysts continue to face an overwhelming number of alerts each day that are taking longer to investigate, leading five times as many SOC analysts this year to believe their primary job responsibility is simply to “reduce the time it takes to investigate alerts”.
The most striking finding is the direct toll the alert overload problem is having on SOC analysts with more than 8 out of 10 reporting that their SOC had experienced at least 10% up to more than 50% analyst churn in the past year.
CRITICALSTART surveyed SOC professionals across enterprises, Managed Security Services Providers (MSSP) and Managed Detection & Response (MDR) providers to evaluate the state of incident response within SOCs from a variety of perspectives, including alert volume and management, business models, customer communications as well as SOC analyst training and turnover.
Alert overload
70% of respondents investigate 10+ alerts each day (up from 45% last year) while 78% state that it takes 10+ minutes to investigate each alert (up from 64% last year). In addition, false-positives remain a struggle, with nearly half of respondents reporting a false-positive rate of 50% or higher, almost identical to last year.
Response to alert overload & main job responsibility
With the onslaught of alerts, 38% of respondents say their SOC either tries to hire more analysts or turn off high-volume alerting features deemed too noisy, both up significantly from last year. The number of respondents that feel their main job responsibility is to analyse and remediate security threats has dropped dramatically from 70% down to 41% as analysts increasingly believe their role is to reduce alert investigation time or the volume of alerts.
Customer transparency & communications
A clear majority of respondents (57%) report that MSSPs and MDRs offer limited to no transparency for customers into investigations or underlying data. And in the age of the mobile enterprise, email is still king for customer communications – 73% of respondents report interacting with customers via email, followed by 47% via a desktop portal.
Annual training
Nearly half of respondents say they get 20 or fewer hours of training per year, a surprise given today’s dynamic threat environment.
SOC analyst turnover
In the past year, 80% of respondents report SOC turnover of more than 10% of analysts, with nearly half reporting 10-25% turnover.
“The research reflects what we are seeing in the industry – as SOCs get overwhelmed with alerts, they begin to ignore low to medium priority alerts, turn off or tune out noisy security applications, and try to hire more bodies in a futile attempt to keep up,” said Rob Davis, CEO at CRITICALSTART. “Combine that stressful work environment with no training and it becomes clear why SOC analyst churn rates are so high, which only results in enterprises being more exposed to risk and security threats.”
source helpnetsecurity
Industry: Cyber Security News
Latest Jobs
-
- SOC Manager. SC Clearance. Immediate opportunity.
- Unknown
- N/A
-
Permanent SOC Manager. SC cleared / clearable, London / Birmingham. SOC Manager needed to replace a SOC contractor I placed into a client who is due to complete their assignment at the end of March. The ability to achieve SC clearance is essential. Looking for someone that is a blend of strategic stakeholder engagement with strong technical skills. The role will sit in a relatively new SOC environment. The position is to setup, implementation and management of resources to help with the initial and on-going stages of a new SOC. Experience engaging with and managing client stakeholder relationships as well as 3rd party relationships is critical. The role will involve; setting up, implementing and fine tuning the various initial stages of a SOC environment. Experience establishing and building out technical process / operational capability, managing of technical teams (analysts, engineers and architects, creation of policy / playbooks, fine turning is key. SPLUNK is the tooling of choice… Interviewing immediately. Set up a call with me today on https://calendly.com/chris-holt/arranged-call-with-chris-holt-soc-manager-role Direct contact details Chris.Holt@dclsearch.com or 07884666351
-
- Security engineer. Financial Services. UK. Permanent
- Unknown
- N/A
-
CH7863 Security engineer. End User . Financial Services Security Engineer needed to monitor and manage a security suite of tools within an End User environment. The Security Engiener will be responsible monitoring, configuring, fine tuning, incident management and generally improving the security tool capability. Specific experience with CyberArk, Tripwire Log Center and Tripwire Enterprise is highly desirable). Current experience with Vulnerability management and penetration testing is highly desirable. Specifically the ability to effectively manage 3rd party pen tests. You will be working within a specialist security team reporting to the CISO. Experience working within an end user environment within financial services is highly desirable. Flexible location. This is an exclusive role to DCL Search & Selection. To book a call please use my Calendy link https://calendly.com/chris-holt/arranged-call-with-chris-holt-soc-role-
-
- DevSecOps - Security design / review consultant. SC Clearance. London
- London
- N/A
-
CH7858 London £70,000 DevSecOps - Security design / review consultant. DevSecOps - Security design / review consultant will ensure that newly created, public facing apps are secure by design and by default by aligning them to current / best practice security policies and standards into the design phases. The individual must have a technical software / application development background with specalist experinece in secure architecture design. (Frameworks, processes, best practice etc) Practical experience translating and ensuring that the OWASP top 10, ISO27001, HMG frameworks requirements are reviewed and embedded into project designs which are implemented is essential. Experience working projects through a full development lifecycle is key. You will work along side the design and project teams to idenitfy and mitigate risks throughout the design phases. This is a permanent role. SC clearance is essential as is the ability to get to the London office. (When appropiate #covid) Security DevSecOps consultant. To arrange a discreet call book via https://calendly.com/chris-holt/devsecopp--security-design-review-consultant
-
- CONTRACTOR Cyber Vulnerability Analyst, NESSUS, Rapid 7, SC clearance required.
- London
- N/A
-
Cyber Vulnerability analyst NESSUS, Rapid 7, needed for IMMEDIATE 3 month contract MUST have / be able to achieve UK SC clearance role to work within a live environment within a public sector department. The individual must have experience in using various security methods and tools such as Rapid7 and NESSUS scan for / identify vulnerabilities, prioritise them according to risk and raise appropriate tickets for remediation / follow up. In depth experience utilising Nessus highly beneficial. Current cyber public sector experience highly desirable.