Respondents in one survey had more than sufficient threat detection tools, but more of these actually led to less effectiveness …

Based on a March–April 2023 survey of 2,000 IT security analysts working at organizations* with more than 1,000 employees around the world, data on cyber security operations has revealed factors that could be preventing security operations center (SOC) teams from effectively securing their organizations against cyberattacks.

SOC respondents in the survey said their tools were effective; however, the combination of blind spots and a high volume of false-positive alerts was preventing them from successfully containing cyber risks such as lateral movement, privilege escalation, and cloud attack hijacking.

Despite the increasing adoption of AI and automation tools, respondents still had to interpret data, launch investigations, and take remedial action themselves while facing alert overload and repetitive, mundane tasks. Two-thirds of respondents said they were considering leaving, or were actively leaving, their jobs.

Trapped in a “Spiral of More”?

SOC respondents reported being unable to deal with 67% of the alerts received daily, with 83% reporting that alerts were false positives. Furthermore:

    • 63% reported that the size of their attack surface had increased in the past three years, with an average of 4,484 alerts received daily and nearly three hours a day spent manually triaging them.
    • 97% of SOC respondents worried about missing a relevant security event because it could have been buried under a flood of alerts, even though most respondents considered their tools effective overall.
    • 41% believed alert overload was the norm because vendors are afraid of failing to flag an event that could turn out to be important.
    • 38% said security tools were purchased as a box-ticking exercise to meet compliance requirements, and 47% wished IT team members would consult them before investing in new products.
    • 74% of respondents said their job matched expectations, while 67% were considering leaving or were actively leaving their job. Of the latter group, 34% said they did not have the tools necessary to secure their organization.
    • 55% of respondents were so busy that they felt they were doing the work of multiple people, and 52% believed that working in the security sector was not a viable long-term career option.

According to Kevin Kennedy, Senior Vice President (Products) at Vectra AI, which commissioned the survey, a phenomenon called the “spiral of more” was overwhelming respondents across the Asia Pacific region. As enterprises shift to hybrid and multi-cloud environments, security teams are continually faced with more:

    • more attack surfaces
    • more attacker methods that evade defenses
    • more noise
    • more complexity
    • more hybrid attacks

In turn, respondents were overloaded and burned out by signal noise and siloed detection tools.

Kennedy noted: “The surplus of disparate, siloed tools has created too much detection noise for SOC analysts to successfully manage and instead fosters a noisy environment that’s ideal for attackers to invade. As an industry, we cannot continue to feed the spiral, and it’s time to hold security vendors accountable for the efficacy of their signal. The more effective the threat signal, the more cyber resilient and effective the SOC becomes.”

The firm believes that organizations must focus on what they can control: the quality of the signal and the burnout that SOC analysts may be facing. Effective security in the SOC does not mean detecting possible threat events, but rather detecting and prioritizing real attacks accurately.

*The US (200), the UK (200), France (200), Germany (200), Italy (200), Spain (200), Sweden (200), the Netherlands (200), Australia and New Zealand (200), and Saudi Arabia and the United Arab Emirates (200).