
Eliminating SOC fatigue in today’s distributed, hybrid workplace


In a word, today’s threat landscape is relentless. According to Check Point Research, cyberattacks reported globally in 2022 increased by 38% compared to 2021—reaching an all-time high in Q4 of 1168 weekly attacks per organization. This includes increasingly sophisticated ransomware, drive-by attacks, phishing and Highly Evasive Adaptive Threats (HEAT) that target web browsers and employ techniques to evade multiple layers of detection in current security stacks. Often delivered through the web, these attacks are designed to give malicious actors initial access to the victim’s network, so they can lie in wait, worm their way through the network in search of high-profile targets and ultimately deliver their malicious payload.

The main reason today’s threat landscape can be described as relentless is the deluge of alerts generated by security monitoring tools—many of which actually come from legitimate business activity. Digital transformation, a hybrid workforce and an increasingly distributed infrastructure are facilitating new behaviors across the network, leading to an avalanche of alerts. For example, an employee logging on from a new location or downloading a set of data they’ve never accessed before is enough to trigger an alert. A user accessing a personal Dropbox account from a company-managed laptop could trigger an alert. These qualify as abnormal events, but put within the right business context, they are actually quite innocent.

Yet, despite this benign intent, each of these events poses a risk to the security posture of the organization and needs to be investigated, prioritized and closed—creating a massive workload for security operations center (SOC) teams. Given the volume, variety and veracity of both legitimate attacks and innocuous events, SOC teams are under immense pressure to identify and respond quickly to keep the organization safe. This is starting to take its toll.

How is the current threat landscape impacting SOC teams?

SOC technicians are on the front lines of these attacks, responding to alerts that have flagged abnormal activity in the network or on an endpoint. It takes a lot of time to investigate each event, determine its threat level, flag it for appropriate remediation and close the ticket. At a certain point, threat identification turns into a cyber version of finding a needle in a haystack—causing fatigue, burnout and a distorted distribution of SOC resources.

Why does the growth in alerts cause SOC fatigue?

Understandably, responding to hundreds of alerts every day can leave SOC technicians a bit weary—especially when you consider that at least a fifth of alerts end up being benign, according to recent research. Yet, each event requires a human to investigate, analyze the findings and make a recommendation for remediation. Even an army of SOC technicians working around the clock would not have the time to conduct a proper investigation into the thousands of alerts that are flagged each day. In order to fulfill their mission to protect the network from today’s highly sophisticated threats, SOC teams need to be both efficient and effective.

What is the impact on the organization’s security posture?

Spending all your time investigating SOC alerts means that your technicians are not able to spend time on other, more strategic security projects such as advanced threat intelligence. This makes it more likely that a truly harmful event goes undetected, breaches the network and causes disruption—either through data exfiltration, taking remote control of critical business systems, or both.

Why are organizations overwhelmed with SOC alerts?

It’s math. There is only so much time in the day to investigate SOC alerts, and there are simply too many for a reasonable number of technicians to deal with them all. Organizations can’t just throw money at the problem (outsourcing SOC operations to a managed service provider, for example) due to budgetary constraints. Churn is also an issue. Burnout creates turnover, and new technicians need time to be onboarded and get up to speed. Most critical, however, is the fact that most organizations continue to rely on a detect-and-respond approach to cybersecurity.

How can organizations reduce SOC alerts and focus on what really matters?

Organizations need to layer in a proactive, preventative approach in front of their existing security stack while automating event monitoring and response. This two-tiered approach stops malicious events from happening in the first place and takes detection and remediation of the large number of alerts that aren’t an issue out of the hands of humans. This allows SOC technicians to focus on the truly malicious threats targeting the organization.

Prevention technologies such as isolation are the only way to stop malware and other threats before they gain initial access to an end device. Isolation works by creating a virtual air gap between users’ browsers and the Internet, preventing any content—whether it’s good or bad, known or unknown—from reaching the endpoint. Instead, fetching and executing content happens in a remote browser in the cloud, where HEAT attacks can be identified, quarantined and eradicated without getting close to their intended target. This preventative approach through isolation eliminates the event from happening in the first place—dramatically reducing the number of alerts generated in the SOC.

The remainder of the alerts can then be investigated and resolved through automation. Consolidating these alerts on a single pane of glass with the proper business context allows for easy, seamless remediation through a rules-based engine without any human interaction required. Alerts that need to be escalated can then be sent to a technician who now has the time, context and motivation to conduct a proper investigation.
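The rules-based triage described above, and the "abnormal but innocent" alerts listed earlier (a login from a new location, first-time access to a dataset, personal cloud storage on a managed laptop), can be made concrete with a small example. The following Python is an added illustration, not code from Menlo Security or from the original post. The alerts, the business context (approved travel from HR, dataset grants from project assignments, a list of sanctioned storage services) and the rule logic are all constructed for the example; the point it adds is the guard-rail that high-severity alerts are never auto-closed, so automation cannot silently suppress the alerts a human most needs to see.

```python
"""Rules-based alert triage enriched with business context (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Alert:
    id: str
    user: str
    kind: str            # new_location_login | new_dataset_access | personal_cloud_storage
    details: dict
    severity: str = "medium"


@dataclass(frozen=True)
class Decision:
    alert_id: str
    action: str          # "auto_close" or "escalate"
    reason: str


# Hypothetical business context: what HR, IT and the project office know that
# the monitoring tool alone does not. All values are constructed sample data.
CONTEXT = {
    "approved_travel": {"alice": {"DE", "FR"}},        # countries with an approved trip
    "project_datasets": {"bob": {"finance-q3"}},       # datasets granted by project assignment
    "sanctioned_cloud_storage": {"corp-box"},          # personal storage services that are allowed
}

Rule = Callable[[Alert, dict], Optional[Decision]]


def rule_travel(alert: Alert, ctx: dict) -> Optional[Decision]:
    """A login from a new country is benign if HR has an approved trip there."""
    if alert.kind != "new_location_login":
        return None
    country = alert.details.get("country")
    if country in ctx["approved_travel"].get(alert.user, set()):
        return Decision(alert.id, "auto_close", f"approved travel to {country}")
    return None


def rule_project_data(alert: Alert, ctx: dict) -> Optional[Decision]:
    """First-time access to a dataset is benign if a project assignment granted it."""
    if alert.kind != "new_dataset_access":
        return None
    dataset = alert.details.get("dataset")
    if dataset in ctx["project_datasets"].get(alert.user, set()):
        return Decision(alert.id, "auto_close", f"{dataset} granted by project assignment")
    return None


def rule_cloud_storage(alert: Alert, ctx: dict) -> Optional[Decision]:
    """Personal cloud storage on a managed laptop: close only for sanctioned services."""
    if alert.kind != "personal_cloud_storage":
        return None
    service = alert.details.get("service")
    if service in ctx["sanctioned_cloud_storage"]:
        return Decision(alert.id, "auto_close", f"{service} is a sanctioned service")
    return Decision(alert.id, "escalate", f"unsanctioned storage service {service}")


RULES = [rule_travel, rule_project_data, rule_cloud_storage]


def triage(alert: Alert, ctx: dict = CONTEXT, rules=RULES) -> Decision:
    """Apply the rules in order; anything no rule can explain goes to a human.

    Guard-rail: high-severity alerts always escalate, whatever the rules say,
    so the automation can never hide the alerts that matter most.
    """
    if alert.severity == "high":
        return Decision(alert.id, "escalate", "high severity is never auto-closed")
    for rule in rules:
        decision = rule(alert, ctx)
        if decision is not None:
            return decision
    return Decision(alert.id, "escalate", "no business context explains this alert")


def triage_all(alerts, ctx: dict = CONTEXT):
    """Triage a batch and return (decisions, escalation queue)."""
    decisions = [triage(a, ctx) for a in alerts]
    queue = [d for d in decisions if d.action == "escalate"]
    return decisions, queue


# Constructed sample alerts mirroring the cases in the post.
SAMPLE_ALERTS = [
    Alert("A1", "alice", "new_location_login", {"country": "DE"}),
    Alert("A2", "alice", "new_location_login", {"country": "BR"}),
    Alert("A3", "bob", "new_dataset_access", {"dataset": "finance-q3"}),
    Alert("A4", "carol", "personal_cloud_storage", {"service": "dropbox"}),
    Alert("A5", "bob", "new_dataset_access", {"dataset": "finance-q3"}, severity="high"),
]

if __name__ == "__main__":
    all_decisions, escalations = triage_all(SAMPLE_ALERTS)
    for d in all_decisions:
        print(f"{d.alert_id}: {d.action:10s} {d.reason}")
    print(f"{len(escalations)} of {len(all_decisions)} alerts need a technician")
```

Of the five constructed alerts, two are closed by context (A1 and A3) and three reach the queue: A2 because no context explains a login from Brazil, A4 because the storage service is not sanctioned, and A5 because the severity guard-rail fires even though the same rule would otherwise have closed it. Every decision carries a reason string, which is what a technician needs to audit what the engine closed on their behalf.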

Working together, prevention and automation reduce alerts, prioritize events that need further investigation and keep the organization safe from today’s highly sophisticated HEAT attacks.



*** This is a Security Bloggers Network syndicated blog from Menlo Security authored by Mark Guntrip. Read the original post at: https://www.menlosecurity.com/blog/eliminating-soc-fatigue-in-todays-distributed-hybrid-workplace/


Mark Guntrip

Mark Guntrip has over 20 years of experience in security marketing, including strategy, product management and product marketing across enterprise and commercial markets. Specific market areas include advanced threat protection, web security, cloud-based security, firewalls and managed security services. He has a proven track record of building success in new markets as well as promoting growth within more established areas. Prior to Menlo Security, Guntrip held various management roles with Proofpoint, Symantec and Cisco.
