SOC teams are frustrated with their security tools

October 14, 2024

For businesses, security begins in the Security Operations Center. Whether enterprises maintain their own SOCs or rely on a third party, protection from malware and other cyberattacks requires real-time detection by trained professionals who can identify a cyberattack mid-execution and take steps to halt it if possible. To make this possible, SOC analysts rely on a suite of security tools, many of which come from third parties. However, a survey of SOC practitioners conducted by Vectra AI indicates that these tools may suffer from some core issues that make the world's overall security footing worse rather than better.

The biggest problem, according to the survey, is the sheer volume of noise generated by these tools. Their purpose is to flag the traffic that could be an attack in progress, but evidently most tools err too far on the side of caution. Of all the alerts they receive, survey takers said they would classify only 16 percent as genuine cyberattacks, with the rest being noise and false positives. This is a serious problem. The more time security practitioners have to spend dealing with false positives, the less time they have to analyze critical alerts that might be genuine cyberattacks. Timing is everything: a few minutes' difference in responding to a ransomware attack can decide whether a single device or an entire network is compromised. Anything that causes delays, or worse, causes alerts to be ignored, is a serious security issue. Security practitioners agreed that, because of the sheer volume of noise, they were realistically able to deal with only 38 percent of the alerts that come across their desks.

Much of the blame for the noise problem is being heaped upon vendors. Of the practitioners surveyed, 50 percent believed that the third-party tools purchased by their SOCs were more of a hindrance than a help, 47 percent did not trust their tools to work properly, and 54 percent said the tools they worked with were increasing their workload rather than reducing it. The sheer number of tools at play may also be at fault, since 73 percent of practitioners said their SOC had more than 10 tools in place and 45 percent had more than 20. With all these issues combined, 71 percent of practitioners agreed that they were likely to miss a genuine security threat because of the volume of noise.

SOC teams are increasingly turning to AI-based tools to make up the shortfall. 85 percent of surveyed practitioners said their investment in and use of AI had increased in the past year, and 67 percent agreed that AI had a positive impact on their ability to identify and deal with threats. 75 percent said AI has reduced their workload, and 89 percent plan to adopt more AI-powered tools over the next year. The hope is that AI will be used effectively in the SOC to address the noise problem and create an environment in which analysts are free to focus on the critical issues they are there to respond to.
