Too Many False Positives? Detox Your SOC


Even after deploying SOAR, SIEM, IDPS and other technologies to improve security insight, companies still spend thousands of hours triaging alerts, most of which turn out to be false positives. The alert workload is driven by many factors, including:

  • More security tools: The average enterprise uses 75 security products to secure its network.
  • More data: IDC projects that by 2025 worldwide data will grow 61 percent to 175 zettabytes, with as much of that data residing in the cloud as in data centers.
  • More IoT devices: Gartner forecasts that 20.4 billion connected things will be in use worldwide by 2020.

Organizations have realized that the time and resources they put into alert investigation are not sustainable given the ever-increasing volume of alerts. SOCs are forced into a “do what you can do” strategy: prioritizing alerts for high-value, high-risk assets, raising alert thresholds to reduce alert volume (and accepting the detections that are lost with them), and, worst of all, simply ignoring alerts.

Enterprise Strategy Group’s research reveals that 42 percent of cybersecurity professionals say that their organization ignores a significant number of security alerts because they can’t keep up with the volume. When this group was asked to estimate the percentage of security alerts ignored at their organization, perhaps the most surprising result is that 11 percent said their organization ignores more than 75 percent of security alerts (see chart below). All I can say is, Wow!

Chart: Organizations are ignoring alerts. Of the 42 percent of organizations that say they ignore some alerts, 11 percent ignore more than 75 percent of them.

Some SOC teams are trying to hire more analysts to reduce their alert load. However, they are discovering that this is not only expensive but also hard to do, since there aren’t enough cybersecurity professionals to go around. (ISC)², the world’s largest nonprofit association of certified cybersecurity professionals, estimates a global shortfall of nearly 3 million cybersecurity positions.

The Cure is Worse Than the Disease is a new Lastline white paper that explores why coping strategies for dealing with alert fatigue are putting organizations at greater risk for loss of data, customers, and reputation.

This paper discusses why the SOC team needs a better approach, one in which analysts are not constantly choosing which alerts to investigate, but in which false positives are significantly reduced by automating threat detection and response. Details include:

  • AI that distinguishes between benign and malicious behavior to dramatically reduce false positives
  • High-fidelity alerts with relevant context and linkage with data from across the network
  • Real-time collaborative threat intelligence to protect against evolving threats
  • Automated response enabled by accurate detection and integration with existing tools

Download The Cure is Worse Than the Disease white paper.

Teresa Wingfield


As a cyber security evangelist at Lastline, Teresa Wingfield enjoys sharing new perspectives on top security challenges such as SOC efficiency, sophisticated threats, network visibility, and hybrid data center protection. Teresa has more than ten years of security experience at leading companies such as McAfee (cloud and data center security), VMware (mobile security) and Symantec (virtual machine protection and website security). She has also worked at several startups in the endpoint detection and response and compliance fields. Teresa holds an M.S. in Information Technologies from the Massachusetts Institute of Technology.