One of the key findings from the survey of MSSP analysts conducted by Advanced Threat Analytics is that the majority of respondents report a false-positive security alert rate of more than 50%.
Many analysts spend 5-6 hours a day investigating security alerts, a large share of which are false positives. This frequently compromises security effectiveness and keeps analysts from responding to actual threats and incidents.
Alert Overload has real consequences
The inundating flow of thousands of security alerts per day has far-reaching effects on managed security providers.
To manage the negative effects of alert overload, analysts put a lot of effort into tuning alerts, setting thresholds, and creating rules to reduce alert frequency. Many analysts have additionally put a process in place to ignore a few categories of alerts, based on the patterns they have seen and their experience dealing with them.
The data security breach at one of the largest retail companies in recent years could have been averted had it not been for "alert fatigue" at its SOC. Alert overload has highly damaging consequences, and SOCs and MSSPs should tune their alerting appropriately.
Seventy percent of MSSP analysts identify their primary role as analyzing and remediating security threats, while only 20% believe their primary responsibility is tuning alerts properly and limiting their volume.
To address alert overload, SOCs and MSSPs should invest in incident orchestration technology and in SIEMs that are capable of expressing advanced rules and tuning algorithms.