Cybersecurity is broken.
More to the point, hybrid attack detection and response is failing. According to a 2022 IBM report, 83% of organizations suffer multiple breaches each year. Clearly, a new approach is desperately needed. But contrary to the current trend, adding more tools that generate more alerts is not the answer. (Source: IBM Security Cost of a Data Breach Report 2022.)
Drowning in a Deluge of Alerts
According to Vectra’s 2023 State of Threat Detection report, SOC analysts typically measure a tool’s effectiveness by whether it flags a threat event and triggers an alert.
But as an industry, is that the standard we want to hold ourselves to when SOC teams are overwhelmed by nearly 4,500 alerts coming from numerous tools every single day?
Who has the time or team to handle such a ridiculous alert volume?
Yes, your SOC team’s job is to protect the hybrid IT environment, but drowning your analysts in thousands of alerts that they can’t possibly deal with is NOT the way to fulfill that mandate.
SOC Analysts Lack Confidence in Their Tools
In that same report, 97% of analysts worry that they’ll miss a relevant event buried in the two-thirds of security alerts they never have time to review on any given day.
Not only is this confidence crisis unacceptable, it’s also untenable. How can any SOC team do their jobs with such high signal, alert, and false-positive volumes?
It’s a formula for disaster for both SOC analysts and the hybrid enterprises they’re trying to protect.
The Disappearing SOC Analysts
And by the way, “disaster” isn’t hyperbole. As noted in a prior post, 67% of SOC analysts are considering leaving or are actively leaving the industry, which explains the persistent global deficit of 3.4 million high-skilled security workers.
Those levels of attrition and analyst deficit are attributed to a daily workload laden with stress and frustration.
But it also speaks to a crisis of confidence for security analysts concerning the entire cybersecurity paradigm. If we don’t redefine how we measure the effectiveness of security tools, the integrity of your IT environment will continue to deteriorate as alert volumes increase and analysts continue to exit the industry en masse.
A Smarter Approach Is Here
Our research suggests that your SOC team can improve the situation by avoiding tools that only hinder analysis and add to their workload. They also need a way to assess tools on threat visibility, detection accuracy, and analyst effectiveness.
A smart first step would be to change how analysts measure effectiveness. Currently, most measure SOC maturity via factors like reduced downtime (65%); time to detect, investigate, and respond (61%); breaches prevented (61%); and the number of tickets dealt with (60%).
But are such metrics really useful or even relevant if unseen attacks and breaches continue to be the norm?
Focus On What You Can Control
As an industry, continuing down the same path of tool proliferation and failure is not the way forward; it’s just feeding the same spiral of “more” that has put us in this predicament.
A second step to success is to focus on what you can control, not what you can’t. For instance, you can’t control your organization’s attack surface. It will continue to grow and change with digital investments. Nor can you control when, where or how attackers will try to breach your defenses.
But you can control the signal and the burnout challenges impacting your SOC analysts every day.
How can these key goals be accomplished?
The Unrivaled Advantages of Signal Clarity
You start by redefining what effective security is, and what it isn’t. Detecting thousands of possible threats doesn’t help if you can’t tell the urgent from the benign.
But quickly identifying and prioritizing attacks through an integrated signal that provides clarity into the most urgent attacks across the entire attack surface?
That’s a game-changer.
The advantages of such signal clarity are undeniable. The more effective the attack signal, the more cyber-resilient, efficient, and effective the SOC becomes and the better you can defend the organization. Furthermore, improved success rates will help stem the flow of analysts from the industry.
Gaining signal clarity starts with the tools in your tech stack. We think security vendors should be held accountable for the efficacy of their signal, not just the alert volumes they generate. They should also be held accountable for their tools’ lack of attack surface visibility, detection accuracy, and the negative impact those failures have on analyst productivity.
In the meantime, to learn more about Vectra and integrated signal clarity, drop by and see a clear path forward.