The failing threat detection tools and employee burnout
Vectra AI released the findings of its 2023 State of Threat Detection Research Report, providing insight into the "spiral of more" preventing security operations centre (SOC) teams from effectively securing their organisations from cyberattacks.
Today's security operations (SecOps) teams protect progressively sophisticated, fast-paced cyberattacks. Yet, Vectra AI highlights that the complexity of people, processes, and technology at their disposal is making cyber defence increasingly unsustainable.
The ever-expanding attack surface combined with evolving attacker methods and increasing SOC analyst workload results in a "spiral of more", preventing security teams from effectively securing their organisation.
Based on a survey of 2,000 SecOps analysts, including 200 from Australia and New Zealand (ANZ), the report explains why the current approach to security operations is not sustainable.
Manual alert triage costs organisations billions globally as burnout becomes more prolific and security analysts leave the profession for a less stressful career.
The report highlights that security analysts are tasked with detecting, investigating and responding to threats as quickly and efficiently as possible while being challenged by an expanding attack surface and thousands of daily security alerts.
The study found that 69% of ANZ respondents report the size of their attack surface has increased in the past three years, and on average, SOC teams receive 4,450 alerts daily and spend nearly three hours a day manually triaging alerts.
Furthermore, security analysts cannot deal with 66% of the daily alerts received, with 83% reporting that alerts are false positives and not worth their time.
Although most SOC analysts report their tools are effective, the combination of blind spots and a high volume of false positive alerts prevent enterprises and their SOC teams from successfully containing cyber risk.
Vectra AI states that without visibility across the entire IT infrastructure, organisations cannot identify the most common signs of an attack, including lateral movement, privilege escalation, and cloud attack hijacking.
The study also found that globally, 97% of SOC analysts worry about missing a relevant security event because it's buried under a flood of alerts. However, the vast majority deem their tools adequate overall. In ANZ, 58% stated they worry every day.
In ANZ, 37% believe alert overload is the norm because vendors are afraid of not flagging an event that could turn out to be important. In addition, only 13% stated threat detection tools are not noisy.
34% claim that security tools are purchased as a box-ticking exercise to meet compliance requirements, and 44% wish IT team members consulted them before investing in new products.
Lastly, 37% said they were sick of vendors selling new security products that add to the number of alerts rather than improving threat efficacy.
Despite the increasing adoption of AI and automation tools, the security industry still requires many workers to interpret data, launch investigations, and take remedial action based on the intelligence they are fed.
Faced with alert overload and repetitive, mundane tasks, Vectra AI says two-thirds of security analysts report they are considering or actively leaving their jobs, a statistic that poses a potentially devastating long-term impact on the industry.
The study found that despite 79% of ANZ respondents claiming their job matches expectations, 58% are considering or actively leaving their job.
The top three reasons for leaving their profession were: 37% say they spend all their time sifting through poor quality security alerts, 44% feel stressed, and 45% say they don't feel they have the tools to secure their organisation.
Moreover, 55% of ANZ analysts claim they're so busy that they feel like they're doing the work of multiple people, and 56% believe working in the security sector is not a viable long-term career option.
Chris Fisher, Director of Security Engineering, Vectra AI, Asia Pacific & Japan, says: "SOC teams are, understandably, overwhelmed."
"The report highlights the disconnect between how teams view their security tools and solutions and the fact that this tooling not only isn't supportive but is greatly adding to existing pressure."
"We all know that hackers are becoming more sophisticated, but the solution is not to create more alerts. We need to be investing in solutions that look more closely at attacker behaviour and are able to filter out what doesn't require further attention and what could be more serious."
"From here, SOC teams can prioritise real attacks with accuracy. Organisations and security leaders must be willing to demand signal clarity," says Fisher.
Kevin Kennedy, Senior Vice President of Products, Vectra AI, says: "As enterprises shift to hybrid and multi-cloud environments, security teams are continually faced with more - more attack surface, more attacker methods that evade defences, more noise, more complexity, and more hybrid attacks."
"The current approach to threat detection is broken, and the findings of this report prove that the surplus of disparate, siloed tools has created too much detection noise for SOC analysts to successfully manage and instead fosters a noisy environment that's ideal for attackers to invade."
"As an industry, we cannot continue to feed the spiral, and it's time to hold security vendors accountable for the efficacy of their signal. The more effective the threat signal, the more cyber resilient and effective the SOC becomes," says Kennedy.