MSSPs Waste Hours of Time on False Alerts
Managed security services providers (MSSPs) are wasting enormous resources processing useless security alerts, research has revealed.
Advanced Threat Analytics (ATA) found that the problem impacts staffing, operational business models and security effectiveness. Additionally, the survey found that incident responders often cope with this problem by either reducing the sensitivity of security equipment or ignoring alerts altogether.
ATA polled nearly 50 MSSPs to evaluate the state of incident response within their security operations centers (SOCs). Nearly 45% of respondents investigate 10 or more alerts each day (22% investigate 10 and 20 alerts each day, 11% investigate 20-40 daily, and 11% investigate 50 or more).
This is time-consuming: 64% state that, on average, it takes 10 minutes or more to investigate each alert; 33% say it takes between 10 and 20 minutes to investigate each alert, 20% say it takes between 20 and 30 minutes, and 11% state it takes 30 minutes or more.
Unfortunately, a full 44% of respondents report a 50% or higher false-positive rate: About a fifth (22%) experience a 50-75% false-positive rate, while the rest report a rate of 75-99%.
“This research shows that MSSPs are still on the receiving end of an oppressive number of daily security alerts, forcing many analysts and incident responders to spend hours – in some cases, more than five – each day investigating them, many of which turn out to be false-positives,” said Alin Srivastava, president, ATA. “Devoting so much time to benign alerts severely compromises security effectiveness, as analysts are distracted from acting on actual threats and incidents.”
Staff inefficiency isn’t the only outcome associated with alert overload. It’s also forcing SOCs to compromise in other critical areas as well. When asked what they do if their SOC has too many alerts for analysts to process, respondents said they tune specific alerting features or thresholds to reduce alert volume (67%); ignore certain categories of alerts (38%); turn off high-volume alerting features (27%); and hire more analysts (24%).
“Many MSSPs are expanding their teams in an effort to keep up with alert volume, which isn’t a sustainable model, while others change operational processes, like turning off security features or ignoring certain alerts, which greatly increases the risk that legitimate security events will go undetected,” continued Srivastava. “The most effective way for MSSPs to break free from alert tyranny is to invest in technology that decreases the number of incidents generated rather than in traditional SIEM [security information and event management] and incident orchestration solutions, which only reduce the time it takes to investigate each one.”
When survey respondents were asked what they felt was the main responsibility of their job, 70% said analyzing and remediating security threats; 20% said limiting the number of alerts sent to clients for review; 5% said investigating as many alerts as possible; and the remaining 5% said reducing the time it takes to investigate a security alert.
Source: Information Security Magazine