New research published in the past few weeks shows that false positives and alert fatigue continue to plague security operations centers (SOCs) worldwide. And, according to the research, it is killing the SOC's ability to keep teams intact and to respond quickly to threats.
The most recent report, out earlier this week, shows that close to half of security analyst teams battle false positive rates of 50% or higher from their security tooling. Meanwhile, another report released earlier this month by the Ponemon Institute and SIEM provider Exabeam shows that as much as 25% of a security analyst's time is spent chasing false positives (sifting through erroneous security alerts or false indicators of compromise) before they can tackle real findings. In other words, for every hour an analyst spends on the job, 15 minutes are lost to false positives. On average, the typical organization wastes between 286 and 424 hours per week on false positives.
A similar Ponemon report, sponsored by Devo, on the current state of SOC capabilities and threat hunting shows that this wasted time has made false positives one of the top five issues rendering the SOC ineffective. Some 49% of organizations report it as a top challenge.
False positives are a subset of a much bigger problem, alert volume, that is crushing security analysts and threat hunting teams today. Among C-level technology and cybersecurity executives, leadership ranks alert overload as one of the top three issues plaguing security organizations, alongside a lack of automation and a lack of integration. Approximately 67% of CISOs, CIOs, and CTOs told Fidelis Cybersecurity that alert overload is one of the main issues their teams face. This tracks with the other recently released reports. For example, Ponemon and Devo found that the number one challenge cited by threat hunting teams is that there are simply too many IOCs for them to track effectively; 61% of respondents named it as a top threat hunting challenge.
As independent cybersecurity consultant Joshua Goldfarb puts it, the data points bombarding security analysts today are causing them to experience "sensory overload." Goldfarb writes:
If you aren't familiar with the term "alert cannon," you should be. Most security organizations contend with noisy, imprecise rule logic that produces an exorbitant number of false positives. The result is a cannon of alerts that can bury even the largest security teams in noise. Developing precise, high fidelity, low noise alerting designed to incisively root out activity indicative of the prioritized risks is the right way to filter out all of that unhelpful noise.
The inability to do just that is hurting SOC team efficacy and engagement in a big way. The Ponemon/Devo study showed that only 22% of companies can report a mean time to resolution (MTTR) measured in hours or days. Longer MTTRs are far more prevalent: approximately 42% report that their MTTR window is measured in months or years.
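To find which rules are feeding the "alert cannon" Goldfarb describes, a SOC can compute per-rule false-positive rates, and the analyst minutes each rule burns, from its own triage outcomes. The script below is an added example, not code from the article or from the reports it cites; the triage records are constructed, and the 50% threshold is an assumption chosen to match the false-positive rate the first report describes.

```python
"""Per-rule false-positive accounting over a constructed set of triage records."""
from collections import defaultdict

# Constructed sample triage log: one record per alert an analyst closed.
# Fields: detection rule name, analyst verdict, minutes spent before closing.
TRIAGE_RECORDS = [
    {"rule": "login_from_new_country", "verdict": "false_positive", "minutes": 10},
    {"rule": "login_from_new_country", "verdict": "false_positive", "minutes": 10},
    {"rule": "login_from_new_country", "verdict": "false_positive", "minutes": 10},
    {"rule": "login_from_new_country", "verdict": "true_positive", "minutes": 30},
    {"rule": "powershell_encoded_cmd", "verdict": "false_positive", "minutes": 20},
    {"rule": "powershell_encoded_cmd", "verdict": "true_positive", "minutes": 40},
    {"rule": "powershell_encoded_cmd", "verdict": "true_positive", "minutes": 50},
    {"rule": "outbound_smb_to_internet", "verdict": "false_positive", "minutes": 15},
    {"rule": "outbound_smb_to_internet", "verdict": "false_positive", "minutes": 25},
]

# Assumed tuning trigger: flag a rule once half or more of its alerts are noise.
FP_RATE_THRESHOLD = 0.50


def summarize_rules(records):
    """Return {rule: {"alerts", "false_positives", "fp_minutes", "fp_rate"}}."""
    stats = defaultdict(lambda: {"alerts": 0, "false_positives": 0, "fp_minutes": 0})
    for rec in records:
        entry = stats[rec["rule"]]
        entry["alerts"] += 1
        if rec["verdict"] == "false_positive":
            entry["false_positives"] += 1
            entry["fp_minutes"] += rec["minutes"]
    for entry in stats.values():
        entry["fp_rate"] = entry["false_positives"] / entry["alerts"]
    return dict(stats)


def noisy_rules(records, threshold=FP_RATE_THRESHOLD):
    """Rules at or above the false-positive threshold, noisiest (then costliest) first."""
    stats = summarize_rules(records)
    candidates = [name for name, s in stats.items() if s["fp_rate"] >= threshold]
    return sorted(candidates, key=lambda n: (-stats[n]["fp_rate"], -stats[n]["fp_minutes"]))


def wasted_fraction(records):
    """Share of all triage minutes spent on alerts that turned out to be false positives."""
    total = sum(r["minutes"] for r in records)
    fp_minutes = sum(r["minutes"] for r in records if r["verdict"] == "false_positive")
    return fp_minutes / total if total else 0.0


if __name__ == "__main__":
    print("Rules to tune:", noisy_rules(TRIAGE_RECORDS))
    print(f"Triage time lost to false positives: {wasted_fraction(TRIAGE_RECORDS):.0%}")
```

Feeding the same functions a real export of closed alerts (rule name, verdict, handling time) gives a ranked tuning backlog rather than a single site-wide false-positive percentage.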
All of this wheel-spinning on false positives and alert overload wears on security analysts over the long term, eventually causing serious burnout and turnover throughout SOC teams. Some eight in 10 teams experienced measurable churn over the last year, and two in 10 reported more than 40% analyst churn in that time. This makes it even harder than it already is to keep staffing levels in line with the workload; in 2019, some 38% of SOCs reported that they were understaffed.
This is a considerable problem given that the skills shortage is typically cited as the number one challenge to maintaining SOC efficacy, above false positives and alert volume. Clearly the pain points are all interconnected: the Fidelis study, for example, reported that the two biggest barriers to threat hunting are a lack of time (49%) and a lack of skills (41%).