Security Operations Center (SOC) analysts are overwhelmed by the number of daily alerts that are taking increasing longer to investigate, according to a new report by CriticalStart, a managed detection and response (MDR) services provider.
When compared to figures from CriticalStart’s inaugural annual report last year, this edition -- The Impact of Security Alert Overload -- indicated that five times as many SOC analysts believe their primary job responsibility is simply to “reduce the time it takes to investigate alerts.” It’s not surprising then that the employee turnover is high, with more than 80 percent of SOC professionals reporting that their facility had experienced a 50 percent churn, up 10 percent from last year.
The survey spanned SOC professionals across enterprises, managed security services providers (MSSPs) and managed detection & response (MDR) providers to evaluate the state of incident response within SOCs from a variety of perspectives, including alert volume and management, business models, customer communications as well as SOC analyst training and turnover.
Key findings from the 2019 report include:
Alert overload:
- 70% of respondents investigate 10+ alerts each day (up from 45% last year).
- 78% said it takes 10+ minutes to investigate each alert (up from 64% last year).
- Nearly half of respondents reporting a false-positive rate of 50% or higher, almost identical to last year.
Response to alert overload/main job responsibility:
- Analysts increasingly believe their role is to reduce alert investigation time or the volume of alerts.
- 38% of respondents said their SOC either tries to hire more analysts or turn off high-volume alerting features, both up significantly from last year.
- 41% of respondents believe their main job responsibility is to analyze and remediate security threats as compared to 70% in last year’s study.
Customer Transparency & Communications:
- 57% said MSSPs and MDRs offer limited to no transparency for customers into investigations or underlying data.
- 73% of respondents interact with customers via email, followed by 47% via a desktop portal.
Annual training:
- Nearly half of respondents say they get 20 or fewer hours of training per year.
SOC analyst turnover:
- In the past year, 80% of respondents report SOC turnover of more than 10% of analysts.
- Nearly half report 10 - 25% turnover.
“The research reflects what we are seeing in the industry – as SOCs get overwhelmed with alerts, they begin to ignore low to medium priority alerts, turn off or tune out noisy security applications, and try to hire more bodies in a futile attempt to keep up,” said Rob Davis, CriticalStart chief executive. “Combine that stressful work environment with no training and it becomes clear why SOC analyst churn rates are so high, which only results in enterprises being more exposed to risk and security threats.”