Cybersecurity Alert Accuracy and the Staffing Shortfall
Fatigued SecOps teams can spend a third of their time chasing false positives; alert accuracy is key to enhancing efficiency and morale.
By: Alexa Levine, Product Marketing
It's no secret that there aren't enough skilled cybersecurity professionals in the workforce, and recruiting, retaining, and training them is an expensive feat.
To meet your ever-intensifying cybersecurity challenges, you must improve the productivity of your SecOps team. And if you're having trouble with that, you may even turn to a trusted security partner who can effectively and efficiently augment your staff to keep your organization secure.
One of the best ways to improve the productivity of your in-house and extended security staff is to improve the accuracy of your cybersecurity alerts. In fact, alert accuracy enhances SecOps productivity in three ways:
- Cybersecurity alert accuracy eliminates a huge amount of wasted time. The typical SecOps team spends 25-35% of its time chasing false positives [1]. That time is much better spent on real threats — especially proactively hunting for active, hidden threats that have already breached your environment.
- Cybersecurity alert accuracy mitigates the fatigue that further erodes productivity and induces burnout. In addition to wasting SecOps time, an excessive volume of meaningless (and trivially meaningful) alerts causes teams to miss the important ones. Alert fatigue also gives your team literal headaches and may make them think about quitting security altogether. And with a shortage of security talent in the market, that's risky business.
- Cybersecurity alert accuracy helps teams more quickly and easily discover, identify, and neutralize the most dangerous threats your organization faces. With the right information, SecOps won't just see when something's amiss. They'll also be able to determine exactly what is amiss and respond accordingly — especially if it's an advanced persistent threat that's already breached your environment.
What does it take to achieve alert accuracy and thereby boost SecOps productivity and better prevent a damaging attack on your organization? Here are three key success factors that can make the difference:
Factor #1: Granular threat intelligence
Many cybersecurity leaders assume that all threat intelligence is created equal. That's false. Sure, security vendors read each other's bulletins — so they all tend to know about the same attacks at about the same time.
But don't conclude that two vendors are delivering identical threat intelligence just because they both alert their customers about the same threats at the same time. One of them may have performed vastly superior analysis of that named threat — and can therefore better identify the specific subtle and dispersed behavioral “breadcrumbs” that indicate the presence of that threat in your environment.
Merely knowing that a threat exists, in other words, is no guarantee that your SecOps team can effectively operationalize detection of that threat. Only through rigorous expert analysis of a threat can your security vendor:
- Detect a threat when it is present.
- Avoid creating a boatload of false positives in the process.
- Develop automated countermeasures to automatically protect against new types of threats in the future.
Factor #2: Broad telemetry
As noted above, the “breadcrumbs” that today's sophisticated attackers leave can be very subtle and widely dispersed. That's why it's essential to gather telemetry from a wide range of sources — including endpoints, networks, cloud, administrative systems, and business applications.
Only by drawing from such a large, diversified dataset can SecOps accurately detect the activity of threat actors who increasingly avoid endpoint detectors altogether.
Many organizations rely excessively on endpoint telemetry and avoid making the move past EDR to procure a true XDR solution. If this sounds familiar, be forewarned: you will likely continue to see excessive false positives, because an endpoint-only approach forces you to set endpoint alert thresholds too low. Endpoint dependency clouds your organization's ability to spot meaningful alerts.
But if you draw from the full range of telemetry that XDR enables, you can better avoid those false positives — because SecOps will have lots of other detections as fail-safes against missing an attack.
Perhaps more importantly, a richer telemetry dataset will enable SecOps to more accurately identify exactly which kind of attack is present. This enables them to respond more quickly and decisively on a much more consistent basis.
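To make the threshold argument above concrete, here is an added example (not Secureworks code or any product's logic) that triages the same constructed endpoint signal two ways: on its own, as an EDR-only pipeline would, and corroborated against identity and network telemetry for the same host. The hosts, signal names and the 30-minute corroboration window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for three workstations (not real data).
# The endpoint signal fires on every encoded PowerShell launch: a deliberately
# low threshold, so on its own it is noisy.
EVENTS = [
    {"source": "endpoint", "host": "ws-01", "ts": "2024-03-01T09:00:00", "signal": "encoded_powershell"},
    {"source": "endpoint", "host": "ws-02", "ts": "2024-03-01T09:05:00", "signal": "encoded_powershell"},
    {"source": "endpoint", "host": "ws-03", "ts": "2024-03-01T09:07:00", "signal": "encoded_powershell"},
    {"source": "identity", "host": "ws-02", "ts": "2024-03-01T09:03:00", "signal": "new_geo_signin"},
    {"source": "network",  "host": "ws-02", "ts": "2024-03-01T09:06:00", "signal": "rare_external_dns"},
    {"source": "network",  "host": "ws-03", "ts": "2024-03-01T14:00:00", "signal": "rare_external_dns"},
]

WINDOW = timedelta(minutes=30)  # how close in time corroborating telemetry must be (assumed)


def endpoint_only_alerts(events):
    """EDR-only view: every endpoint signal becomes an alert an analyst must triage."""
    return [e["host"] for e in events if e["source"] == "endpoint"]


def corroborated_alerts(events, window=WINDOW):
    """XDR-style view: an endpoint signal is escalated only when another telemetry
    source reports on the same host within the window; otherwise it is held as
    low priority (kept for hunting, not pushed to the analyst queue).
    Returns {host: (priority, sorted list of corroborating sources)}."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    verdicts = {}
    for e in events:
        if e["source"] != "endpoint":
            continue
        t0 = datetime.fromisoformat(e["ts"])
        corroborating = sorted({
            o["source"] for o in by_host[e["host"]]
            if o["source"] != "endpoint"
            and abs(datetime.fromisoformat(o["ts"]) - t0) <= window
        })
        verdicts[e["host"]] = ("escalate" if corroborating else "hold", corroborating)
    return verdicts


if __name__ == "__main__":
    print("EDR-only queue:", endpoint_only_alerts(EVENTS))
    for host, (priority, sources) in corroborated_alerts(EVENTS).items():
        print(f"{host}: {priority} (corroborated by {sources or 'nothing'})")
```

Three endpoint alerts reach the EDR-only queue, but only ws-02, where a new-location sign-in and a rare DNS lookup land within minutes of the endpoint signal, is escalated; ws-03's network event is hours away and does not count.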
Factor #3: Automation and support
Even if you implement XDR technology from a cybersecurity technology vendor with high-quality threat intelligence, you can still wind up over-burdening SecOps in ways that undermine their productivity and subject them to the same kind of burnout as your EDR-bound peers.
Why? Because you're probably still asking in-house staff for more than is reasonable to ask anyone at their pay grade and experience level. You may still be asking them to respond to more threat indicators than they can handle. And they may have to write their own workflow runbooks, even though their programming skills aren't quite up to snuff. Plus, according to a recent SOC modernization report from ESG, about one-fifth of SOCs don't believe their processes are mature enough to automate.
That's why — in addition to providing you with great threat intelligence operationalized to optimally perform pattern-matching detection across diverse telemetry datasets — you need your XDR vendor to directly address the issue of SecOps staff overload, as one that works tirelessly to ensure its own SecOps staff can keep multitudes of customers secure.
Your XDR vendor can do this in several ways, including:
- Response automation. Given the critical importance of detection, it's easy to minimize the “R” in XDR. But that would be a mistake. Detection is only of value if you can respond appropriately to what you detect. And one way to ensure that your responses are fast, effective, and labor-efficient is automation. So evaluate your strategy for continuously expanding your automated response to true-positive alerts.
- Prompt expert support. Every minute counts while SecOps waits for an answer from their XDR vendor. So you have to factor promptness of access to seasoned cybersecurity analysts into your XDR value calculations. Ideally, expert staff should be available via chat within one minute right from your XDR solution, using the same console for transparency and real-time collaboration when desired.
- Managed detection and response (MDR). Today, 85% of organizations use managed services for a majority or a portion of their security operations, while 88% are increasing their use of those services [2]. Most do so because they need their limited security staff to focus on more strategic tasks than day-to-day SecOps, and/or they simply believe that their service provider has the personnel to do a better job than their in-house staff. MDR is thus a compelling option for combining the complementary benefits of XDR and managed services.
As cyberattacks continue to intensify — and as the environment you're called upon to defend continues to grow and change — you can't afford to waste time chasing false positives or to take too long responding to true positives. That's why I encourage you to pursue mitigation efficiency in every way possible.
And remember: Here at Secureworks, we can help.