Fidelis Report Reveals Most Security Alerts Not Triaged by SOCs

Security Operations Centers are unable to respond to most of the alerts that are received and lack proper metrics as well as security control integration, according to a study commissioned by Fidelis Cybersecurity.

SoC security

Fidelis Cybersecurity released its State of the SOC (Security Operations Center) report on March 21, providing insights into the current state of IT security operations.

The 16-page report was conducted by 360Velocity for Fidelis and exposes a number of shortcomings in modern SOCs. Among the highlights of the report is the finding that a high percentage of alerts are not addressed each day.

"The research found that 83 percent of surveyed companies do not even triage half of their alerts and only 6 percent triaged 75 percent or more alerts per day," Sam Erdheim, vice president at Fidelis Cybersecurity, told eWEEK. "The sheer volume of alerts that goes unaddressed each day speaks volumes about SOC inefficiencies and ultimately what is missed each and every day."

There are multiple reasons why organizations do not investigate most of the security alerts received. One reason, according to the Fidelis report, is volume, with 60 percent of SOC analysts reporting that they are only able to handle seven to eight investigations a day.

One way to help boost efficiency in SOC operations is by integrating different security controls, but unfortunately that's not happening in most SOCs. Fidelis' report found that 70 percent of survey respondents said that at least half of their security controls were not integrated. Erdheim noted that there are certain controls that, when integrated into an SOC, can help improve response.

"A key security integration point is with breach detection and EDR [endpoint detection and response] products," he said. "For example, with the capabilities integrated, an alert from the breach detection system could be prevalidated on the endpoint, allowing for faster alert triaging and response."

Automation is another key element that can improve SOC operations. Erdheim said automating tasks such as combining similar alerts can save tremendous time by reducing duplicate efforts. He added, however, that in his view actual investigations should stay with human analysts.

Metrics

There are many different metrics used by SOCs to measure the efficiency of incident response operations. According to the study, 80 percent of respondents held the view that the metrics they use are "not effective" or "had room for improvement."

Erdheim noted that there are several common metrics used by SoCs today that he has seen Fidelis customers use, including average investigation process time, percent of alerts triaged per day, time to respond and remediate a breach/threat, and average cost per incident investigated.

"Metrics that show the alert coverage [i.e., alerts triaged vs. abandoned] is a key one as we have seen how many are ultimately abandoned, and that's a metric that is easily trackable and which can be improved upon," he said. "More strategic metrics revolve around how many investigations, or what percent of investigations were completed with a conclusion, and number of investigations that led to reprioritization of security approach."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.