Security Information and Event Management Platforms (SIEM) have gradually become the center of SOC operations. They create different and relevant security detections/alerts that security analysts have to evaluate. Usually, a tier 1 analyst performs the initial triage of SIEM alerts and escalates high-priority ones to tier 2 or tier 3 for more thorough threat hunting. Tier 2 and 3 analysts will use additional tools such as centralized log management and analytics platform to hunt for anomalous activity that could date back months. The goal is to identify which actions the SOC team should take now, how to stop a breach and how to prevent one in the future.
To assist the SOC team in quickly investigating and responding to security issues, new tools like Security Orchestration, Automation, and Response (SOAR) assist security analysts on a daily basis to automate repetitive tasks. While it is great to automate lots of low-level tasks and has great potential, it also comes with a few challenges. Primarily, security analysts have to know what to automate. For example, “if there are too many brute force logins, then lock down account” is not effective automation. Analysts are reluctant to automate these responses because they lack confidence in the analysis and subsequent automation activity.
The gap between detection and response characterizes the manual effort required by security analysts to investigate each alert in order to either dismiss it as false positive or consolidate the details of an attack to remediate it accurately.
When a security alert arrives, a security analyst will ask…
Security teams are constantly facing these challenges. Unfortunately, their ability to review each alert and fully investigate potential threats is limited by the time-consuming effort that each alert requires. Consequently, security teams ignore early threat activity, only triaging high priority alerts which increases the risk of missing attacks. What’s more, in a recent report by Forrester Research, on average, internal security operations teams receive over 11,000 alerts per day and more than 50% are false positives. Analysts’ time is wasted chasing “false positives” and manual operations. It causes “alert fatigue,” a common experience in SOC centers.
Many companies and organizations have experienced alert fatigue. What is the right way to measure the damage properly? Here are a few factors that we should take into consideration when measuring the damage caused by alert fatigue.
If breached, the average cost of an incident is around $3.86 million dollars according to a report from IBM. Not to mention the Kaseya hackers demanded $70 million ransom and Colonial Pipeline paid a $5 million ransom to the attackers.
You can easily calculate the wasted time on investigating false positives which could be spent on important tasks instead. The more time they spend fixing false alerts, the less your organization benefits from their talent and experience.
Eventually, employees may wear out due to the number of alerts they need to address. When employees burn out, it could lead to more errors and more missed alerts. If more employees burn out, it could significantly impact employee retention and company culture.
DTonomy invented the solution to enable security analysts to reach a conclusion on false-positive quicker and reduce the risk of missing true positives on your existing security detections. How does it work? Let’s do a side-by-side comparison.
Instead of replacing existing threat detection capabilities and workflows, DTonomy has integrations with SIEM and SOAR platforms. DTonomy complements these tools and your log analytics solution used for threat hunting so that it fits into your environment seamlessly.
By seamlessly fitting into existing alert triage and threat hunting/investigation workflows, DTonomy bridges the gap between detection and response, saving security analysts time and augmenting their existing workflows.
Check out the Blog: Addressing Noisy Security Detections — A Complete Solution
Check out the DTonomy’s AI Engine: DTonomy AIR Engine
Check out the Blog: Security Alert Fatigue
Join Slack Channel to learn more.
We are pleased to announce that DTonomy is now part of Stellar Cyber. The integrated solution will enhance cyber threat detection and response automation!