Security analysts, flooded by false positives, need advanced automation tools: report

The tech upgrade is seen as vital for reinforcing cybersecurity posture and addressing the widespread 'alert fatigue' phenomenon 

Photo: Bigstock

Citing a report released this week, cybersecurity company FireEye said security analysts are becoming less productive due to widespread "alert fatigue" resulting in ignored alerts, increased stress, and fear of missing incidents.

"The Voice of the Analysts: Improving Security Operations Center Processes Through Adapted Technologies" was based on a survey of 350 internal and managed security service provider (MSSP) security analysts and managers. The report was issued by global market intelligence company IDC.

"Security analysts are being overwhelmed by a flood of false positive alerts from disparate solutions while growing increasingly concerned they may miss a true threat," said Chris Triolo, Vice President of Customer Success at FireEye. "To solve these challenges, analysts are asking for advanced automation tools, like Extended Detection and Response, which can help reduce the fear of missing incidents while strengthening their SOC's cybersecurity posture."

Security analysts were found to continue to feel the pressure of increased alerts, spending almost half their time on false positives. FireEye said that while analysts and IT security managers receive thousands of alerts every day, respondents indicated 45 percent of the alerts are false positives, making in-house analysts’ jobs less efficient and slowing workflow processes. To manage alert overload in the SOC, 35 percent of this group said that they ignore alerts.

In addition, the survey found that managed security service providers spend even more time sifting through false positives, and they ignore more alerts. MSSP analysts indicated that fifty-three percent of the alerts they receive are false positives. Meanwhile, 44 percent of analysts at managed service providers said they ignore alerts when their queue gets too full, which could lead to a breach involving multiple clients, the company said.

According to the findings, fear of missing incidents (FOMI) is impacting a majority of security analysts and managers. As analysts experience more challenges managing alerts manually, their worry of missing an incident also increases. Three in four analysts are worried about missing incidents, and one in four worry "a lot" about missing incidents. Yet, this FOMI is plaguing security managers even more than their analysts, with more than six percent of security managers reported losing sleep due to fear of missing incidents, according to FireEye.

Analysts were found to need automated SOC solutions to combat FOMI. Less than half of enterprise security teams are currently using tools to automate SOC activities. Less than half of respondents use artificial intelligence and machine learning technologies (43 percent), Security Orchestration Automation and Response (SOAR) tools (46 percent), Security Information and Event Management (SIEM) software (45 percent), Threat Hunting (45 percent), and other security functions. In addition, only two in five analysts use artificial intelligence and machine learning technologies alongside other tools, the company said.

To manage their SOCs, security teams were said to need advanced automated solutions to reduce alert fatigue and improve success by focusing on more high-skilled tasks like threat hunting and cyber investigations. When ranking the activities that are best to automate, threat detection was the highest (18 percent) on the analysts’ wish list, followed threat intelligence (13 percent) and incident triage (9 percent), according to FireEye.