The automation hype is real for SOC teams: unpacking the Dimensional Research “2020 State of SecOps and Automation” report

As more and more enterprises shift to the cloud, the pressure on SOC teams to protect them against threats rises exponentially. They are the very first line of defense against data breaches and cyber threats that become more frequent and more sophisticated. Increased investment of security tools results in unprecedented volumes of security data and alerts, and while SOCs do what they can to decipher the meaningful from the meaningless, they often become the bottlenecks of the enterprise’s security architecture.

In this article, I will cover:

• The realities of threat detection, as indicated in our recent Dimensional Research report
• The situation for automation
• Alternatives to better address today’s SOC challenges

The realities of threat detection

Today, organizations adopt a vast array of detection tools and a myriad of intelligence feeds in pursuit of improved threat detection. Is this strategy effective? In most cases, unfortunately, it isn’t. A majority of organizations end up with task lists they are unable to process, which only amplifies the risk.

In order to better understand the current experiences and attitudes of IT security professionals at large companies, we asked Dimensional Research to survey 427 security stakeholders across the globe from companies with at least 1,000 employees and a significant public cloud investment. Some of the findings were surprising and others - not so much. Here’s what we found:

a. Organizations are facing large volumes of alerts

As much as 70 percent of companies studied have reported that the number of security alerts they receive on a daily basis has at least doubled over the past five years. And 1 out of 4 SecOps teams (24%) witnessed a dramatic increase of more than 10 times their previous alert volume! This means organizations are literally drowning in alerts, which makes detection of real threats more challenging than ever before. It also means there is a higher risk of overlooking valid warning signs in all of that noise.

We also asked the survey participants what they thought was the reason for this increase. 57% of the security experts blamed their increase in security alerts as a direct result of the number of business apps and services they're building and delivering. This further exacerbates the problem by expanding their attack surface. And the increase in the use of cloud infrastructure is also blamed for the increase in alerts. I believe SOC teams around the globe are discovering this causality and now find themselves trying to stop this vicious cycle.

Some additional data points:

• 67% indicated all the new and evolving threats are the biggest part of the problem
• 60% said it's the effect of deploying new security monitoring and control tools, which I suspect organizations are adding to try to defend against the new and evolving threats.

What’s wrong with a large number of alerts? Don’t stop reading, because we didn’t know definitively until we saw this report for ourselves...

b. Too many alerts creates complex problems downstream

Contrary to a common belief that more alerts mean greater visibility, most enterprises report problems rather than benefits stemming from large volumes of alerts. 99% of the security teams surveyed observed multiple issues related to receiving high volumes of security alerts, including:

• Missing major issues that are hidden in the noise,
• Wasting time chasing down false positives, and
• Taking too long to triage alerts.

We also learned having too many alerts is likely why 93% of security teams cannot address all of their security alerts in the same day. 31% of the security pros said they can barely get to about half of their alerts each day. Unfortunately, there is so much at stake in cyberspace that even one unaddressed alert can bring grave and irreversible damage. And what happens to all of the alerts these SOC teams couldn’t get to last week, or yesterday, or tomorrow?

The real shocker to me from this research were the responses when asked how many additional security analysts would be needed to help address their security alert problem. Amazingly, 75% of the enterprises said they would need to hire at least three additional security experts to investigate all of their security alerts each day.

This is eye-opening since most organizations cannot afford to do so or simply struggle to find the right talent, lest we forget the ongoing cybersecurity skills gap and resource shortage is yet another part of the story. Hiring simply isn’t the right solution to this increasing alert problem.

c. “Alert fatigue” is yet another issue to manage.

Out of the companies studied, 83% reported their security teams were dealing with "alert fatigue" from getting so many alerts flooding the SOC each day that security analysts are unable to address all of them. I’d also like to point out the obvious - this isn’t just a security issue, but also an HR issue. 86% of companies revealed they are concerned about the well-being of their security staff, including burnout, high stress levels, or suspect members to be a flight risk. Who will handle the onslaught of alerts when your staff disappears, especially when finding experienced security talent remains yet another challenge? I said it before, and I’ll say it again: enterprise SecOps teams can’t hire their way out of this problem.

The situation for automation

With the array of challenges across the SOC, effective incident response becomes almost impossible. A new approach to SecOps workflows is required in order to surface the real, high priority threats and respond to them immediately.

What are the options? Automation is one of them. Threat detection and analysis efforts that are usually performed by a level three or level four security analyst are some of the most difficult and time consuming for SOC teams to execute. Automation of alert triage and threat analysis can help achieve higher quality downstream response efforts and faster response times.

Many security professionals do see hope in SOC automation. Not long ago, we conducted a Twitter poll that indicated SOC teams believe automated SOC analysis could bring improved productivity. They were also excited about unlimited scalability and enhanced visibility that comes with them. It proves that many of you believe there is great potential in using innovative technology to combat these everyday challenges.

At the same time, automating the workflows traditionally used for processing security alerts is a work in progress for most security teams. Let’s take a look at some statistics from the 2020 State of SecOps and Automation report:

• Only 3% of the enterprises surveyed have completely automated their alert processing workflows;
• 27% consider their workflows highly automated, but,
• 65% are only partially automated, and,
• 5% admit they haven't automated anything yet.

The diagram below further illustrates the differences in this data per organizational size. It clearly shows that the automation hype is real, but smaller and larger enterprise organizations implement it differently. The associated costs could be one of the reasons. You might also infer that the larger the enterprise, the larger their SOC team and thus more resources available for them to take on security automation initiatives.

SaaS SIEM is the best alternative, but additional capabilities desired

Why a SaaS-based SIEM and not the traditional on-prem or cloud-hosted SIEM? This report provided security professionals the opportunity to share the challenges they face most with their existing SIEM tools. In fact, 88% said they’re having challenges. Beyond blaming their SIEMs for delivering too many alerts, 40% say their SIEM tools are too complex to operate and use and 37% feel they lack in providing their analysts with enough context for threat investigations. Further, they do not provide visibility into threats across both their on-prem and cloud environments. Users of traditional SIEM solutions also complain about the costs and lack of scalability.

The best option is to seek out a SaaS SIEM, as evidenced by survey respondents who said they have a SaaS-based SIEM in the chart below. They praise these solutions because they offer scalability, reduce (or eliminate) maintenance and administration costs, and are easier to integrate with existing environments.

Apart from the satisfaction SaaS SIEM owners already enjoy, almost every single security professional in this study (99%) said they would benefit from additional, innovative SIEM capabilities to help them better manage their security alerts and address compliance-based risks. Far and away the highest sought after capability is automated alert triage with actionable insights. More than half (51%) would benefit from having a single solution that can monitor and correlate threats for their entire on-prem and multi-cloud infrastructure. They also want more out-of-the-box content (49%), including pre-built dashboards and rules, to get up and running quicker and to gauge the value of their SIEM investment.

What’s the conclusion? Look for a modern SaaS SIEM that not only offers as many of the above features as possible but one that will provide the real-time security insights and continuous intelligence to address the need for analytics and automation in your SOC.

Thanks for sticking with me as I unpacked these key takeaways from this new research focused around security operations teams and security stakeholders. I encourage you to get your free copy of this report and see all of the other details pertinent to your daily SecOps mission.

You can download the 2020 State of SecOps & Automation report here.

Are you ready for a modern SaaS SIEM? Learn more about Sumo Logic’s Cloud SIEM Enterprise solution here. P.S. - Our solution includes all of those desired capabilities!