Laura
02/11/2023
Why do 67% of SOC analysts feel like a new job or even a new career sounds like a good idea right now?
The reason: alerts. Or, to be more specific, the fact that the time it takes for SOC analysts to deal with security alerts and tickets exceeds the amount of time they have available.
The name for this phenomenon is alert fatigue. It’s a malaise shared by almost every managed or in-house SOC where disparate tools like SIEMs, NDRs, EPPs, etc., collect logs from various protected environments and use signatures and rules to match them to likely threats.
Fortunately, fixing SOC alert fatigue is possible.
Some SOCs could certainly create better remediation workflows, but as a general rule, every SOC could benefit from these three technological improvements in how security alerts are created, correlated and shown to analysts.
1. Normalise Log Data Into a Single Format
In a typical SOC, data is presented to analysts from a wide range of sources, including tools like EDRs, NDRs, and IPS and IDS systems. Each tool produces different, disparate data points, and it is up to the analyst to pull this information together and make sense of alerts.
Unfortunately, this is not an easy thing to do. In a 2022 Devo SOC Performance Report, nearly 1 in 3 security professionals said “information overload” makes working in a SOC “painful.” A similar number quoted “too many tools” as the reason their SOC is ineffective.
SenseOn’s proprietary cross-platform software program called “Universal Sensor” solves this problem by collecting data from across an organisation’s entire environment (endpoints, servers, databases, and the cloud) in a single format.
This results in significantly higher quality data and fewer blind spots as analysts have full context into any suspicious user/device/network behaviour. They can know what data is flowing inside and around the network and why, as well as by whom the network request is being generated. All this information can be seen on a single pane of glass, too.
This capability also means that organisations can reduce the number of tools they have to rely on. SenseOn combines EDR, NDR, UEBA, and SOAR into a single platform and can augment existing SIEM tools.
2. Model Typical User and Device Behaviour
To improve alert quality and reduce investigation time, SOC teams need to constantly fine-tune alert rules. However, as any security professional knows, finding enough time for configuration when there are many other competing priorities will always be a struggle.
Enterprise SIEMs typically have 12% of their rules broken, according to research by CardinalOps. These rules will never fire due to issues like misconfigured data sources or missing fields.
Even when rules run as they’re supposed to, they’ll still miss threats that have never been seen before while alerting you to activity that is normal behaviour.
Rather than rely on rules alone, SOC teams should also look at integrating user and entity behaviour analytics, or UEBA, into their security stack. A technology that uses machine learning, UEBA can determine what normal behaviour looks like in your organisation specifically and then flag anything that doesn’t conform to this baseline.
This baseline isn’t static. The SenseOn platform, which is equipped with UEBA, adapts continuously to changes in your company’s environment.
3. Automate Data Correlation and MITRE ATT&CK Mapping
In a recent CyberRisk Alliance survey, fewer than 1 in 5 IT and cyber security decision-makers and influencers said they are very satisfied with their ability to correlate data across security products and services.
SOCs can benefit from tools like SenseOn that do correlation automatically. Rather than firing off an alert anytime it comes across anomalous behaviour, SenseOn notes this behaviour as an “Observation” and then looks at it in conjunction with data from other sources to see if there’s a correlation and if it matches real-world hypotheses.
If the Observation proves to be benign, SenseOn records it as a false positive but does not surface it for analysts’ attention (it’s there for analysts to look at it in their own time if they want to).
In cases where an Observation appears genuine (i.e., part of an attack chain), it is turned into a “Case” with all other related Observations that indicate an incident is in progress. Each Case is mapped visually, displaying the relationship between impacted devices and events.
Cases are also plotted against the MITRE ATT&CK framework with a link to the MITRE site for further information and are prioritised based on the data available.
Reduce SOC Alert Fatigue with SenseOn
It might not be possible to eliminate false positives or the need for manual triage altogether, but it is certainly possible to reduce alert fatigue in your SOC.
Built explicitly to solve the security data problem (i.e., the inability to connect network and endpoint activity at source), SenseOn helps organisations identify the threats hiding among the noise.
Contact us to learn more.