A recent CriticalStart study sheds light on the impact of alert overload on security operations centers (SOCs) and their staff. The survey found that only 41% of SOC employees still consider their main task to be analyzing and remediating security threats, compared to 70% last year. The majority of security analysts now define their job in the context of security alerts, with respondents citing one of the following core responsibilities:
- Reducing the time it takes to investigate a security alert (25%)
- Investigating as many alerts as possible (18%)
- Limiting the number of alerts sent to clients for review (13%)
Almost two in three (65%) SOC analysts investigate over 10 security alerts per day on average, compared to 45% last year. On average, a single alert takes over 10 minutes to investigate, and close to half of all analysts identify at least half of the alerts they investigate as false positives. To deal with alert overload, companies are pursuing the following strategies:
- Tune specific features or thresholds to reduce alert volume (57%)
- Ignore certain categories of alerts (39%)
- Turn off high-volume alert features (38%)
- Hire more analysts (38%)