Security Alert Overload Plaguing Cybersecurity Pros, Creating Risks

Security alerts consistently bombard cybersecurity professionals, which means they could miss legitimate, serious alerts.

That’s according to CriticalStart’s third-annual Security Operations Center (SOC) survey. CriticalStart polled 100 SOC professionals across enterprises, MSSPs and MDR providers.

Nearly half (47%) of respondents reported personally investigating 10-20 security alerts each day. That’s a 12% increase from 2019. Moreover, one in four (25%) said they investigate 21-40 security alerts each day. That’s up from 14% the year prior.

Randy Watkins is CriticalStart‘s CTO.

Critical Start’s Randy Watkins

“What caught our attention was the shift in types and priority level of alerts,” he said. “Much of the shift can be attributed to the fact that the complexity of today’s work environment has changed significantly compared to a year ago. The rapid migration to remote work shifted the level of exposure, while much of the corporate world struggled to respond with the appropriate level of protection. This gap was exploited by targeted ransomware attacks and large nation-state level campaigns.”

False Positives

Other key findings include:

• Nearly 70% of respondents said 25%-75% of the alerts they investigate on a daily basis are false positives.
• Almost half said they turn off high-volume alerting features when there are too many alerts for analysts to process. As a result, they could miss legitimate, serious alerts.
• Ninety-five percent now report receiving more than 10 hours of training each year.

The high volume of false positives inevitably leads to countless hours wasted, Watkins said. It also opens the door to real threats that security pros either miss or flat-out ignore.

“SOC professionals are inundated with alerts,” he said. “There is a shortage of professionals and there are too many alerts for an analyst to work through all of them, much less get ahead in an effort to focus on more strategic efforts.”

The remote work trend is significant, Watkins said. However, it likely only accelerated and exacerbated security trends that were in motion prior to the pandemic.

“Although these shifts were already well underway, there is no doubt that the staying power of COVID-19 has altered the security landscape, resulting in changes and impacts that will continue to be felt long into the future,” he said.

The COVID-19 Effect

Additionally, CriticalStart examined the impact of COVID-19 on the cybersecurity industry during 2020. Key takeaways include:

• Two-thirds (66%) reported seeing an increase in alerts since the known spread of COVID-19 began last March.
• Eighty-nine percent said they had been forced to work remotely as a result of COVID-19.
• Four in five (80%) reported taking steps to change the security of their organization due to COVID-19-induced remote work.

“Respondents indicated a renewed focus on training in 2020,” Watkins said. “This could be due to COVID-19, as security team members likely had more time to focus on online training. Within cybersecurity, we are also seeing more MSS providers and professional services companies offering training to customers. They are also requiring more training within MSSP organizations. This could be due to more organizations realizing the need to amp up their offensive and defensive security strategies.”

In addition, CriticalStart gauged the impact of 2020 on the cybersecurity labor market.

“This proved to be a bright spot for the year, as respondents indicated turnover was remarkably similar to 2019 in spite of the economic and business challenges posed by the ongoing pandemic,” Watkins said. “While it would be reasonable to expect an increase in turnover due to COVID-19, security professionals may be seeking stability and not considering a job change in the current economic climate. These figures could also be due to the critical importance of cybersecurity during the dramatic increase in the global remote workforce. “