Incident Response

Suffocating Volume of Security Alerts Challenge Incident Response

Study Shows Many Companies Ignore Majority of Security Alerts

A new study shows that incident response (IR) has become more difficult over the past two years due to an increasing number of IT activities and security alerts, and the difficulty of extending existing IR processes to new technologies.

The research, conducted in early 2016 by security automation and orchestration company Phantom and IT analyst and business strategy firm Enterprise Strategy Group (ESG), is based on responses from 125 IT and security professionals involved in incident response processes and technologies.

More than two-thirds of respondents said it has become increasingly difficult for enterprises to handle incident response over the past two years. The main factors are the increasing number of IT activities, additional security management and incident detection technologies requiring more time and effort to conduct IR, more security alerts and an increased difficulty in prioritizing them. A quarter of respondents also attributed this trend to the increasingly specialized skills needed for incident response.

The study shows that 74 percent of large enterprises regularly ignore some security alerts as they seek to prioritize investigations and manage their security team’s workload. Worryingly, 31 percent of respondents admitted ignoring at least half of all security alerts due to their inability to keep up with the large volume.

The biggest challenges for many professionals involved in incident response are monitoring IR processes end to end, keeping up with the high volume of security alerts and external threat intelligence, the lack of integration between IR tools, maintaining the required skills, the skill gap between junior and senior incident responders, and coordination between IT and security teams.

Executives seem to be aware of the risks posed by incident response issues, with 80 percent stating that they plan on increasing IR spending over the next two years. A majority of organizations have already started automating and orchestrating incident response processes, or at least they have shown interest in doing so.

CISOs believe automation and orchestration could be the key to solving many challenges. The IR strategies outlined by executives include providing specialized training to IT and security staff, automating IR tasks as much as possible, and hiring more personnel.

Security teams indicated that IR automation and orchestration could help them automate simple remediation tasks, formalize workflows, and lead to improved integration of security tools.

The respondents of this study are from North American companies with 1,000 to more than 20,000 employees, in sectors such as financial services, manufacturing, communications and media, business services, and retail/wholesale.

Joshua Goldfarb, VP and CTO of Emerging Technologies at FireEye, has analyzed incident response trends and techniques in several SecurityWeek columns. According to the expert, alert fatigue and lack of context are the two primary factors that hamper the ability of security professionals to make informed decisions.

“Although the security operations and incident response community is currently weighed down by alert fatigue and a lack of context, I am hopeful for the future. Granted, the extent to which vendors are able to deliver against this set of expectations, as well as the extent to which organizations are able to successfully leverage this capability operationally remains to be seen,” Goldfarb wrote in a recent column. “Even with this cautionary note, I still see tremendous potential for security orchestration and automation solutions. One thing is for certain — the status quo cannot continue. The alert-driven model for security operations just isn’t working anymore for anyone.”

Related: Incident Response – Work Smarter Not Harder

Related: The Most Important Thing About A Decision

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
