Suffocating Volume of Security Alerts Challenge Incident Response

Study Shows Many Companies Ignore Majority of Security Alerts

A new study shows that incident response (IR) has become more difficult over the past two years due to an increasing number of IT activities and security alerts, and the difficulty of extending existing IR processes to new technologies.

The research, conducted in early 2016 by security automation and orchestration company Phantom and IT analyst and business strategy firm Enterprise Strategy Group (ESG), is based on responses from 125 IT and security professionals involved in incident response processes and technologies.

More than two-thirds of respondents said it has become increasingly difficult for enterprises to handle incident response over the past two years. The main factors are the increasing number of IT activities, additional security management and incident detection technologies requiring more time and effort to conduct IR, more security alerts and an increased difficulty in prioritizing them. A quarter of respondents also attributed this trend to the increasingly specialized skills needed for incident response.

The study shows that 74 percent of large enterprises regularly ignore some security alerts as they seek to prioritize investigations and manage their security team’s workload. Worryingly, 31 percent of respondents admitted ignoring at least half of all security alerts due to their inability to keep up with the large volume.

The biggest challenges for many professionals involved in incident response are monitoring IR processes from end-to-end, keeping up with the high volume of security alerts and external threat intelligence, the lack of integration of IR tools, maintaining the required skills, the skill gap between junior and senior incident responders, and coordination between IT and security teams.

Executives seem to be aware of the risks posed by incident response issues, with 80 percent stating that they plan on increasing IR spending over the next two years. A majority of organizations have already started automating and orchestrating incident response processes, or at least they have shown interest in doing so.

CISOs believe automation and orchestration could be the key to solving many challenges. The IR strategies outlined by executives include providing specialized training to IT and security staff, automating IR tasks as much as possible, and hiring more personnel.

Security teams indicated that IR automation and orchestration could help them automate simple remediation tasks, formalize workflows, and lead to improved integration of security tools.

The respondents of this study are from North American companies with 1,000 to more than 20,000 employees, in sectors such as financial services, manufacturing, communications and media, business services, and retail/wholesale.

Joshua Goldfarb, VP and CTO of Emerging Technologies at FireEye, has analyzed incident response trends and techniques in several SecurityWeek columns. According to the expert, alert fatigue and lack of context are the two primary factors that hamper the ability of security professionals to make informed decision.

“Although the security operations and incident response community is currently weighed down by alert fatigue and a lack of context, I am hopeful for the future. Granted, the extent to which vendors are able to deliver against this set of expectations, as well as the extent to which organizations are able to successfully leverage this capability operationally remains to be seen,” Goldfarb wrote in a recent column. “Even with this cautionary note, I still see tremendous potential for security orchestration and automation solutions. One thing is for certain — the status quo cannot continue. The alert-driven model for security operations just isn’t working anymore for anyone.”

Related: Incident Response – Work Smarter Not Harder

Related: The Most Important Thing About A Decision