Study Shows Many Companies Ignore Majority of Security Alerts
A new study shows that incident response (IR) has become more difficult over the past two years due to an increasing number of IT activities and security alerts, and the difficulty of extending existing IR processes to new technologies.
The research, conducted in early 2016 by security automation and orchestration company Phantom and IT analyst and business strategy firm Enterprise Strategy Group (ESG), is based on responses from 125 IT and security professionals involved in incident response processes and technologies.
More than two-thirds of respondents said it has become increasingly difficult for enterprises to handle incident response over the past two years. The main factors are the increasing number of IT activities, additional security management and incident detection technologies requiring more time and effort to conduct IR, more security alerts and an increased difficulty in prioritizing them. A quarter of respondents also attributed this trend to the increasingly specialized skills needed for incident response.
The study shows that 74 percent of large enterprises regularly ignore some security alerts as they seek to prioritize investigations and manage their security team’s workload. Worryingly, 31 percent of respondents admitted ignoring at least half of all security alerts due to their inability to keep up with the large volume.
The biggest challenges for many professionals involved in incident response are monitoring IR processes end to end, keeping up with the high volume of security alerts and external threat intelligence, the lack of integration between IR tools, maintaining the required skills, the skill gap between junior and senior incident responders, and coordination between IT and security teams.
Executives seem to be aware of the risks posed by incident response issues, with 80 percent stating that they plan on increasing IR spending over the next two years. A majority of organizations have already started automating and orchestrating incident response processes, or at least they have shown interest in doing so.
CISOs believe automation and orchestration could be the key to solving many challenges. The IR strategies outlined by executives include providing specialized training to IT and security staff, automating IR tasks as much as possible, and hiring more personnel.
Security teams indicated that IR automation and orchestration could help them automate simple remediation tasks, formalize workflows, and lead to improved integration of security tools.
The respondents of this study are from North American companies with 1,000 to more than 20,000 employees, in sectors such as financial services, manufacturing, communications and media, business services, and retail/wholesale.
Joshua Goldfarb, VP and CTO of Emerging Technologies at FireEye, has analyzed incident response trends and techniques in several SecurityWeek columns. According to the expert, alert fatigue and lack of context are the two primary factors that hamper the ability of security professionals to make informed decisions.
“Although the security operations and incident response community is currently weighed down by alert fatigue and a lack of context, I am hopeful for the future. Granted, the extent to which vendors are able to deliver against this set of expectations, as well as the extent to which organizations are able to successfully leverage this capability operationally remains to be seen,” Goldfarb wrote in a recent column. “Even with this cautionary note, I still see tremendous potential for security orchestration and automation solutions. One thing is for certain — the status quo cannot continue. The alert-driven model for security operations just isn’t working anymore for anyone.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.