Manage alert fatigue and minimise 'quiet quitting'

Vectra AI

By Chris Fisher, Director of Security Engineering, Vectra AI, APJ
Monday, 28 August, 2023


While evolving cloud technologies offer businesses enhanced opportunities across many areas of operations, the added security risks of hybrid infrastructure are leaving security teams struggling with increased alert fatigue, which could heighten the chance of a breach.

Cybersecurity continues to be an ongoing and important conversation; however, we must move beyond commentary to consider the new reality of today’s networks and endpoint sprawl. This means drilling down into what security teams genuinely need. It’s only when we adapt to the changing nature of attackers and the network that we can best serve security operations centres (SOCs) and protect organisations.

Uncovering the defender’s dilemma — asking security analysts directly

Vectra AI recently commissioned a report based on a survey of 2000 IT security analysts. The State of Threat Detection report confirms the hypothesis that threat detection and response is a fundamentally broken model when applied in today’s hybrid enterprises.

Asking a series of questions regarding SOC analysts’ daily experience, Vectra’s researchers highlighted the truth about alert fatigue, inaccurate perceptions of detection technology, and the increased chance of compromise.

A key finding of the report is the discrepancy between what SOC analysts think of their detection tools, and what their tooling can do for them.

The global report finds 91% of SOC analysts believe their detection technology is effective. However, the report also finds SOC teams receive an average of 4484 alerts per day, and 67% of these alerts are ignored. On top of this, 97% of those surveyed worry they will miss a relevant event because they simply cannot respond to every alert.

The report calls attention to SOC analysts’ frustration with security tooling, with 34% of ANZ-specific respondents claiming that security tools are purchased as a box-ticking exercise to meet compliance requirements, and 44% wishing IT team members consulted them before investing in new products. Furthermore, 37% said they were sick of vendors selling new security products that add to the number of alerts rather than improving threat efficacy.

SOC teams experience growing stress — calling out inadequate tooling in a talent shortage

It’s hardly surprising that in such a situation, many security employees are considering quitting not only their job but the whole profession.

The report states 58% of ANZ security analysts are considering leaving or are already actively leaving their job. According to the research, these security professionals believe they’re spending all their time sifting through alerts, experience unabated stress and are frustrated by their tooling. They also think that they’re doing the work of multiple people, and that working in the security sector isn’t a sustainable career.

This damaging combination of alert fatigue, inadequate tooling and unhappy security teams is exactly what will help attackers succeed in their nefarious missions. We must act now and equip security teams with effective solutions that don’t add additional pressure, instead providing much-needed support.

Saving SOC analysts from alert fatigue and burnout — integrating attack signals

Security operations centres must modernise, going beyond endpoint detection and response, and SIEM limitations, to gain signal clarity and target real threats. Luckily, tooling exists that is designed to filter out excess noise and track hacker behaviour more holistically and accurately, taking into consideration the entire hybrid infrastructure. This enables SOC teams to prioritise genuine attacks and respond quickly.

Modern cybersecurity technologies enable SOC teams to leverage automation and AI-driven threat detection to remove manual tasks and pinpoint attacks with greater clarity, focusing their time on what will ultimately protect the organisation.

A real-world example of this is a recently reported Microsoft vulnerability that was caught by our own AI-driven detections. As identified by Vectra AI, the vulnerability enabled an attacker operating in a compromised tenant to abuse a misconfigured Cross-Tenant Synchronisation (CTS) configuration, effectively gaining access to other connected tenants, or to deploy a rogue CTS configuration to maintain persistent access to the tenant.

This abuse of trust relationships and weak configurations is exactly where active monitoring for detection and response shines. The time is now to move away from dated signature-based technology and preventative-only measures, turning the spotlight instead on how best to secure the whole hybrid network. The powerful combination of AI-powered security tooling and managed security services greatly reduces the burden on SOC teams and enhances an organisation’s security measures.


