
Burdened by False Positives, Security Analysts Report Increased Stress Created by Security Automation Tools

Security automation is increasingly becoming a necessity in order to keep up with the breadth and volume of cyber threats, but it is not without its unique costs and added challenges.

According to a new report from IDC and FireEye, security analysts report significant increased stress on the job driven by the fear of missing alerts. The central issue is the increased amount of false positives generated by security automation software, leading to “alert fatigue” among the security team as each alert could represent a devastating threat yet there is not enough time to manually address them all.

Security analysts struggle with cyber threat volume

The report finds that 45% of the thousands of alerts that security analysts receive daily are false positives, and unsurprisingly 35% of the organizations surveyed report that they ignore some of them when queues get too full. This is not due to a lack of diligence, however: almost 75% of the security analysts surveyed say that they worry about missing an incident because of a failure to respond to an alarm, and 25% say that they worry “a lot” about this possibility. And for good reason: missing just one key alert could lead to a data breach that affects thousands to millions of customers, in turn leading to major fines and class action lawsuits. A Ponemon Institute study suggests that the average cost of a mishandled incident is about $3.86 million. Only 8% of respondents reported not worrying at all about missed alerts.

Only 30% of organizations say that they have recruited more security analysts in response to the increased volume of alerts generated by security automation tools. And only about 50% have added machine learning tools that automatically investigate alerts to their set of security measures.

Non-service providers are over twice as likely to hire new security analysts to deal with the volume of security automation alerts. But for both types of organizations, the most common move is usually to tune policies to ignore certain types of alerts and/or reduce the overall alert volume. Extremely few are turning off notifications entirely, indicating that organizations would prefer to manually address as many alerts as possible but simply do not have the resources to do so.

Security automation creates issues, also provides answers

While security automation puts more pressure on analysts to work faster and more efficiently than ever, it also provides the tools to address the increased volume of alerts that are generated.

The need for security automation is slightly greater among service providers, where an increased scope of visibility tends to lead to a larger amount of false positives. Service providers find that 53% of their alerts turn out to be false positives, as compared to 45% for IT security managers and analysts. There are also some differences in prioritizing items to be automated between the two groups. Service providers are most concerned about automating internal and external reporting (28%) and alert response (11%). IT security analysts would prefer to automate detection measures (18%) and triage (9%). But all groups have a general interest in automating the full detection-reporting-response process to free up the security team to spend more time on higher-level tasks such as threat hunting.

Though the desire is there, implementation is lagging. Only two out of five security analysts surveyed say they are presently using artificial intelligence or machine learning tools as part of their security systems to manage and investigate alerts. Those that have already onboarded these tools report a fairly even spread of other tool types alongside AI and machine learning: security orchestration, automation and response (SOAR) tools, security information and event management (SIEM) software, threat intelligence platforms, scripting, and threat hunting tools.

Outsourcing to managed security service providers is also a common option. All groups list Tier 2 monitoring as their most frequently outsourced aspect of security operations. IT security managers are more likely to outsource security technology deployment and threat hunting/intelligence, while security analysts more commonly also outsource Tier 1 monitoring to these services.

FireEye sees an expanded scope of security automation, including alert screening and response, as increasingly becoming a necessary norm rather than an optional luxury. Even if false positives could be entirely weeded out by a good machine learning tool, the number of legitimate cyber attack attempts has soared with the changes brought on by the Covid-19 pandemic. Remote work is expected to be the new normal even after the pandemic subsides, and this has opened up many new avenues for enterprising hackers. Obviously, this is not the scenario in which any organization wants its data security team to be overburdened and bogged down with a deluge of menial tasks.