It’s easy to forget that cybersecurity is fundamentally about people. Attacks are launched by threat actors, phishing emails are opened by employees, and it is your SecOps team that has to try and detect and respond to increasing volumes of these threats. As good as technology systems are, we haven’t got to the point where all of this defensive work can be automated. So what happens when your most precious resource, your security team, feels overwhelmed by their workload?
According to new research from Trend Micro, it’s a question an increasing number of organisations are facing—but few have a satisfactory answer to. The reality is that under pressure SecOps teams need better tools to correlate and prioritise alerts, so they can work more efficiently.
On the back foot
Trend Micro’s global study is based on interviews with 2,303 IT security decision makers in 21 regions working in organisations of all sizes. We found that three-quarters (74%) of them are already dealing with a breach or expecting one within the year.
It’s not hard to see why. Today it’s a case of “when not if” your organisation is breached. It’s simply too easy for attackers to phish, crack or buy employee credentials off the dark web. Once inside they can use legitimate tools to move laterally across corporate networks without being spotted. They have a readymade underground market on which to sell stolen data. And the affiliate ransomware sector is thriving: we detected a 34% year-on-year increase in new ransomware families in 2020.
At the same time, SecOps teams are under-resourced and many may still be working from home, with all the distractions that entails. The daily threat of major breach-related financial and reputational damage hanging over their work is immense.
Taking its toll
Over the years, organisations have amassed a large number of point products to deal with the escalating cyber-threat—all of which generate alerts. But there’s little in the way of co-ordination and correlation of these signals. We found that over half (51%) of SecOps teams feel overwhelmed by alerts, rising to 54% for those working in Security Operations Centres (SOCs). Even more (55%) admitted they aren’t confident in their ability to prioritise or respond to these alerts. The result: on average SecOps spends 27% of its time dealing with false positives.
This doesn’t just have an impact on the organisation’s ability to defend itself. It’s taking a real toll on those on the frontline. Around 70% of respondents told us they feel emotionally affected by their work. The pressure has become so great that many have:
- Ignored alerts completely and worked on something else (40%)
- Walked away from the computer feeling overwhelmed (43%)
- Turned off alerts (43%)
- Assumed an alert was a false positive (49%)
- Hoped another team member would step in to help (50%)
Technology can help
Cybersecurity might be a people business, but without the right tools to help them, those people will be unable to work effectively. That’s why platforms like Trend Micro Vision One are important. It’s a purpose-built threat detection solution that goes beyond most XDR offerings to correlate alerts across emails, servers, cloud workloads and networks. Crucially, it’s able to prioritise these alerts so that SecOps users know where to focus their efforts for an optimised, accelerated response.
By providing access to intelligent systems like Vision One, security leaders can not only reduce attacker dwell time and cyber-risk, but also improve the job satisfaction and wellbeing of their employees. At a time of chronic industry skills shortages, that’s reason enough to take a fresh look at threat detection and response.