Earlier this month, SOAR vendor Demisto released its “The State of SOAR Report, 2018.” In that report, Demisto states that (page #4):
Alerts Continue to Rise
Research found that security teams are facing over 174,000 alerts per week on average and are able to review only around 12,000 of them. The chief sources for this alert fatigue were a proliferation of security tools (46% of respondents stated that their security tools generated too many alerts) and a shortage of experienced analysts (79% of respondents highlighted ‘not enough people’ as a key SOC challenge). A direct outcome of rising alert volumes was felt in high MTTR (Mean Time to Respond), with research finding that it took an average of 4.35 days to resolve an incident.
While I could cynically say that this data is a bald attempt by the vendor to increase its SOAR product sales, let’s give Demisto the benefit of the doubt. There is likely another factor at work here. What Demisto does not discuss is what percentage of those 174K alerts/week are false positives (FPs) that simply waste people’s time, or, at least, what percentage of the 12K alerts/week that are actually reviewed turn out to be FPs. In other words, besides a need for SOAR, there is a huge need for far better detection capabilities. Those better detection capabilities not only need to do a far better job at discerning false positives, but also need to do a much better job at discovering false negatives and provide much better contextual information to aid analysts’ investigations.
In that same report, Demisto also states that (page #4):
Organizations continue to face challenges in hiring, training, and retaining security personnel. Our research found that it took an average of 8 months to train new security analysts; despite this, a quarter of employees were likely to end up leaving within 2 years. In this scenario, SOAR tools should aim to both fill personnel gaps and make existing analysts’ jobs easier and more fruitful.
While I certainly agree with Demisto’s assessment of this problem, there is again an alternative approach. In addition to a need for better detection, there is a need to institutionalize those better detection capabilities, rather than relying on the tribal knowledge that exists in many organizations today. Let’s face it, the need to institutionalize that knowledge is critical due to the churn in security analysts, brought on by the boring and tedious chasing of FPs. That institutionalization of detection knowledge is exactly what PatternEx has done with its Virtual Analyst Platform. Transfer learning is an important component of institutionalized knowledge, and PatternEx’s autocorrelation feature is another capability that helps analysts with their investigations. In addition to SOAR, you should check out PatternEx’s improved detection capabilities!