Security operations (SecOps) teams are tasked with defending against increasingly sophisticated, fast-paced cyberattacks, but the complexity of the people, processes, and technology at their disposal is making cyber defense increasingly unsustainable, according to Vectra.
Vectra’s 2023 State of Threat Detection report found that an ever-expanding attack surface, combined with evolving attacker methods and a growing SOC analyst workload, produces a vicious “spiral of more” that prevents security teams from effectively securing their organisation.
Based on a survey of 2,000 SecOps analysts, the report breaks down why the current approach to security operations is not sustainable.
Manual alert triage costs organisations $3.3 billion annually in the US alone. Security analysts are tasked with detecting, investigating and responding to threats as quickly and efficiently as possible, while contending with an expanding attack surface and thousands of security alerts every day.
The study found that 63% of respondents report that the size of their attack surface has increased in the past three years.
On average, SOC teams receive 4,484 alerts daily and spend nearly three hours a day manually triaging alerts.
Security analysts are unable to deal with 67% of the daily alerts they receive, and 83% of respondents report that the alerts they do handle are false positives not worth their time.
Although a majority of SOC analysts report that their tools are effective, the combination of blind spots and a high volume of false-positive alerts is preventing enterprises and their SOC teams from successfully containing cyber risk.
Without visibility across the entire IT infrastructure, organisations are not able to identify even the most common signs of an attack, including lateral movement, privilege escalation, and cloud attack hijacking.
The study also found that 97% of SOC analysts worry about missing a relevant security event because it’s buried under a flood of alerts, yet, the vast majority deem their tools effective overall.
Also, 41% believe alert overload is the norm because vendors are afraid of not flagging an event that could turn out to be important.
Further, 38% claim that security tools are purchased as a box-ticking exercise to meet compliance requirements, and 47% wish IT team members consulted them before investing in new products.
Despite the increasing adoption of AI and automation tools, the security industry still requires a significant number of workers to interpret data, launch investigations, and take remedial action based on the intelligence they are fed.
Faced with alert overload and repetitive, mundane tasks, two-thirds of security analysts report that they are considering leaving or are actively leaving their jobs, a statistic with a potentially devastating long-term impact on the industry.
The study found that despite 74% of respondents claiming their job matches expectations, 67% are considering leaving or are actively leaving their job.
Of the analysts considering leaving or actively leaving their role, 34% claim they don’t have the necessary tools to secure their organisation.
More than half (55%) of analysts claim they’re so busy that they feel like they’re doing the work of multiple people, and 52% believe working in the security sector is not a viable long-term career option.
David Sajoto, VP of Vectra AI in Asia Pacific & Japan, said firms must focus on the things they can control, which goes beyond the ever-expanding corporate cyber-attack surface or booming threat landscape.
This means controlling the signal and burnout challenges that SOC analysts are currently facing. Effective security in the SOC doesn’t mean detecting possible threat events but detecting and prioritising real attacks with accuracy.