Are MSSP Incident Responders Overwhelmed by False-Positive Alerts?
Most MSSP incident responders waste resources processing false-positive security alerts, according to a survey of nearly 50 MSSPs conducted by security orchestration technology provider Advanced Threat Analytics (ATA).
Key findings from the ATA survey included:
- 44 percent of survey respondents report a false-positive security alert rate of 50 percent or higher.
- Nearly 45 percent investigate 10 or more alerts each day.
- 64 percent require an average of 10 minutes or more to investigate each alert.
In addition, many MSSP incident responders spend five hours or more daily investigating security alerts, most of which are false positives, ATA President Alin Srivastava said in a prepared statement. This frequently compromises security effectiveness, Srivastava stated, and prevents security analysts from responding to actual threats and incidents.
Alert Overload Creates Problems in Many Areas
Alert overload, i.e. an issue that occurs when incident response teams are inundated with thousands of security alerts per day, has far-flung effects on MSSPs.
When asked what they do if their security operations center (SOC) has too many alerts for security analysts to process, 67 percent of ATA survey respondents said they tune specific alerting features or thresholds to reduce alert volume. Also, 38 percent of respondents ignore certain categories of alerts, 27 percent turn off high-volume alerting features and 24 percent hire additional analysts.
What Is an MSSP Incident Responder’s Primary Responsibility?
Seventy percent of ATA survey respondents said analyzing and remediating security threats is their main responsibility. Comparatively, 20 percent indicated their primary responsibility involves limiting the number of alerts sent to clients, and the remaining respondents said they are responsible for investigating as many alerts as possible or reducing the time it takes to investigate an alert.
To address alert overload, MSSPs should avoid traditional security information and event management (SIEM) and incident orchestration technology that reduces the amount of time it takes to investigate each security alert, Srivastava noted. Instead, MSSPs should invest in technology that reduces the number of incidents generated.
ATA Unveils Alert Classification Platform
ATA in October introduced the Alert Classification Platform, a cloud- and subscription-based offering designed to help MSSPs reduce alert overload, according to a prepared statement.
The Alert Classification Platform uses a combination of network data, customer-specific patterns, white-list data and crowdsourced event-reduction playbooks to help MSSPs analyze network traffic and behavior, ATA said. By doing so, the platform helps MSSPs identify cyber threats faster than ever before.