
Survey Highlights the Need for Automation to Manage Security Alerts


Twice as many security teams with high levels of automation resolve most or all alerts the same day compared to those with lower levels of automation.

Jul 22, 2020

Continuous intelligence (CI) is essential in situations where actionable insights must be derived from real-time data in milliseconds to seconds. A prime use case for CI is decision support and analysis automation of security alerts. That’s been the case for a while. But the need for automated help is now ever-more critical with cyberattacks on the rise and corporate boundaries being pushed into every employee’s home due to the pandemic.

See also: Using Continuous Intelligence for Decision Support and Automation

A recent Dimensional Research survey, sponsored by Sumo Logic, put the issues into perspective. The survey included 427 IT security stakeholders in organizations with at least 1,000 employees. It found that IT security staff simply cannot keep up with the volume of security alerts organizations receive every day.

Specifically, 56% of companies with more than 10,000 employees must deal with more than 1,000 security alerts per day. Most companies have seen increases in security alerts. Seventy percent of the companies surveyed have seen the volume of security alerts more than double in the past five years.

The challenges are likely to be exacerbated by current work conditions. “You increase the attack surface due to COVID,” said Greg Martin, General Manager of the Security Business Unit at Sumo Logic.

He noted that you have workers and executives using their computers on the same networks as their families. This potentially exposes secure systems to vulnerabilities. “You’re pouring a clean glass of water into a dirty glass of water,” he said.

Overwhelmed with Alerts

Most respondents, 93% of the companies, said they could not address all the security alerts they receive on the same day. And 83% said their security staff experiences alert fatigue.

Such a situation is doubly bad. Lacking the bandwidth, security staff can only do their best in the time available. Certainly, they would focus most of their energy on the highest-level alerts. But therein lies a problem.

Ignoring attacks classified as low-level because there is not enough time or staffing power to get to them opens companies to problems. The reason: many attackers use compounded and advanced persistent threat (APT) attacks. Essentially, compounded attacks use multiple small, less detectable attacks over time. Such an attack might start with a phishing attempt, and the result might be the installation of malware or the theft of credentials. Similarly, in an APT attack the hacker gains access to a system and remains there for an extended period without being detected.


How Automation and CI can Help

Simply put, organizations are being overwhelmed with security alerts. What’s the best way to deal with the situation?

One way would be to add more staff. The survey found that 75% of the companies said they would need three or more additional security analysts to address all alerts the same day. Many companies are not likely to boost their staff, given the current economic conditions.

Instead, most (92%) believe automation is the best solution for dealing with the large volume of alerts. The idea here is to use real-time analysis of the alert data. One use of CI would be to classify and examine every alert. A more advanced use would be to spot patterns and make predictions. For example, these three low-level alerts, encountered in this order, are precursors to this type of attack.
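The sequence idea described above, as an added illustration that is not part of the article or of any Sumo Logic product: a small stateful correlator that walks alerts in time order, tracks per-host progress through a configured ordered sequence of low-severity alert types, and escalates when the whole sequence is seen within a time window. The alert records, alert type names, sequence and window are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not survey data); each is low severity on its own.
SAMPLE_ALERTS = [
    {"ts": "2020-07-20T09:00:00", "host": "ws-17", "type": "phishing_link_click"},
    {"ts": "2020-07-20T09:03:00", "host": "ws-17", "type": "new_unsigned_binary"},
    {"ts": "2020-07-20T09:10:00", "host": "ws-42", "type": "new_unsigned_binary"},
    {"ts": "2020-07-20T09:45:00", "host": "ws-17", "type": "credential_access_attempt"},
    {"ts": "2020-07-22T11:00:00", "host": "ws-42", "type": "credential_access_attempt"},
]

# Hypothetical rule: this ordered sequence on one host inside WINDOW is treated
# as a precursor pattern and escalated for analyst attention.
PRECURSOR_SEQUENCE = ("phishing_link_click", "new_unsigned_binary", "credential_access_attempt")
WINDOW = timedelta(hours=2)


def parse_ts(s):
    return datetime.fromisoformat(s)


def correlate(alerts, sequence=PRECURSOR_SEQUENCE, window=WINDOW):
    """Return one escalation per host where `sequence` occurs in order within `window`."""
    # Sort so out-of-order ingestion does not break in-order matching.
    ordered = sorted(alerts, key=lambda a: parse_ts(a["ts"]))
    # Per-host state: (index of next expected step, timestamp of first matched step)
    state = {}
    escalations = []
    for alert in ordered:
        host = alert["host"]
        idx, started = state.get(host, (0, None))
        ts = parse_ts(alert["ts"])
        # Discard a partial match that has aged out of the window.
        if started is not None and ts - started > window:
            idx, started = 0, None
        if alert["type"] == sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
            if idx == len(sequence):
                escalations.append({"host": host, "first_seen": started.isoformat(),
                                    "last_seen": ts.isoformat(), "severity": "high"})
                idx, started = 0, None
        state[host] = (idx, started)
    return escalations


if __name__ == "__main__":
    for e in correlate(SAMPLE_ALERTS):
        print(e)
```

Only ws-17 escalates: ws-42 shows two of the three steps but never the first, so its alerts stay low-level on their own.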

How effective is automation? Twice as many security teams with high levels of automation (65%) resolve most or all alerts the same day compared to those with lower levels of automation (only 34%), according to the survey’s findings.

Salvatore Salamone

Salvatore Salamone is a physicist by training who writes about science and information technology. During his career, he has been a senior or executive editor at many industry-leading publications including High Technology, Network World, Byte Magazine, Data Communications, LAN Times, InternetWeek, Bio-IT World, and Lightwave, The Journal of Fiber Optics. He also is the author of three business technology books.
