MSSPs Wasting Time on False-Positive Security Alerts
Managed security services providers (MSSPs) are wasting time and resources processing useless security alerts, and many often either reduce the sensitivity of security equipment or ignore alerts altogether.
That’s according to a new survey by Advanced Threat Analytics (ATA). The company polled nearly 50 MSSPs to evaluate the state of incident response within their security operations centers (SOCs).
Advanced Threat Analytics’ Alin Srivastava
Alin Srivastava, ATA’s president, tells Channel Partners that redundant and benign alerts cause the most problems for MSSPs, The most surprising aspect of the survey was the fact that MSSPs “readily admit to ignoring alerts for a service they are being paid for by customers who are entrusting their security to those MSSPs,” he said.
“This research shows that MSSPs are still on the receiving end of an oppressive number of daily security alerts, forcing many analysts and incident responders to spend hours – in some cases, more than five – each day investigating them, many of which turn out to be false-positives,” he said. “Devoting so much time to benign alerts severely compromises security effectiveness, as analysts are distracted from acting on actual threats and incidents.”
Nearly half (44 percent) of respondents report a 50 percent or higher false-positive rate, with 22 percent reporting a 50-75 percent false-positive rate, and 22 percent reporting between 75 and 99 percent.
Nearly 45 percent of respondents investigate 10 or more alerts each day, according to the survey. Nearly two-thirds (64 percent) said, on average, it takes 10 minutes or more to investigate each alert, including 11 percent who said it takes 30 minutes or more.
When asked what they do if their SOC has too many alerts for analysts to process, respondents said they: tune specific alerting features or thresholds to reduce alert volume (67 percent); ignore certain categories of alerts (38 percent); turn off high-volume alerting features (27 percent); and hire more analysts (24 percent).
“The most effective way for MSSPs to break free from ‘alert tyranny’ is to invest in technology that decreases the number of incidents generated, rather than in traditional SIEM and incident-orchestration solutions, which only reduce the time it takes to investigate each one,” Srivastava said.
When respondents were asked what they feel is the main responsibility of their job: Seven in 10 (70 percent) said analyzing and remediating security threats; 20 percent said limiting the number of alerts sent to clients for review; 5 percent said investigating as many alerts as possible; and the remaining 5 percent said reducing the time it takes to investigate a security alert.
“When analysts are no longer bogged down in an unmanageable number of alerts, they can focus on what they were hired to do — mitigate risk by identifying true threats and responding quickly,” Srivastava said.
ATA’s Alert Classification Platform and Mobile SOC allows incident responders to analyze and triage alerts anytime and anywhere.
Critical Start is an ATA MSSP partner. The (ATA platform) is an “integral” part of its managed detection and response business, said Joshua Maberry, its director of security operations.
“The platform enables us to use security tools, such as endpoint detection and response platforms like Carbon Black, without having to set thresholds or arbitrarily reduce alerts to make it manageable,” he said. “ATA enables my team to identify the known good behaviors of a system and remove them from the queue. The team can also go one step deeper by working with our clients to identify their specific known good, such as home-grown applications and/or privileged users who are authorized to use tools that flag as malicious, to further reduce the noise and false-positive events that contribute to alert fatigue and analyst burnout.”
