SOC Teams: Threat Detection Tools Are Stifling Us

Security operations center (SOC) practitioners are struggling, thanks to an overwhelming volume of false alarms from their security tools.

A Vectra survey of hundreds of cybersecurity professionals revealed a serious gripe that SOC teams have with their software vendors. The overwhelming volume of false positives their tools yield is causing burnout, they say, and allowing real threats to slip through the noise.

"There wasn't that much of a change from last year's results, and honestly it wasn't much of a surprise," says Mark Wojtasiak, vice president of research and strategy at Vectra AI. "SOC practitioners are clearly still frustrated with threat detection tools. And, really, what the data tells us is that, more than a threat detection problem, SOC teams have an attack signal problem. The promise of consolidation and platformization have yet to take hold, and what SOC teams really need is an accurate attack signal."

What Does the SOCs Say? Ding Ding Ding

SOCs ingest an average of 3,832 security alerts per day. For a sense of just how unmanageable that might be, consider that an average SOC might be staffed by a few dozen people, or just a few, depending on the size of the organization and its investment in security.

The result: 81% of SOC staffers spend at least two hours a day simply sifting through and triaging security alerts. It's no wonder, then, that 54% of Vectra respondents said that, rather than making their lives easier, the tools they work with increase their daily workloads, and that 62% of security alerts ultimately just get ignored.

Of course, SOC operators are aware of the implications of ignored security warnings. A full 71% reported worrying every week that they'll miss an attack buried in a flood of less important alerts. And 50% went so far as to say that their threat detection tools are "more hindrance than help" in spotting real attacks.

The conflict between what operators are dealing with, and what they can handle, is fostering genuine resentment toward vendors. Around 60% of respondents reported that they've been buying security software mostly just to tick a compliance box, and 47% don't trust these programs outright. A similar percentage (62%) believe that vendors are intentionally, cynically flooding them with alerts so that when a breach occurs, they're more likely to be able to say: We warned you!

A majority (71%) of SOC practitioners say that vendors need to take more responsibility in failing to prevent breaches.

How AI Can Make SOCs More Efficient

The most attainable, practical promise of artificial intelligence (AI) is that it will reduce the tedium associated with repetitive jobs, and bolster productivity. And more so than most, SOC staffers stand to benefit from exactly that.

In fact, Wojtasiak says, AI is the path to a whole mindset shift. "Security thinks in terms of individual attack surfaces: I have a network, endpoints, identities, email, now generative AI (GenAI). OK. I'm going to go buy tools to do threat detection across those siloed attack surfaces, then ask a human being to make sense of it all. That's how security thinking has fundamentally been for the past 10 years," he says.

"Modern attackers," he continues, "just see one, giant attack surface that they can move around in. So why isn't security thinking the same way? Why aren't we looking at threats holistically across the entire attack surface, using AI to piece together detections that are indicative of attacker behavior, correlating those detections, and then giving one integrated signal to the SOC analyst?"

Plenty of SOCs are already starting to do just that. About 67% of Vectra survey respondents found that AI is already improving their ability to identify and defend against threats, and 73% claimed that that's helped ease their feelings of burnout. Nearly nine in 10 respondents have already boosted their investments in AI, and are planning to go further.

"I'm [already] hearing about the positive outcomes they're experiencing as they introduce these new tools — reduced workloads, less burnout, and less sprawl," Wojtasiak reports. "The hope is that current frustrations will ease as siloed legacy tools are replaced by AI-powered tools capable of delivering an accurate attack signal."