As organizations began to rely more heavily on networking to carry out their operations over the past decade, IT teams added security analyst positions. These professionals focused on network security and providing regulatory compliance oversight.
Over time, the role of the security analyst has expanded to include what is commonly labeled threat hunting but is, in practice, alert triage: evaluating security platform alerts to decide which are true positives (genuine threats) and which are false positives.
The result has been an erosion of job satisfaction, a widening gap between open and filled security analyst positions, and, ultimately, network environments that remain vulnerable to breaches and hacks.
The False Positives Problem in Cybersecurity
False positives, much like false alarms from a perimeter security system, flag activity that turns out to be benign. They create noise for security teams that are already busy.
Common triggers for false positives include software bugs, unexpected but legitimate network traffic, and changes in user behavior. For example, the recent shift to telecommuting during the Coronavirus pandemic has significantly changed what "expected" network behavior looks like. SIEM platforms around the world are surely keeping SecOps teams busy with the resulting false positive alarms.
This triage work is time-consuming and expensive. According to the Ponemon Institute, enterprises spend $1.3 million and waste over 21,000 hours every year dealing with false positives. Security analysts spend as much as 25 percent of their time (15 minutes of every hour) chasing these dead-end alarms.
Why all the false positives? It turns out that the Security Information and Event Management (SIEM) platforms organizations invest in so heavily can't accurately analyze the gray area between truly suspicious behavior and benign activity. By default, these platforms fire on anything that looks potentially worrisome, typically through static rules and fixed thresholds, and leave the real decision-making to the SecOps team.
Worse, security teams often wind up conditioned to ignore false positives. Once "alert fatigue" sets in, teams begin to miss genuine threats, sometimes with catastrophic results.
The Shifting Role of the Security Analyst
As SIEM platforms have become part of the fabric of many corporate infrastructures, the role of the security analyst has fundamentally shifted. SIEM platforms add automation to the threat detection process to help steer analysts toward suspicious events. However, these systems notoriously generate false positives that analysts must still investigate.
The result is a system where security analysts are spending a great deal of time sifting through an endless stream of SIEM alerts to track down genuine threats. The opportunity cost of these diverted human resources is impossible to calculate, but it is undoubtedly substantial. Organizations also face the cost of analyst churn—burnout is all too real in the SecOps field.
SecOps teams that have fewer hours to devote to other security tasks are merely trading one risk for another. Fewer hours in the day for essential security functions like configuration maintenance, security patching, and hardware updates leads, without question, to a less secure environment overall.
The truth is that unless a security platform has an accurate, detailed understanding of a network's baseline, it can't distinguish real threats from organically changing network behavior. Security analysts become more stressed as their roles become inundated with highly redundant, repetitive, exhausting tasks.
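To make the contrast between a default-style static rule and a baseline-aware one concrete, here is an added example that is not MixMode's code, not any SIEM vendor's rule syntax, and not from the original post. It runs two detection rules over a constructed series of daily VPN login counts (sample data, not real telemetry) in which the workforce goes remote on day 10 and a genuine spike lands on day 17. The fixed threshold of 100, the five-day window, and the z-score cutoff of 3 are all assumptions chosen for illustration.

```python
"""Fixed-threshold alerting beside a rolling-baseline rule, run over
constructed daily VPN login counts. Added example: not MixMode's code and
not a real SIEM's rule language."""
from statistics import mean, pstdev

# Constructed sample data (not real telemetry): successful VPN logins per day.
# Days 0-9 are the office-first routine, from day 10 the workforce goes remote
# and the count steps up permanently, and day 17 carries a genuine spike on
# top (think a credential-stuffing run that succeeds at scale).
DAILY_VPN_LOGINS = [
    40, 42, 38, 45, 41, 39, 44, 43, 40, 42,   # days 0-9: office-first baseline
    400, 420, 410, 415, 405, 425, 412,        # days 10-16: remote-work new normal
    1300,                                     # day 17: real anomaly
    418, 409,                                 # days 18-19: back to the new normal
]
TRUE_ANOMALIES = {17}      # ground truth for the sample, by construction
STATIC_THRESHOLD = 100     # assumed vendor-default style rule: "> 100 remote logins/day"


def static_rule(counts, threshold=STATIC_THRESHOLD):
    """Fire on every day whose count exceeds a fixed number."""
    return [day for day, c in enumerate(counts) if c > threshold]


def baseline_rule(counts, window=5, z=3.0):
    """Fire when a day sits more than `z` standard deviations above the mean
    of the previous `window` days. The first `window` days only seed the
    baseline and can never alert."""
    alerts = []
    for day in range(window, len(counts)):
        history = counts[day - window:day]
        mu = mean(history)
        # Floor the spread at 5% of the mean so a perfectly flat week cannot
        # turn the rule into a hair trigger (or divide by zero).
        sigma = max(pstdev(history), 0.05 * mu)
        if (counts[day] - mu) / sigma > z:
            alerts.append(day)
    return alerts


def score(alerts, truth=TRUE_ANOMALIES):
    """Return (true positives, false positives, missed) for a list of alert days."""
    fired = set(alerts)
    return len(fired & truth), len(fired - truth), len(truth - fired)


if __name__ == "__main__":
    for name, rule in (("static threshold", static_rule),
                       ("rolling baseline", baseline_rule)):
        alerts = rule(DAILY_VPN_LOGINS)
        tp, fp, missed = score(alerts)
        print(f"{name:17s} alerts={alerts} tp={tp} fp={fp} missed={missed}")
```

On this sample the static rule fires on every one of days 10 through 19 (one true positive, nine false positives), because the new remote-work normal sits permanently above its threshold. The baseline rule fires on day 10, the first day of the regime change, and on day 17, the real spike; everything in between is absorbed as the baseline adapts. The day 10 alert is the price of adapting, and the same adaptivity is also the rule's failure mode: a sustained attack that persists for a week gets learned as normal too, which is why production baselines are usually fit per user or host, use longer windows, and exclude confirmed incidents from the history they learn from.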
MixMode is helping organizations improve the way SecOps teams utilize advanced security technology to better secure and protect vital networks. Download our new whitepaper to learn how.