Security service providers suffer from false positive alert overload
A new survey of managed security service providers (MSSPs) reveals that they are suffering an avalanche of false positive security alerts.
The study from Advanced Threat Analytics reveals that 44 percent of respondents report a false-positive rate of 50 percent or higher. Of those, half experience a 50-75 percent false-positive rate and the remainder a startling 75-99 percent rate.
Nearly 45 percent of respondents say they investigate 10 or more alerts each day. That breaks down into 22 percent investigating between 10 and 20 alerts each day, 11 percent investigating 20-40 daily, and 11 percent investigating 50 or more.
According to 64 percent of respondents, each alert takes an average of 10 minutes or more to investigate: 33 percent say it takes between 10 and 20 minutes, 20 percent say it takes between 20 and 30 minutes, and 11 percent say it takes 30 minutes or more. Multiplied across the daily alert volume, that adds up to a lot of wasted effort.
"This research shows that MSSPs are still on the receiving end of an oppressive number of daily security alerts, forcing many analysts and incident responders to spend hours -- in some cases, more than five -- each day investigating them, many of which turn out to be false-positives," says Alin Srivastava, president of Advanced Threat Analytics. "Devoting so much time to benign alerts severely compromises security effectiveness, as analysts are distracted from acting on actual threats and incidents."
The study also shows that the volume of false alerts is leading to some dangerous compromises. When asked what they do if their operations center has too many alerts for analysts to process, 67 percent of respondents say they tune specific alerting features or thresholds to reduce alert volume, 38 percent ignore certain categories of alerts, 27 percent turn off high-volume alerting features, and 24 percent hire more analysts.
"Many MSSPs are expanding their teams in an effort to keep up with alert volume, which isn't a sustainable model, while others change operational processes, like turning off security features or ignoring certain alerts, which greatly increases the risk that legitimate security events will go undetected," adds Srivastava. "The most effective way for MSSPs to break free from alert tyranny is to invest in technology that decreases the number of incidents generated, rather than in traditional SIEM and incident orchestration solutions, which only reduce the time it takes to investigate each one."
You can read more about the findings in the full report, available from the Advanced Threat Analytics website.