Too Many Security Alerts, Not Enough Time: Automation to the Rescue

It’s 2020, which means it’s time to look back at 2019 and reminisce about the good times – fun with family and friends, good food, travel, and memories to last a lifetime.

Who am I kidding? Everyone remembers the bad stuff. The increasing impacts of climate change; relentless fires in the Amazon, California, and Australia; political and social unrest around the globe; and the last season of Game of Thrones. Jon Snow... you still know nothing.

In cybersecurity, we look back at the numbers. The average cost of a data breach was $3.9 million.ⁱ 4.1 billion records were breached in the first half of 2019.ⁱⁱ Security breaches have increased by 11% since last year.ⁱⁱⁱ

Unfortunately, all of these attacks translate into more security alerts for the cybersecurity team to investigate and resolve. These alerts fire from various security tools deployed in a security team’s environment – SIEMs, endpoint security, firewall, email security, etc. Typically, these alerts don’t contain a lot of detailed information, which means the analyst has to manually investigate each alert to understand the threat and then remediate it. This takes time – 10, 30, sometimes 40 minutes per alert depending on the severity.

The problem? There are too many security alerts coming in, and not enough people and time to deal with them all. In fact, approximately 64% of security tickets^iv generated per day are not being worked. Let that sink in. The majority of security alerts received by security teams are not being analyzed and resolved. This is the essence of “alert fatigue”. Security teams cannot address every alert, which makes them more vulnerable. It only takes one successful attack (one un-scrutinized security alert) to turn into a mega breach.

What’s worse is that security alerting is also inefficient. According to a 2017 study by Enterprise Management Associates (EMA)^v, 46% of incidents are automatically classified as “critical” alerts, but in fact, only about 1-5% of alerts should be categorized as “critical”. Also, EMA reports that 30% of alerts are false positives. Add this all up and that’s a lot of wasted time spent on alerts that don’t really matter.

But, there’s hope! Automating security alert triage can save analysts thousands of hours and millions of dollars per year. More importantly, automation can more efficiently scrutinize security alerts to weed out false positives and less critical alerts – all within seconds as opposed to 10 minutes or more per alert if done manually. This results in smarter, more comprehensive breach prevention for the business, and frees up analysts from the deluge of alert triage so they can focus on mission critical tasks to protect the business from nation-states and other attackers.

Splunk Phantom is a Security Orchestration Automation & Response (SOAR) tool that can automate alert triage to better secure your business and force multiply the effectiveness of security analysts. At Splunk’s annual user conference, .conf19, many customers explained how Splunk Phantom revolutionized their approach to security. Here are their stories.

^{i https://www.ibm.com/security/data-breach
ii https://www.forbes.com/sites/daveywinder/2019/08/20/data-breaches-expose-41-billion-records-in-first-six-months-of-2019/#1033d4f7bd54
iii https://www.accenture.com/us-en/insights/security/cost-cybercrime-study
iv https://www.splunk.com/en_us/form/an-enterprise-management-associates-research-report.html
v A Day in the Life of a Cyber Security Pro; ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) Infobrief. Authored by David Monahan. April 2017}