By John Dominguez February 19, 2021
Here’s some food for thought:
- 88% of organizations worldwide experienced spear phishing attempts in 2019.
- Between January 1, 2005, and May 31, 2020, there have been 11,762 recorded breaches.
- Security breaches have increased by 11% since 2018 and 67% since 2014.
The sheer number of cyberattacks launched against organizations every year is massive and growing. If you’re a security analyst working in a SOC or security team, tasked with defending your organization, that means you’re getting bombarded by many more attacks than the recorded numbers above would suggest. These attacks translate into security alerts — fired from your various security tools — that you must investigate and resolve.
That’s a lot of alerts — likely more alerts than your team can handle every day. In fact, analyst firm Enterprise Management Associates (EMA) conducted a study of security operations in late 2019 and found that 64% of security tickets generated per day are not being worked. In other words, a majority of security alerts received by security teams each day are not being analyzed and resolved.
EMA also found that the sheer number of alerts isn’t the only problem. Many security tools lack the ability to prioritize alerts for you. 46% of incidents are automatically classified as “critical” alerts, but in fact, only about 1-5% of alerts should be categorized as “critical”. This means that security teams aren’t properly allocating their time to address the most critical alerts first. EMA also found that 30% of alerts are false positives. That’s a lot of time spent on alerts that don’t matter.
What does all of this mean? Security teams are overwhelmed, and a broken security operations process is only making life harder for the SOC.
But there is a way to go from “overwhelmed” to “in-control” of your security operations, and it’s through automation. By automating alerting, investigations, and incident response, security teams can free themselves from the burden of monotonous, repetitive security tasks, and free up time to focus on more mission critical tasks. Through automation, they can investigate and respond to alerts faster, with limited or no human interaction. In fact, security teams that used a SOAR tool identified an average efficiency improvement of 48%, and a productivity improvement of 53%. And an overwhelming 97% of respondents (in the EMA study mentioned previously) agreed that a SOAR tool allowed for increased workload maintaining the same number of staff.
If you’re ready to see how automation can help your security team chart a new path forward, we encourage you to spend 30 minutes to learn more about Splunk’s Security Orchestration, Automation, and Response (SOAR) tool. In the webinar “Splunk Phantom in Focus”, we provide a comprehensive overview, and deep-dive, showing how automation from Splunk can modernize your SOC and strengthen your defenses.