Wednesday, 25 October 2023 11:43

How to avoid your security professionals 'quietly quitting' due to alert fatigue

By Chris Fisher, director of security engineering, Vectra

GUEST OPINION: While evolving cloud technologies offer businesses enhanced opportunities across many areas of operations, the added security risks of hybrid infrastructure are leaving security teams struggling with increased alert fatigue, which could heighten the chance of a breach.

Cybersecurity continues to be an ongoing and important conversation; however, we must move beyond commentary to consider the new reality of today’s networks and endpoint sprawl. This means drilling down into what security teams genuinely need. It’s only when we adapt to the changing nature of attackers and the network that we can best serve security operations centres (SOCs) and protect organisations.

Uncovering the defender’s dilemma - asking security analysts directly
Vectra AI recently commissioned a report based on a survey of 2,000 IT security analysts. The State of Threat Detection report confirms the hypothesis that threat detection and response is a fundamentally broken model when used in hybrid enterprises of today.

Asking a series of questions regarding SOC analysts’ daily experience, Vectra’s researchers highlighted the truth about alert fatigue, inaccurate perceptions of detection technology, and the increased chance of compromise.

A key finding of the report is the discrepancy between what SOC analysts think of their detection tools, and what their tooling can do for them.

The global report finds 91% of SOC analysts believe their detection technology is effective. However, the report also finds SOC teams receive an average of 4,484 alerts per day, and 67% of these alerts are ignored. On top of this, 97% of those surveyed worry they will miss a relevant event because they simply cannot respond to every alert.

The report calls attention to SOC analysts' frustration with security tooling: 34% of ANZ-specific respondents said security tools are purchased as a box-ticking exercise to meet compliance requirements, and 44% wished IT team members consulted them before investing in new products. Furthermore, 37% said they were sick of vendors selling new security products that add to the number of alerts rather than improving threat efficacy.

SOC teams experience growing stress – calling out inadequate tooling in a talent shortage
It’s hardly surprising that in such a situation, many security employees are considering quitting not only their job but the whole profession.

The report states 58% of ANZ security analysts are considering leaving or are already actively leaving their job. According to the research, these security professionals believe they’re spending all their time sifting through alerts, experiencing unabated stress, and are frustrated by their tooling. They also think that they’re doing the work of multiple people, and that working in the security sector isn’t a sustainable career.

This damaging combination of alert fatigue, inadequate tooling and unhappy security teams is exactly what helps attackers succeed in their nefarious missions. We must act now and equip security teams with effective solutions that don't add pressure but instead provide much-needed support.

Saving SOC analysts from alert fatigue and burnout - integrating attack signals
Security operations centres must modernise, going beyond endpoint detection and response, and SIEM limitations, to gain signal clarity and target real threats. Luckily, tooling exists that is designed to filter out excess noise and track hacker behaviour more holistically and accurately, taking into consideration the entire hybrid infrastructure. This enables SOC teams to prioritise genuine attacks and respond quickly.

Modern cyber security technologies enable SOC teams to leverage automation and AI-driven threat detection to remove manual tasks and pinpoint attacks with greater clarity, so they can focus their time on what will ultimately protect the organisation.

A real-world example of this is a recently reported Microsoft vulnerability that was caught by our own AI-driven detections. As identified by Vectra AI, the vulnerability enabled an attacker to operate in a compromised tenant (customer) and abuse a misconfigured Cross-Tenant Synchronisation (CTS), effectively gaining access to other connected customers. CTS is a new feature from Microsoft that enables organisations to synchronise users and groups from other source customers and grant them access to resources (both Microsoft and non-Microsoft applications) in a target tenant.

This abuse of trust relationships and weak configurations is exactly where active monitoring for detection and response shines. The time is now to move away from dated signature-based technology and preventative-only measures, turning the spotlight instead on how best to secure the whole hybrid network. The powerful combination of AI-powered security tooling and managed security services greatly reduces the burden on SOC teams and enhances an organisation’s security measures.
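As an added illustration of the kind of monitoring the CTS abuse described above calls for (this is example code written for this article, not Vectra's product or Microsoft's audit schema), the script below scores cross-tenant partner configuration changes and flags a partner tenant that was enabled with inbound user synchronisation without being on the organisation's approved list. The audit records, field names and tenant identifiers are constructed assumptions.

```python
"""Flag cross-tenant synchronisation (CTS) partner settings that the
organisation has not explicitly approved.

The records and field names below are constructed for this example;
they are assumptions, not Microsoft's real audit log schema."""
from dataclasses import dataclass


@dataclass
class PartnerSetting:
    partner_tenant_id: str
    inbound_user_sync: bool    # partner may push its users into our tenant
    auto_redeem_invites: bool  # synced users get access with no consent prompt
    changed_by: str
    operation: str


# Constructed sample: two approved partners and one unknown partner that was
# just added with the most permissive inbound settings.
SAMPLE_EVENTS = [
    PartnerSetting("tenant-approved-0001", True, True, "admin@example.test",
                   "add partner cross-tenant access setting"),
    PartnerSetting("tenant-unknown-9999", True, True, "svc-sync@example.test",
                   "add partner cross-tenant access setting"),
    PartnerSetting("tenant-approved-0002", False, False, "admin@example.test",
                   "update partner cross-tenant access setting"),
]

# Assumed allowlist maintained by the organisation, not derived from logs.
APPROVED_PARTNERS = {"tenant-approved-0001", "tenant-approved-0002"}


def risk_score(ev: PartnerSetting, approved: set) -> int:
    """Higher score = more likely a trust relationship is being abused."""
    score = 0
    if ev.partner_tenant_id not in approved:
        score += 3  # unknown partner tenant is the strongest signal
    if ev.inbound_user_sync:
        score += 2  # inbound sync lets the partner create users here
    if ev.auto_redeem_invites:
        score += 1  # no consent step means nobody sees the new access
    return score


def find_suspicious(events, approved, threshold=4):
    """Return (partner_tenant_id, score) for events at or above threshold."""
    scored = [(e.partner_tenant_id, risk_score(e, approved)) for e in events]
    return [(tid, s) for tid, s in scored if s >= threshold]


if __name__ == "__main__":
    for tid, score in find_suspicious(SAMPLE_EVENTS, APPROVED_PARTNERS):
        print(f"ALERT: unapproved inbound CTS partner {tid} (score {score})")
```

An approved partner with inbound sync scores 3 and stays below the threshold, so only the unapproved partner surfaces as an alert, which is the noise reduction the article is asking for.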

To read Vectra AI's full report, click here.
