Digital transformation forces organizations to reconsider how they secure their processes and operations. As the number and complexity of sources and inputs grow, so do the vulnerabilities. Companies respond by creating dedicated teams to ensure compliance and protect sensitive information: hence the Network Operations Center (NOC) and the Security Operations Center (SOC).
A few years back, a report by Enterprise Management Associates showed that 4 in 5 teams felt overwhelmed. Their job is to monitor many tools that do not communicate with each other, so the same attack can trigger several different alerts. In this situation a SOC team can receive over 10,000 alerts a day, and a large organization up to 1 million.
Given this volume of daily operations, using intelligent systems is a question of how, not of if or when.
NOC and SOC alert flow
While the NOC works to prevent downtime and keep network performance optimal, the SOC deals with cyberattacks and threats by continuously monitoring, investigating, analyzing, and resolving issues. Together these teams watch an organization's networks, cloud usage, servers, websites, VPNs, Wi-Fi access points, and more.
Both teams need to work in near real time to identify and contain problems before they get out of hand. To stay on top of potential threats, most organizations rely on automated security tools that raise an alarm every time something suspicious appears.
However, the volume of data processed by these monitoring tools soon translates into alert fatigue. Most alerts are simple warnings with no real threat behind them; the trigger may be nothing more than a spike in activity. Deciding whether an alert should be escalated means putting it into perspective, and that requires context.
Context is indispensable in cybersecurity: the more relevant data you have, the more accurate your assessment can be. Looking at an event from multiple angles, such as which assets are affected, the source of the attack, its targets, and other attributes, is what separates noise from actual threats.
Until recently this was the job of NOC/SOC team members, but at today's volumes it is overwhelming and inefficient. AI-based solutions are entering the market to reduce alert noise and give engineers some relief.
Alert fatigue is most common in sectors that adopt technology early. Organizations in finance, healthcare, and IT have accumulated many defense mechanisms against various threats over time. The problem is that each additional tool installed to prevent attacks generates its own alerts, so the tools have become part of the problem rather than the solution.
How many alerts can a SOC handle?
Most SOC teams are drowning in alerts and notifications. A recent Bay Dynamics study found that 64% of threats are ignored and 52% need manual reprioritization. Applied to thousands of alerts a day, those percentages are alarming.
Even a whole team of dedicated cybersecurity specialists can quickly be swamped by alerts that are technically valid but operationally irrelevant.
The solution is to perform event correlation and reduce the number of alerts by consolidating alerts with the same trigger into a single warning. A machine-learning model looks at past attacks and learns the patterns of each type of threat: malware, trojans, DDoS, and many more. This usually reduces the alert volume by 50-80%.
Once consolidated, the alerts are prioritized by risk level. At this step as many false positives as possible are filtered out; in practice some will survive and the occasional true positive will be suppressed, so the suppression rules themselves need periodic review.
The next stage is actual threat detection: alerts that require dedicated attention from security specialists are escalated. A ticket is created automatically and delivered to the responsible team.
Trivial alerts can be handled automatically by the system following a predetermined protocol for that situation. For example, in the case of a network overload, the system can temporarily allocate more resources to the affected service.
Critical decisions are made in these initial triage tiers. By creating security playbooks, SOC teams can reduce their daily workload. A playbook speeds things up by categorizing incidents automatically and asking a specialist only for confirmation. Once the analyst confirms that the activity is malicious, the system performs the designated routine, such as blocking the source IP or terminating the user's session. Such automated responses need guardrails: a playbook that blocks IPs should never act on the organization's own address ranges or on shared infrastructure such as a NAT gateway, where one bad block locks out many legitimate users.
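The pipeline sketched in the event-correlation paragraph and in the tiers above (consolidate, score, escalate with a ticket, auto-handle trivial alerts, gate playbook actions behind analyst confirmation) as an added Python example. This is not code from the original page or from any vendor product. Every tool name, signature, asset criticality weight, threshold and alert record is constructed for illustration, and the correlation rule is a plain deterministic time-window grouping on (source, destination, threat category) rather than the learned model the text mentions; the internal-address guardrail on the block-IP playbook is the caveat from the paragraph above, made concrete.

```python
"""Constructed alert-triage pipeline: correlate, score, route, and gate playbook
actions behind analyst confirmation. Every name, value and record is hypothetical."""
from datetime import datetime, timedelta
import ipaddress

# Alerts as non-integrated tools (IDS, WAF, EDR, network monitor) would emit them (constructed).
RAW_ALERTS = [
    {"tool": "ids", "ts": "2024-05-01T10:00:05", "src": "203.0.113.7", "dst": "web-01", "sig": "sqli-attempt", "severity": 3},
    {"tool": "waf", "ts": "2024-05-01T10:00:07", "src": "203.0.113.7", "dst": "web-01", "sig": "sqli-blocked", "severity": 2},
    {"tool": "ids", "ts": "2024-05-01T10:00:40", "src": "203.0.113.7", "dst": "web-01", "sig": "sqli-attempt", "severity": 3},
    {"tool": "ids", "ts": "2024-05-01T10:01:10", "src": "10.0.0.99", "dst": "web-01", "sig": "sqli-attempt", "severity": 3},
    {"tool": "edr", "ts": "2024-05-01T10:02:10", "src": "10.0.0.5", "dst": "fin-db-01", "sig": "credential-dump", "severity": 5},
    {"tool": "netmon", "ts": "2024-05-01T10:03:00", "src": "10.0.0.20", "dst": "core-sw-1", "sig": "link-utilization-high", "severity": 1},
    {"tool": "netmon", "ts": "2024-05-01T10:03:30", "src": "10.0.0.20", "dst": "core-sw-1", "sig": "link-utilization-high", "severity": 1},
    {"tool": "ids", "ts": "2024-05-01T10:04:00", "src": "10.0.0.5", "dst": "web-01", "sig": "sqli-attempt", "severity": 3},
    {"tool": "ids", "ts": "2024-05-01T10:20:00", "src": "203.0.113.7", "dst": "web-01", "sig": "sqli-attempt", "severity": 3},
]

# Signature -> threat category, so differently named alerts about the same activity correlate.
CATEGORY = {"sqli-attempt": "web-attack", "sqli-blocked": "web-attack",
            "credential-dump": "credential-theft", "link-utilization-high": "capacity"}
ASSET_CRITICALITY = {"web-01": 2, "fin-db-01": 5, "core-sw-1": 3}   # hypothetical CMDB weights
SUPPRESSED_SOURCES = {"10.0.0.99"}      # e.g. the authorized vulnerability scanner: known false positive
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
WINDOW = timedelta(minutes=5)           # alerts within this span of an incident's first alert are merged
ESCALATE_AT = 12                        # risk score at which a ticket is opened for the SOC
AUTO_PROTOCOLS = {"capacity": "allocate-additional-bandwidth"}          # trivial: handled automatically
PLAYBOOKS = {"web-attack": "block-source-ip", "credential-theft": "terminate-user-session"}


def correlate(alerts, window=WINDOW):
    """Consolidate alerts sharing (src, dst, category) within `window` into one incident."""
    incidents, open_groups = [], {}
    parsed = [dict(a, ts=datetime.fromisoformat(a["ts"])) for a in alerts]
    for a in sorted(parsed, key=lambda x: x["ts"]):
        if a["src"] in SUPPRESSED_SOURCES:
            continue                                    # drop policy-defined false positives
        key = (a["src"], a["dst"], CATEGORY.get(a["sig"], "unknown"))
        inc = open_groups.get(key)
        if inc is None or a["ts"] - inc["first_seen"] > window:
            inc = {"src": a["src"], "dst": a["dst"], "category": key[2], "first_seen": a["ts"],
                   "tools": set(), "sigs": set(), "count": 0, "max_severity": 0}
            incidents.append(inc)
            open_groups[key] = inc                      # a stale group is simply superseded
        inc["count"] += 1
        inc["tools"].add(a["tool"])
        inc["sigs"].add(a["sig"])
        inc["max_severity"] = max(inc["max_severity"], a["severity"])
    return incidents


def score(inc):
    """Worst severity weighted by asset criticality, plus a bonus when independent tools agree."""
    return inc["max_severity"] * ASSET_CRITICALITY.get(inc["dst"], 1) + 2 * (len(inc["tools"]) - 1)


def route(inc):
    """Decide what happens to an incident: auto-handle, open a ticket, ask for confirmation, or review."""
    inc["risk"] = score(inc)
    cat = inc["category"]
    if cat in AUTO_PROTOCOLS and inc["risk"] < ESCALATE_AT:
        return {"action": "auto", "protocol": AUTO_PROTOCOLS[cat]}
    if inc["risk"] >= ESCALATE_AT:
        summary = f"{cat} {inc['src']} -> {inc['dst']} x{inc['count']}"
        return {"action": "escalate", "ticket": {"team": "soc", "summary": summary}}
    playbook = PLAYBOOKS.get(cat)
    if playbook is None:
        return {"action": "review"}
    # Guardrail: never propose blocking an address inside the organization's own ranges.
    if playbook == "block-source-ip" and any(ipaddress.ip_address(inc["src"]) in n for n in INTERNAL_NETS):
        return {"action": "review", "reason": "internal source"}
    return {"action": "confirm", "playbook": playbook}


def execute_playbook(decision, analyst_verdict):
    """Run the designated routine only after an analyst has confirmed the activity as malicious."""
    if decision["action"] != "confirm":
        raise ValueError("only 'confirm' decisions can be executed")
    if analyst_verdict != "malicious":
        return {"executed": False}
    return {"executed": True, "routine": decision["playbook"]}


def triage(alerts):
    """Full pipeline; `reduction` is the fraction of raw alerts eliminated by suppression and merging."""
    incidents = correlate(alerts)
    results = [{"incident": inc, "decision": route(inc)} for inc in incidents]
    return {"results": results, "reduction": 1 - len(incidents) / len(alerts)}
```

On the constructed input, nine raw alerts become five incidents: the three IDS/WAF alerts about the same source and target collapse into one incident whose score gets a corroboration bonus because two independent tools saw it; the scanner's alert is suppressed as a policy-defined false positive; the EDR credential-dump hit on the finance database scores highest and opens a ticket; the two link-utilization alerts are merged and handled by the automatic capacity protocol; the web attack from an internal address is held for human review instead of being offered to the block-IP playbook; and the repeat of the external web attack fifteen minutes later starts a new incident because it falls outside the window. Note that the window here is anchored on an incident's first alert, so a slow, steady attacker is deliberately split into several incidents rather than merged indefinitely.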
When choosing a solution to reduce SOC and NOC alerts, look for tools that integrate well with the organization's existing tooling and can provide real-time insight into the data collected from all of them (see the Siscale website for full information).
Can AI do total alert triage?
The short answer is no; it still needs human supervision and continuous monitoring. Using AI for alert triage does not make NOC and SOC teams obsolete. It removes the tedious work of investigating false positives and saves time that is better invested in analyzing real threats.
Today's organizations face a shortage of cybersecurity specialists. They can use any help they can get, and an AI-based triage system can make the difference between information paralysis and a well-managed security operation.
The cybersecurity engineer's role, however, remains unchanged when it comes to mitigating risks, minimizing damage, and creating policies to prevent future attacks.
Specialists worried that artificial intelligence (AI) might cost them their jobs should think of it as a tool and, at most, an assistant, not a competitor.
Most organizations that already use machine learning to minimize alert fatigue report higher productivity and better staff well-being, with lower stress levels and more time for internal innovation.
AI-powered alert triage is still regarded as an innovation and is favored mainly by large organizations already swamped with alerts. As IoT adoption grows, these tools will become necessary even for ordinary office management. AI alert triage systems will become common add-ons across verticals, including logistics, healthcare, manufacturing, and energy.