Most orgs struggle to manage alerts and vulnerabilities: Here’s how to fix it

Keeping up with modern threats isn’t easy, particularly when your security team has to manage 11,000 alerts per day.

A new ESG study by Kaspersky titled, SOC Modernization and the Role of XDR, was released earlier this week and revealed that 70% of organizations struggle to keep up with the volume of alerts generated by security analytics tools. 

Yet, it’s not just the explosion in security alerts that are impeding the productivity of security teams. It is also the number of vulnerabilities discovered that is overwhelming — with 28,695 discovered last year alone — a number too high for even the most well-resourced security team to mitigate. 

In the face of such a high volume of emerging vulnerabilities, it’s no surprise that NopSec’s latest report found that 70% of security professionals believe their vulnerability management program is only somewhat effective. So, how can organizations address these challenges head-on? 

Fixing alert sprawl 

For years, the high volume of alerts generated in the security operation center (SOC) from security tools has remained one of the biggest pain points that security analysts face. 

Analysts are often pressured to keep tabs on dozens of tools that are all generating their own unique alerts. Only a small portion of these notifications are useful and relate to active security incidents, while many are simply false positives.  

Research shows that 45% of all daily security alerts are false positives, which take up so many contact hours that 75% of enterprises report their organization spends an equal amount, or more time on false positives than on legitimate attacks. 

When it comes to addressing alert sprawl, Sergey Solodatov, head of SOC at Kaspersky, says that enterprises need to use automation to optimize their detection and response processes. 

“Automation at all stages of alert processing will help here,” Solodatov said. “For example, at our SOC, we have a patented AI-powered auto analyst that learns from an analysis of the history of alerts processed by the SOC analyst team.”  

He notes that the “auto analyst” is the first line of Kaspersky’s SOC, which has helped to reduce the number of false-positive alerts sent to the company’s SOC team for analysis by half. 

“For alerts that should be processed by the SOC team, it is necessary to create tools for their automated processing so that the SOC analyst can conveniently and quickly investigate the alert: quickly obtain the necessary additional information and visualization of attack stages,” Solodatov said. 

Climbing the mountain of vulnerabilities 

When trying to keep pace with the ever-growing number of security vulnerabilities, the answer for enterprises may lie in risk-based prioritization. 

One of the key findings from NopSec’s report was that 58% of professionals say they don’t use a risk-based rating system to prioritize vulnerabilities. These organizations have inefficient vulnerability management processes that are failing to secure high-risk vulnerabilities first. 

“The reality is that most organizations are drowning in vulnerability overload. Too many vulnerabilities, not enough context, and not enough manpower leads to these ineffective programs,” said CEO of NopSec, Lisa Xu. 

“Without the right kind of tool to provide real context and make sense of the thousands of vulnerabilities plaguing organizations, the battle is lost from the start,” Xu said. 

For Xu, the answer is for organizations to gather greater context over the severity of vulnerabilities present throughout their environment by using vulnerability management solutions with risk ratings. 

This way, security teams can prioritize the remediation of critical vulnerabilities first, rather than patching systems on an ad-hoc basis. 

Taking SOC operations to the next level 

Whether managing alerts or vulnerabilities, across the board, there is a dire need for security teams to pursue operational excellence. In practice, that not only means proactively mitigating and eliminating entry points to their environments, but also ensuring they have the intelligence and the visibility needed to spot intrusions. 

Kaspersky recommends organizations encourage security teams to work shifts in the SOC to avoid overworking staff and distributing tasks to reduce the likelihood of burnout. 

At the same time, the organization recommends deploying threat intelligence services that provide low-maintenance intelligence feeds that integrate with existing security tools like security information and event management (SIEM) systems. This helps provide greater visibility over the threat landscape and helps automate the triaging process. 

These measures can then be combined with managed detection and response (MDR) or extended detection and response (XDR) services to ensure that the organization has the processes in place to respond to live incidents fast. 

Ultimately, the answer to alert and vulnerability sprawl is to work smarter, rather than harder.