Security analysts working in the Security Operations Center (SOC) face a serious dilemma: Fear of Missing Incidents (FOMI). Being on the frontline of cybersecurity, analysts know how damaging it could be if their organization is breached. Not only is a breach costly ($3.86 million on average, according to a Ponemon Institute study), but it can also hurt the company’s reputation and put it in violation of any number of data privacy regulations.
Yet, security analysts have an impossible job. Every day they have to sift through hundreds or thousands of alerts—45% of them false positives—and find the potential incidents that could create the biggest risk impact. That’s a lot of pressure, and it’s having an adverse effect on analysts.
The constant flood of these alerts, of which nearly half are false positives, and the worry about FOMI lead to burnout. Analysts are always worried about what they missed, what they failed to notice in the logs. Or maybe we've tuned our environment to the point where we can no longer see all of the alerts. Whatever is causing the problem, analysts are feeling overwhelmed, but adding more people isn’t going to solve it. Humans aren’t going to scale to the enormity of the problem. The only valid approach to keeping the organization secure while avoiding analyst burnout is automation.
Losing Sleep Over FOMI
Three out of four analysts are worried about missing incidents, according to the Voice of the Analysts study from IDC. Six percent of those analysts are worried enough that they are losing sleep over FOMI.
“Many of the folks on the front line take it personally when they miss incidents,” said Christina Richmond, Program Vice President, Security Services with IDC. “And they worry a lot.”
But what’s interesting is what they do in response to that worry. If they get too many alerts, some people just ignore them, and that makes things worse. “Think of it, if you’re juggling 25 balls in the air, you’re going to drop one,” Richmond said. “Same thing with alerts. If you have thousands of alerts, you either have to tune your policy to better handle them, which only gets you so far, or you have to hire more analysts, which is difficult to do because there is a skills shortage, or you have to ignore them. And if you ignore them, you’re letting down yourself as an analyst, or there’s the potential for a major incident that becomes a breach.”
FOMI Is a Problem for MSSPs Too
Analysts in the SOC aren’t the only ones losing sleep over missed incidents. FOMI is a real problem for MSSPs, too. They approach the problem differently than the internal SOC (MSSPs are more likely to tune policies to reduce alert volume, while enterprises tend to hire more people, for example), but the MSSPs are essentially trying to do the same job with less visibility into their customers’ networks. This puts the service provider at a greater disadvantage. MSSPs have their share of anxieties over missing incidents because it can hurt their reputation. On the other hand, if they are able to catch an incident before any damage is done, the MSSP can put a positive spin on it and make themselves look like a hero to their customer.
Service providers and SOC analysts each have their own challenges to overcome, said Richmond. “Service providers need more help with the reporting. Analysts need help with detection and triage.” Service providers are hired to help hundreds of clients and not just their organization, she said, “so they have this additional burden of reporting.”
The stark realization of FOMI is a shortage of humans and an overabundance of alerts. It’s supply and demand, said Richmond. If you don’t have enough people, there’s a demand to find something to fill that skill set. At the same time, you have adversaries who are well skilled and well financed, and they are going to continue to overload the network with attempted attacks.
Automation allows us to do what isn’t humanly possible, in this case managing thousands of alerts efficiently and effectively (and without analyst burnout). Technologies like SOAR, SIEM and threat hunting platforms are the tools most commonly deployed by analysts to help alleviate FOMI. However, automation is the only valid approach to dealing with the alert volumes.
Leveraging technology to preprocess triage and response has become necessary to detect only those alerts that are potentially malicious. That’s one reason why two in five analysts have moved to the next step in automation: adopting AI and ML to improve the workflow beyond standard automation solutions. Analysts say they most want to be able to automate response and detection abilities. That's where eXtended Detection and Response (XDR) comes into play. Analysts are excited to talk about XDR because it's addressing a problem that no other solution has been able to address successfully. XDR stitches together all the pieces that create an incident in a much more complex way, using dozens of factors instead of just a few.
FOMI is real for analysts in the SOC and for MSSPs. Analyst burnout is also real. In the Voice of the Analysts study, this is what analysts, not CISOs, are telling us, and leadership needs to listen so teams can find the best solutions, the best mix of human and technology, to solve the problem of alert overload. That way everyone can get a good night’s sleep.
Keep the conversation going. Join the live FireEye webinar, “Fear of Missing Incidents – The Battle for Security Analysts,” on March 25 at 11 am PT. Download the IDC InfoBrief, sponsored by FireEye, “The Voice of the Analysts,” Doc. #US47227621, January 2021.