How Do SOC Teams Effectively Manage Alert Overload?

In our last Super Cyber Friday, "Hacking Alerts: An hour of critical thinking about triaging the deluge hitting your SOC," we explored the challenges SOC teams face in managing alert overload, strategies to reduce false positives and alert fatigue, and the integration of AI and machine learning into the alert triage process. Joining us for this discussion were host David Spark, producer of CISO Series, along with Itai Tevet, CEO of Intezer, and Russ Ayres, deputy CISO and head of cyber at Equifax. Dutch Schwartz of SideChannel also stepped in because we didn't think Russ would be able to make it.

HUGE thanks to our sponsor, Intezer

Watch the full video

Next Friday, 10-4-24, "Hacking Job Stagnation"

Join us next Friday, October 4th, 2024, for our Super Cyber Friday, “Hacking Job Stagnation: An hour of critical thinking about what to do when you're stuck in a rut.”

>> REGISTER for 10-04-24 Super Cyber Friday "Hacking Job Stagnation" <<

Did you know that we have an events calendar? Visit our events page to subscribe so you can stay updated on Super Cyber Friday and other CISO Series content.

Best quotes from our guests

“The burnout I see is a real issue. In other domains, there are more flexible ways to rotate people through. I’d love to see that in the SOC, even if just for a day or two to give people decompression time.” - Dutch Schwartz, SideChannel

“Most of the trouble we see is this deluge of alert fatigue… We get new technologies that are showing up all the time. You build some detections in some way. You scope that to exactly the false positive rate that you want. You get everybody involved. You set all the parameters that should be set to get it through the rest of your triage process. And then you get a new technology, you get a new thing. And then all of a sudden you're back to square one.” - Russ Ayres, Equifax

“Let’s assume there is an unknown thing that will hit you. Let’s just build the process so that it is ready for an alert that you haven’t recognized.” - Russ Ayres, Equifax

“The two most common alerts we hear about are 'impossible travel,' like when a user is flagged for being in Sri Lanka and the United States within 15 minutes—99% of these are false positives. The other frequent alert is reported phishing emails from employees, which are also mostly false positives.” - Itai Tevet, Intezer

“If you send someone a thousand things to look at, you won't get a thousand times the effort. But if you target the one alert that matters, you get a thousand times more effort out of that person.” - Russ Ayres, Equifax

“An important strategy is tuning out unnecessary alerts, but be careful not to filter out low signals that might mean something. Tune out the noise, but ensure you're not disabling detection tools that alert you to anomalies.” - Itai Tevet, Intezer
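Itai Tevet's two points above, the impossible-travel alert that is almost always a false positive and the need to tune out noise without disabling the detection, in working code. This is an added example, not from the discussion, Intezer or Equifax: the sign-in events are constructed, the corporate VPN egress ranges are hypothetical documentation prefixes, and the 1000 km/h plausibility ceiling is an assumption.

```python
"""Impossible-travel triage with noise suppression.

Added example, not from the CISO Series page or any vendor product. It
walks constructed sign-in events (not real telemetry), computes the speed
a user would have needed between consecutive sign-ins, and then applies
the tuning a SOC would typically add: an allowlist of known corporate VPN
egress ranges (hypothetical CIDRs) and a severity downgrade instead of
disabling the rule outright.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumed ceiling, roughly airliner cruise speed

# Hypothetical corporate VPN egress ranges (RFC 5737 documentation prefixes).
# A real list would come from the network team's inventory, not be hard-coded.
KNOWN_EGRESS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


@dataclass
class SignIn:
    user: str
    ts: datetime
    src_ip: str
    lat: float
    lon: float
    country: str


@dataclass
class Alert:
    user: str
    severity: str       # "high" pages someone, "low" is recorded for correlation
    speed_kmh: float
    reason: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def is_known_egress(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def evaluate_pair(prev: SignIn, cur: SignIn) -> Optional[Alert]:
    """Return an Alert if the hop between two sign-ins is physically implausible."""
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        speed = float("inf") if dist > 0 else 0.0
    else:
        speed = dist / hours
    if speed <= MAX_PLAUSIBLE_KMH:
        return None
    # Tuning layer: a hop that lands on (or leaves) known VPN egress is the
    # usual benign cause. Downgrade it rather than drop it, so the low signal
    # is still recorded and can be correlated with other detections.
    if is_known_egress(prev.src_ip) or is_known_egress(cur.src_ip):
        return Alert(cur.user, "low", speed, "implausible hop via known VPN egress")
    return Alert(cur.user, "high", speed,
                 f"{prev.country}->{cur.country} at {speed:.0f} km/h")


def triage(events: List[SignIn]) -> List[Alert]:
    """Group events per user, sort by time and evaluate each consecutive pair."""
    by_user: Dict[str, List[SignIn]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    alerts: List[Alert] = []
    for user_events in by_user.values():
        user_events.sort(key=lambda e: e.ts)
        for prev, cur in zip(user_events, user_events[1:]):
            a = evaluate_pair(prev, cur)
            if a:
                alerts.append(a)
    return alerts


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: alice "travels" Colombo -> New York in 15 minutes but the
# second sign-in arrives via corporate VPN egress (benign); bob makes the same
# hop from two unknown addresses (suspicious); carol stays in Berlin all day.
SAMPLE_EVENTS = [
    SignIn("alice", _t("2024-09-27T09:00:00"), "192.0.2.10", 6.93, 79.85, "LK"),
    SignIn("alice", _t("2024-09-27T09:15:00"), "203.0.113.7", 40.71, -74.01, "US"),
    SignIn("bob", _t("2024-09-27T09:00:00"), "192.0.2.20", 6.93, 79.85, "LK"),
    SignIn("bob", _t("2024-09-27T09:15:00"), "192.0.2.99", 40.71, -74.01, "US"),
    SignIn("carol", _t("2024-09-27T08:00:00"), "192.0.2.30", 52.52, 13.40, "DE"),
    SignIn("carol", _t("2024-09-27T17:00:00"), "192.0.2.31", 52.52, 13.41, "DE"),
]


def run_sample() -> Dict[str, str]:
    """Map each alerting user to the severity the rule assigned."""
    return {a.user: a.severity for a in triage(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a.severity:<5} {a.user:<6} {a.speed_kmh:9.0f} km/h  {a.reason}")
```

The part that matters is the second branch of `evaluate_pair`: the 99% benign case (a hop that touches known egress) is downgraded to low severity and still emitted, rather than the rule being switched off. Bob's hop, which looks identical in distance and time but involves no known egress, still pages at high severity.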

Quotes from the chat room

“Awareness does not mean ‘careness.’ The fundamental disconnect is that we have to tune company culture so that all employees internalize ‘doing things safely is just how we do things here at Spark Corp.’” - Dutch Schwartz, vice president of cloud services, SideChannel

“Cyber professionals hate all the mandatory training we are forced to take, but somehow we expect others to love our mandatory awareness training classes.” - Ross Young , CISO-in-residence, Team8

“Don't notify on every alert. If an action doesn't exist, no need to wake someone up.” - James S., sr. DevOps contractor, Beacon Hill

James S.

Sr DevSecOps Eng specializing in Kubernetes, Observability and the Cloud.

5 months

The one thing I took away from the after meeting can be condensed into this: in order to know when something worth investigating is happening, you first need to have an established baseline of what your system/network/product looks like when there's nothing nefarious happening.
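James S.'s baseline point in working code. This is an added example, not part of his comment or the original post: the hourly connection counts and destination port sets are constructed, and the z-score threshold, minimum sample count and standard-deviation floor are assumed values chosen for illustration rather than recommended production settings.

```python
"""Baseline first, then alert on deviation.

Added example, not from the discussion or any product. It learns a per-host
baseline from a constructed "quiet" window (hourly outbound connection
counts and destination ports seen while nothing nefarious is happening),
then scores a later window against that baseline. Hosts without enough
quiet history are recorded but never promoted to an alert.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

Z_THRESHOLD = 3.0    # assumed: flag volume more than 3 stdev above the mean
MIN_SAMPLES = 8      # assumed: fewer baseline hours than this is not trustworthy
STDEV_FLOOR = 1.0    # assumed: avoids division by zero on a perfectly flat baseline


@dataclass
class HourRow:
    hour: str
    conns: int
    ports: List[int]


@dataclass
class HostBaseline:
    mean_conns: float
    stdev_conns: float
    known_ports: Set[int]
    samples: int


@dataclass
class Finding:
    host: str
    hour: str
    kind: str     # "volume", "new_port" or "unbaselined"
    detail: str


def build_baseline(quiet: Dict[str, List[HourRow]]) -> Dict[str, HostBaseline]:
    """Summarise each host's quiet window into a volume profile and a port set."""
    baselines: Dict[str, HostBaseline] = {}
    for host, rows in quiet.items():
        counts = [r.conns for r in rows]
        ports: Set[int] = set()
        for r in rows:
            ports.update(r.ports)
        baselines[host] = HostBaseline(mean(counts), pstdev(counts), ports, len(counts))
    return baselines


def score(baselines: Dict[str, HostBaseline],
          observed: Dict[str, List[HourRow]]) -> List[Finding]:
    """Compare each observed hour against the host's baseline."""
    findings: List[Finding] = []
    for host, rows in observed.items():
        b = baselines.get(host)
        for r in rows:
            if b is None or b.samples < MIN_SAMPLES:
                # Nothing trustworthy to compare against yet: record it for the
                # analyst building the baseline, but it is not a page-worthy alert.
                n = 0 if b is None else b.samples
                findings.append(Finding(host, r.hour, "unbaselined",
                                        f"only {n} baseline samples"))
                continue
            # Volume deviation relative to the quiet window.
            z = (r.conns - b.mean_conns) / max(b.stdev_conns, STDEV_FLOOR)
            if z > Z_THRESHOLD:
                findings.append(Finding(host, r.hour, "volume",
                                        f"{r.conns} conns, z={z:.1f} vs mean {b.mean_conns:.0f}"))
            # Destination ports never seen during the quiet window.
            new_ports = set(r.ports) - b.known_ports
            if new_ports:
                findings.append(Finding(host, r.hour, "new_port",
                                        f"never-seen ports {sorted(new_ports)}"))
    return findings


# Constructed data: web01 has ten quiet hours of steady HTTPS/DNS traffic;
# db01 has only three, too few to trust.
QUIET: Dict[str, List[HourRow]] = {
    "web01": [HourRow(f"q{i}", c, [443, 53])
              for i, c in enumerate([95, 102, 110, 98, 100, 105, 92, 108, 101, 99])],
    "db01": [HourRow(f"q{i}", c, [5432]) for i, c in enumerate([20, 22, 19])],
}

OBSERVED: Dict[str, List[HourRow]] = {
    "web01": [
        HourRow("h1", 105, [443, 53]),        # within normal range
        HourRow("h2", 400, [443, 53]),        # volume spike
        HourRow("h3", 98, [443, 53, 4444]),   # new destination port
    ],
    "db01": [HourRow("h1", 21, [5432])],
}


def run_sample() -> List[Tuple[str, str, str]]:
    """Return (host, hour, kind) for each finding on the constructed data."""
    return [(f.host, f.hour, f.kind) for f in score(build_baseline(QUIET), OBSERVED)]


if __name__ == "__main__":
    for f in score(build_baseline(QUIET), OBSERVED):
        print(f"{f.host:<6} {f.hour:<3} {f.kind:<12} {f.detail}")
```

Two things fall out of separating baseline construction from scoring: the same hour (h1 at 105 connections) is silent because the quiet window says that is normal, and db01 produces nothing actionable because three hours is not a baseline. A SOC that skips the first step gets both of those as alerts.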

