Perhaps due to several factors, such as the lack of an integrated defense system or the lack of staff time, organizations are able to investigate only a little more than half the security alerts they receive in a given day. As shown in Figure 52, 56 percent of alerts are investigated and 44 percent are not; of the alerts that are investigated, 28 percent are deemed legitimate. Forty-six percent of legitimate alerts are then remediated.
To put the problem into more concrete terms, if an organization records 5000 alerts per day, this means:
- 2800 alerts (56 percent) are investigated, while 2200 (44 percent) are not
- Of those investigated, 784 alerts (28 percent) are legitimate, while 2016 (72 percent) are not
- Of the legitimate alerts, 360 (46 percent) are remediated, while 424 (54 percent) are not remediated
The fact that nearly half of all alerts go uninvestigated should raise concern. What is in the group of alerts that is not being remediated? Are they low-level threats that might merely spread spam, or could they lead to a ransomware attack or cripple a network? To investigate and understand a greater slice of the threat landscape, organizations need to rely on automation as well as properly integrated solutions. Automation can help stretch precious resources and remove the burden of routine detection and investigation from the security team.
The inability to review so many alerts raises questions about their impact on an organization's overall success. What could these uninvestigated threats do to productivity, customer satisfaction, and confidence in the enterprise? As respondents told us, even small network outages or security breaches can have long-term effects on the bottom line. Even when losses were relatively minor and the affected systems were fairly easy to identify and isolate, security leaders regarded breaches as significant because of the stress they put on the organization.