Automating false positives in your SOC

Alerts are undoubtedly critical in delivery of an effective Cybersecurity operation, but sheer volume of alerts can be crippling to a SOC. In this blog we’ll talk about the steps you can take to reduce the false positive alerts, freeing up your analysts to provide more pro-active defence and less ‘alert bashing’. We talk openly about the challenges we’ve faced in this area and how we’ve seen drastic improvement through a process designed to save analyst time without increasing security risk.

The challenge

When we talk to customers, one of the most common challenges is analyst retention and recruitment. And one of the biggest reasons for analysts leaving organisations is the nature of the work, often they’ll want to be getting involved in interesting investigations, but can end up simply responding to alerts, with a staggering percentage being false positives that still need reviewing and closing.

We firmly believe that analysts should be elevated above simple ‘alert bashing’ and whilst this will still be an element of the job, it should be a minor element, with more time given to more valuable tasks to the defence of a network. Tasks such as vulnerability analysis, playbook crafting, pro-active threat hunting, incident response planning, customer engagement and more.

How we automated 80% of alerts

As a business that focuses on delivering a SOC-as-a-Service, we face the same problems that many non-security specialist organisations face. From a peak in March 2020 we built out a plan to seriously cut back on human-processed alerts and by August 2020 we had halved this number, whilst taking on new customers and since then, for some customers we’ve seen as many as 80% of alerts being automated.

We knew that automating alerts could be risky, given that there’s the chance to miss a genuine threat if it’s too close to an automation rule and that’s why we didn’t set out to fix anything overnight.

Continuous improvement

We started with a new swarm team assessing the noisiest alerts, reviewing them daily, weekly and monthly to understand what could be automated and triple-checking in each instance to be sure we weren’t missing a potential threat. In fact, at the start of this process, it took us longer to automate and then review the alerts we had than if an analyst had just looked at them, but we knew the end goal would be critical to our service improvements.

We deeply evaluated each type of alert, working through the playbook steps an analyst would take and pinpointing what step or piece of information would allow that alert to be safely closed.

We’re not going to sit here and pretend we’ve got it absolutely perfect, but each day, week and month we improve both our service and our automation capability.

Fix it yourself or pass the challenge onto another company?

Depending on your set up and capability, it may be better to engage in a trusted partner to take the alerts from your team, automating and manually analysing them (using co-authored playbooks, suited to your organisation and risk appetite) and then passing over real tickets and incidents for your security team to look at. Not only will this reduce the time your teams spend on the mundane, but it can also enrich their jobs significantly, giving them time for professional development and only getting involved in the more interesting investigations.

If you’d like to find out more about how we continue to improve our automation capability, or are interested in how we work with organisations across all sectors to reduce the mundane and improve their security then email us on info@e2e-assure.com or visiting e2e-assure.com/contact.