Most CISOs and CSOs are worried that a growing volume of alerts is causing burnout among their teams, according to new research from IDG. You can learn about additional challenges to security operations teams by reading the IDG report SIEM Shift: How the Cloud is Transforming Security Operations.
In terms of SIEM-related challenges, 42 percent of respondents cited alert fatigue, second only to capacity issues (45 percent). Perhaps more worrisome is the fallout from dealing with voluminous alerts, including longer response times, more requests for additional staffing, and missed threats.
“There are admittedly a lot of dead ends that are being chased,” said the senior principal architect from a financial services firm. “You don’t want to ignore things by clicking them off and I’ve seen that people do that.”
Yet, there’s also evidence that companies with cloud-based SIEM solutions like Azure Sentinel, a cloud-native SIEM that leverages artificial intelligence (AI) and threat intelligence based on decades of Microsoft security experience, are less likely to feel these pains than their on-premises counterparts.
The effects of alert fatigue on IT staff
In fact, the CISO of an electronics company cited improved alert management as among the primary motivations for shifting to cloud-based SIEM.
“Common drivers were lack of internal knowledge, overall data volumes, and the need to have correlated, aggregated alerts that boil up to what are the most important things we should be looking at,” he said. “Simply said, we needed a single pane of glass.”
Higher levels of intelligence
Aggregation and correlation with a cloud SIEM solution allow organizations to become more proactive with their security strategies.
“We gained a lot [in terms of] the event aggregation, consolidation, and risk rating of events,” said the CISO, adding that threat correlation enabled a whole new level of SOC intelligence so they could get ahead of triage work.
Another way of putting it: “Aggregated intelligence,” according to the head of architecture, security, and privacy for a digital services provider. He suggests companies can only gain deep analysis of threats and vulnerabilities with the cloud.
“You need the cloud version because the vast amount of data that is required is only available, stored, and processed in the cloud,” he said. “If it’s onsite, you can hit the most targeted use cases, but you cannot have that aggregated intelligence that will help you prevent really big, incremental strategic attacks.”
Furthermore, SIEM solutions born in the cloud take advantage of native integrations to speed these correlations. In addition, they often use automation and AI and machine learning technology to power real-time threat detection, protection, and response—reducing alert fatigue and freeing up security teams for more strategic work.
“Babysitting an on-prem SIEM and addressing the myriad of alerts that it generates is a very tactical issue,” said Bob Bragdon, Senior Vice President and Publisher, CSO.
“One of the challenges that security organizations face is getting actionable intelligence out of all their security investments,” Bragdon said. “With a move to a cloud-based SIEM, enterprises can redirect resources that were invested to support an on-prem SIEM to other more strategic or higher-priority tasks.”
Learn about other areas where on-premises and cloud-based SIEM like Azure Sentinel measure up by reading the IDG report SIEM Shift: How the Cloud is Transforming Security Operations.
For more information about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.
