As cyber attacks continue to grow in number and severity, many organizations find that they are unable to deal with the threat effectively. In an attempt to quell and contain these threats, the modern security operations center (SOC) has become a complicated patchwork of disparate tools, each designed to tackle the problem from its own angle. As each additional tool does its job, it produces information that resides in its own silo, generating an endless stream of alerts to be processed. As these alerts pour in, they flood analysts with excess data, leaving them unable to separate real threats from the noise and therefore unable to respond effectively.

Our researchers at Siemplify wanted to understand how many alerts, if any at all, were duplicates stemming from the myriad of tools in use, and how much time and other resources were being wasted processing them in the typical SOC. Our research team analyzed statistics collected from more than 9,500 alerts (cases) over a three-month period from the SIEM system at a typical Siemplify client. The discovery is startling.

As we sifted through the data, we found that over a third of the alerts were duplicates: exactly the same alerts that had already been “processed” and dealt with earlier. It is clear that these duplicate alerts are likely one of the major factors flooding the SOC and creating a backlog that impedes analysts’ ability to perform their job effectively.

Addressing this duplication and lack of visibility is mission critical as SOC teams seek to mature and improve SOC effectiveness.

Definition of “Exact Duplicate” Alerts

Two alerts are considered exact duplicates if they have the same source and destination, were issued by the same product, and carry the same alert name. These criteria allowed us to conduct our research within tightly controlled parameters.
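The following Python snippet is an added example, not code from the Siemplify research or the article, showing how that four-field definition can be applied to a SIEM export to measure the duplicate share and spot the noisiest alert signatures. The `Alert` field names and the sample alerts are constructed for illustration; the only assumption beyond the definition above is that timestamps and alert IDs are ignored, so an alert repeated hours later still counts as a duplicate.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One SIEM alert. The field names are an assumption for this example."""
    alert_id: str
    timestamp: str
    product: str
    name: str
    source: str
    destination: str


def dedup_key(alert: Alert) -> tuple:
    """The four fields the article uses to define an exact duplicate.
    Timestamp and alert_id are deliberately excluded: two alerts raised
    at different times are still duplicates under this definition."""
    return (alert.source, alert.destination, alert.product, alert.name)


def find_duplicates(alerts):
    """Return (unique_alerts, duplicate_alerts). The first alert seen with a
    given key is the case to work; every later alert with the same key is a duplicate."""
    seen = set()
    unique, duplicates = [], []
    for alert in alerts:
        key = dedup_key(alert)
        if key in seen:
            duplicates.append(alert)
        else:
            seen.add(key)
            unique.append(alert)
    return unique, duplicates


def duplicate_ratio(alerts) -> float:
    """Share of the feed that is exact duplicates (0.0 for an empty feed)."""
    if not alerts:
        return 0.0
    _, duplicates = find_duplicates(alerts)
    return len(duplicates) / len(alerts)


def top_duplicate_keys(alerts, n=3):
    """Rank dedup keys by how many alerts they absorb; a starting point for
    deciding which detection rules or integrations to tune first."""
    counts = Counter(dedup_key(a) for a in alerts)
    return [(key, count) for key, count in counts.most_common(n) if count > 1]


# Constructed sample feed (not real data): 6 alerts, 2 of which repeat an earlier one.
SAMPLE_ALERTS = [
    Alert("A1", "2021-01-04T08:00:00Z", "EDR", "Suspicious PowerShell", "10.0.0.5", "10.0.0.9"),
    Alert("A2", "2021-01-04T08:02:00Z", "IDS", "Port Scan", "10.0.0.7", "10.0.0.1"),
    Alert("A3", "2021-01-04T08:05:00Z", "EDR", "Suspicious PowerShell", "10.0.0.5", "10.0.0.9"),  # duplicate of A1
    Alert("A4", "2021-01-04T08:10:00Z", "EDR", "Suspicious PowerShell", "10.0.0.6", "10.0.0.9"),  # different source: not a duplicate
    Alert("A5", "2021-01-04T09:00:00Z", "IDS", "Port Scan", "10.0.0.7", "10.0.0.1"),  # duplicate of A2, an hour later
    Alert("A6", "2021-01-04T09:30:00Z", "Proxy", "Suspicious PowerShell", "10.0.0.5", "10.0.0.9"),  # different product: not a duplicate
]

if __name__ == "__main__":
    unique, dups = find_duplicates(SAMPLE_ALERTS)
    print(f"{len(dups)} of {len(SAMPLE_ALERTS)} alerts are exact duplicates "
          f"({duplicate_ratio(SAMPLE_ALERTS):.0%})")
    for alert in dups:
        print("  duplicate:", alert.alert_id, dedup_key(alert))
    for key, count in top_duplicate_keys(SAMPLE_ALERTS):
        print("  repeated key:", key, "x", count)
```

Note that A4 and A6 differ from A1 in only one of the four fields and are therefore kept as separate cases; the definition is strict on purpose, so the duplicate share it reports is a lower bound on the noise an analyst actually sees.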

Read the full article on Security Magazine to learn more about the research and its findings.