December 11, 2020

Reducing Alert Triage Time in the Security Operations Center (SOC)

The Security Operation Center (SOC) is the centerpiece of the modern security program, centralizing various functions across a medley of skilled people, workflows, and processes — and an integrated array of technologies.  

The apparatus is intended to fulfill numerous functions, including the: 

  • Detection, review, and analysis of security incidents
  • Collection and aggregation of security threat data and synthesis into threat intelligence
  • Monitoring and management of risk and the overall improvement of the security posture

Time is one of the most important elements in every function of the SOC, as seen in metrics like time to attribution, mean time to detection (MTTD), mean time to response (MTTR), and mean time to containment (MTTC). SOC staffing is typically planned and adjusted to meet objectives against one or more of these metrics.

Key Inefficiency in the SOC: Alert Triage

Enterprises typically run a 24 x 7 x 365 SOC with three staffed shifts, averaging six security analysts per shift. The average security analyst spends 75 percent of each shift (six hours = 360 minutes) triaging the alerts their SIEM has driven to their monitoring screen.

Security analysts will spend an average of ten minutes for each security incident they review, with half that time (five minutes) spent manually correlating disparate data sources to obtain complete context, asset prioritization and cross analysis.  

This means as much as three hours per day per analyst is spent obtaining access to and gathering key information about the particular asset in question.  

This is simply a poor use of time — and a crucial inefficiency hampering an organization’s ability to effectively manage risk over time. This inefficiency severely impairs MTTR and MTTC metrics.

Explicit Details Needed To Analyze Security Incidents

Depending on the alert, security analysts will need various data points to answer important questions, including:

  • Is the alert real or a false positive?  
  • Is there a mitigating control in place for the attack type and alert?  
  • Is the device susceptible to the attack?  
  • If the device is susceptible to the attack, how important is the device in question?  
  • What is the priority of the alert, and what is the potential impact to the organization of the attack? 

To answer these questions, security analysts need access to contextual information like: 

  • Operating system version and patch level
  • Network interfaces
  • The presence or absence of security patches
  • Open ports
  • Device admin and last used user
  • Where the device was seen communicating on the network
  • Existing vulnerabilities on the device
  • The presence or absence of security agents, including versions and security policies
  • Installed software including version(s) and vendors

The big problem is this information does not exist in one place. Or two. Or even three, in most companies. The information exists in disparate sources, forcing the analyst to waste valuable time collecting and synthesizing the puzzle pieces before triaging an alert.
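The correlation work described above can be shown concretely. The following is an added example, not Axonius code: it joins three constructed feeds (a CMDB export, an EDR agent inventory, and a vulnerability-scanner export, each keyed differently) into one record per device and then answers the triage questions from the list above for a given alert. All hostnames, IPs, field names, the alert signatures and the CVE-EXAMPLE placeholders are assumptions made for illustration.

```python
"""Correlate asset context from several constructed sources for alert triage.

Added example, not Axonius code. The three feeds below are constructed sample
data; field names, hosts, IPs and CVE-EXAMPLE identifiers are placeholders.
"""

# Constructed sample records: each source knows the device by a different key.
CMDB = [
    {"hostname": "fin-db-01", "ip": "10.1.20.15", "owner": "alice", "criticality": "high",
     "os": "Windows Server 2016", "patch_level": "2020-10"},
    {"hostname": "hr-ws-07", "ip": "10.1.40.22", "owner": "bob", "criticality": "low",
     "os": "Windows 10", "patch_level": "2020-11"},
]
EDR_AGENTS = [
    {"host": "FIN-DB-01", "agent_version": "4.2.1", "policy": "server-strict"},
    # hr-ws-07 is deliberately absent: the security agent is missing on that device.
]
VULN_SCAN = [
    {"ip": "10.1.20.15", "cve": "CVE-EXAMPLE-0001", "port": 445, "severity": "critical"},
    {"ip": "10.1.40.22", "cve": "CVE-EXAMPLE-0002", "port": 3389, "severity": "high"},
]
# Constructed mapping from an alert signature to the weakness it targets.
ALERT_SIGNATURES = {
    "smb-exploit-attempt": {"cve": "CVE-EXAMPLE-0001", "port": 445},
    "rdp-bruteforce": {"cve": "CVE-EXAMPLE-0002", "port": 3389},
}


def build_inventory():
    """Join the three feeds into one record per device, keyed by lowercase hostname.

    The scanner only knows IPs, so IPs are resolved to hostnames via the CMDB."""
    inventory = {}
    ip_to_host = {}
    for rec in CMDB:
        host = rec["hostname"].lower()
        ip_to_host[rec["ip"]] = host
        inventory[host] = {**rec, "hostname": host, "agent": None, "vulns": []}
    for rec in EDR_AGENTS:
        host = rec["host"].lower()  # EDR reports hostnames in upper case
        if host in inventory:
            inventory[host]["agent"] = {"version": rec["agent_version"], "policy": rec["policy"]}
    for rec in VULN_SCAN:
        host = ip_to_host.get(rec["ip"])
        if host:
            inventory[host]["vulns"].append(rec)
    return inventory


def lookup(inventory, key):
    """Find a device by hostname or IP, the way an analyst would from an alert."""
    key = key.lower()
    if key in inventory:
        return inventory[key]
    for dev in inventory.values():
        if dev["ip"] == key:
            return dev
    return None


def triage_context(inventory, alert_host, signature):
    """Answer the triage questions for one alert from the correlated record."""
    dev = lookup(inventory, alert_host)
    if dev is None:
        return {"known_device": False}  # unknown asset: escalate rather than close
    sig = ALERT_SIGNATURES[signature]
    susceptible = any(v["cve"] == sig["cve"] for v in dev["vulns"])
    agent_present = dev["agent"] is not None
    if not susceptible:
        priority = "low"  # the alert does not match a weakness this host has
    elif dev["criticality"] == "high":
        priority = "critical"
    elif not agent_present:
        priority = "high"  # susceptible and no mitigating control in place
    else:
        priority = "medium"
    return {
        "known_device": True,
        "hostname": dev["hostname"],
        "owner": dev["owner"],
        "susceptible": susceptible,
        "mitigating_control": agent_present,
        "agent": dev["agent"],
        "priority": priority,
    }


if __name__ == "__main__":
    inv = build_inventory()
    print(triage_context(inv, "10.1.20.15", "smb-exploit-attempt"))
    print(triage_context(inv, "hr-ws-07", "rdp-bruteforce"))
    print(triage_context(inv, "hr-ws-07", "smb-exploit-attempt"))
```

The join is the part that costs an analyst minutes when done by hand: every source uses a different key and a different case for the same device, and a device missing from one feed (here, the workstation with no EDR agent) is itself a finding rather than a gap to be ignored.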

Immediate Access To Key IT Asset Details With Axonius

“We struggled to understand all of our assets. This was a way to pull together assets in a real way, without the traditional scanning and labeling. Axonius has helped us to get a handle on everything in the environment and start to label system owners. It shows control gaps quickly and has allowed us to gain much greater visibility into our environments.”

Axonius Customer Review, Gartner Peer Insights

By connecting to over 300 security and management solutions, Axonius collects and correlates information about assets to give customers a complete, contextual, and always up-to-date asset inventory.

This approach gives organizations a comprehensive inventory within a day, avoiding the shortcomings and challenges of traditional asset management approaches (agent, scan, NAC, and CMDB). With as few as six data sources connected, Axonius produces a full, deduplicated inventory across the enterprise in just a few hours.

We’ve heard from customers that the inventory created by Axonius shortens triage time by 50 percent or more. 

From a customer’s review:

“This is a tool you need, but may not fully realize you need. You also may not realize how useful it will be for day-to-day support/analyst/engineer use. Axonius has reduced the time it takes to find asset information from what, for us, used to sometimes be 30-60 minutes to under 30 seconds -- it's been a huge efficiency win. It also shines light on dark places in the environment where asset repositories may have gotten cluttered and where assets may be missing a bulk of the tooling you'd expect to see.”

By simply entering an IP address, hostname, or device name in Axonius, analysts get instant access to complete and up-to-date device information, including vulnerabilities, patches, deployed or missing agents, agent versions, security agent policies, local admins and users, network interfaces, and more.

Moreover, Axonius aggregates user information from the data sources and provides the analyst with device-user associations, shortcutting several steps for the analyst.

Cost & Time Recovery

By automating the essential data gathering tasks, organizations dramatically increase productivity of their SOC personnel. Axonius allows the security operations team to analyze more alerts in a shorter period of time, thereby increasing visibility, reducing MTTR, ultimately reducing corporate risk (downtime, loss of IP, reputation loss) and costs. 

The efficiency of SOC processes will vary from one company to the next, but here is a sample calculation for cost and time recovery. Estimate your own costs by substituting your own figures.

  • The average loaded cost of an IT security engineer is $175,000. This is known as the Full Time Engineer cost (FTE).
  • 3 shifts x 6 security analysts x 6 hours of analysis time = 108 hours (or 6,480 minutes)/day
  • If the average incident triage takes 10 minutes, then 648 security incidents are handled daily
  • Axonius removes 50 percent of the time spent conducting manual data collection and contextualization (0.50 x 5 minutes = 2.5 minutes shorter triage time) 
  • 2.5 minutes of time savings x 648 security incidents triaged = 1,620 minutes per day
  • 1,620 minutes per day x 365 days = 591,300 minutes per year = 9,855 hours annually
  • 9,855 hours annually ÷ 2,080 working hours per FTE per year = 4.74 FTEs
  • 4.74 FTEs x $175,000 = $829,500 of cost repurposing
  • 4.74 FTEs ÷ 18 total headcount over 3 shifts = 26% improvement in SOC efficiency
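To make the substitution the text invites easier, here is the calculation above as a parameterized function. This is an added example, not Axonius code; the defaults reproduce the figures in the list (the post rounds the FTE figure to 4.74 before multiplying by the loaded cost, which is why it shows $829,500 where the unrounded product is a few hundred dollars lower).

```python
"""Cost and time recovery calculator for the SOC triage estimate.

Added example, not Axonius code. Defaults reproduce the post's figures;
pass your own values to estimate your own environment.
"""


def soc_recovery(shifts=3, analysts_per_shift=6, analysis_hours_per_shift=6,
                 triage_minutes=10, context_minutes=5, automation_fraction=0.5,
                 fte_cost=175_000, hours_per_fte_year=2080, days_per_year=365):
    """Return per-day, per-year and FTE-equivalent savings as a dict.

    context_minutes is the part of each triage spent gathering asset context;
    automation_fraction is the share of that time an inventory lookup removes.
    """
    # Total analysis capacity per day, in minutes.
    analysis_minutes_per_day = shifts * analysts_per_shift * analysis_hours_per_shift * 60
    # How many incidents that capacity triages at the current per-incident cost.
    incidents_per_day = analysis_minutes_per_day / triage_minutes
    # Time recovered per incident, then per day and per year.
    minutes_saved_per_incident = automation_fraction * context_minutes
    minutes_saved_per_day = minutes_saved_per_incident * incidents_per_day
    hours_saved_per_year = minutes_saved_per_day * days_per_year / 60
    # Express the recovered hours as full-time equivalents and as cost.
    fte_recovered = hours_saved_per_year / hours_per_fte_year
    headcount = shifts * analysts_per_shift
    return {
        "analysis_minutes_per_day": analysis_minutes_per_day,
        "incidents_per_day": incidents_per_day,
        "minutes_saved_per_incident": minutes_saved_per_incident,
        "minutes_saved_per_day": minutes_saved_per_day,
        "hours_saved_per_year": hours_saved_per_year,
        "fte_recovered": fte_recovered,
        "cost_recovered": fte_recovered * fte_cost,
        "efficiency_gain": fte_recovered / headcount,
    }


if __name__ == "__main__":
    for name, value in soc_recovery().items():
        print(f"{name:>28}: {value:,.2f}")
```

The two inputs most worth replacing with measured values are context_minutes and automation_fraction: the rest are staffing facts you already know, while those two decide whether the estimate is optimistic.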

The above example is just one area where an asset inventory can be leveraged to improve efficiency, reducing time and cost of a typical SOC activity. Many other examples exist, including:

  • Reduced time for audit
  • Penetration testing and vulnerability scanning preparation
  • Reduced time to surface machines with the latest known vulnerabilities
  • Reduced time to identify devices with missing and broken security agents
  • Reduced time to identify security agent hygiene and policy discrepancies

Learn more about how Axonius can help you make the business case for deploying a next generation asset inventory platform inside the SOC.
