Most alerts in our SOC are handled by machines. How can we reduce pressure on analysts and focus on real cybersecurity?


20. 05. 2026

Since the beginning of the year, we have processed approximately 80,000 alerts in our cybersecurity operations centre (SOC). As many as 60,800 of them were closed by automated systems without any human intervention. The remaining 19,200 unique alerts, which genuinely required human decision-making, received the truly focused attention of our analysts. Automation brings a key change to the work of security teams: it does not take work away from people, but removes the routine that would unnecessarily slow them down and professionally exhaust them.

Every October, several of the world’s leading countries observe Cybersecurity Awareness Month. An integral part of it is also drawing attention to fatigue among IT workers, which is caused, among other things, by constant bombardment with tickets, alerts, and requests. Various tools can significantly improve protection and visibility across an environment. The common price for this is that they also generate a massive volume of alerts.

When analysts face a flood of potential attacks, they can very quickly become overwhelmed. Many attacks succeed not because a security tool failed and did not generate an alert, but because an analyst missed it or even unintentionally ignored it. How can this be avoided? These are our tips on how to throw tons of so-called “monkey work” literally out the window and focus on real incidents and threats.

SOAR gives the analyst comprehensive support

Every company has different infrastructure, tools, and processes. One client uses Entra ID, another Intune, another has a specific SIEM solution or its own internal systems. Expecting an L1 analyst to perfectly navigate all consoles and interfaces of every client would be unrealistic.

At Binary Confidence we integrate these technologies into SOAR. It is the foundation of overall efficiency and the central environment that connects the client’s security technologies in one place. The entire system is designed so that the analyst does not have to switch between dozens of systems and can focus on the investigation itself.

Central monitoring in SOAR is the key to efficiency and eliminates unnecessary clicking

For every alert, immediate context is available to help the analyst make decisions efficiently and without delay. This is provided by technologies such as IPAM, LDAP, Lansweeper, the aforementioned Entra ID and Intune, as well as Threat Intelligence platforms. Thanks to this, the analyst can assess the reputation of an IP address or hash at first glance. Information is available about what device or user is involved, whether the device is managed, and what its status is in the client’s infrastructure.

Not knowing what is happening in a client's network is a recipe for frequent panic. In our SOAR, the analyst has access to operational notes about the client environment: planned changes, maintenance windows, known exceptions, specific detections, or, for example, planned penetration tests. Thanks to this, the analyst can quickly distinguish expected activity from a potential security incident.

SOAR offers clear one-click access to important Kibana dashboards, the SIEM, the knowledge base with the client card, or specific events. Our analyst does not have to search for anything manually or log into multiple systems. We consider this an important factor that significantly shortens investigation time.

Automated triage fundamentally reduces alert fatigue

In practice, it is completely common for the same detection with identical parameters to be generated repeatedly. If you do not have procedures in place for this, there is nothing left but to close the detection manually every time. If this repeats dozens or hundreds of times, the burden on the analyst is enormous and their work becomes inefficient.

Our automated alert triage system, using SOAR playbooks, evaluates known scenarios, including alert deduplication. Alerts that provide no additional context about an attack are automatically closed as duplicates of an already existing incident. The result is significantly lower alert fatigue and more space to deal with real threats.
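The deduplication step described above, as an added illustration that is not Binary Confidence's own playbook code: the dedup key (rule, host, user, indicator), the 30-minute window, the field names and the sample alerts are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumption: two alerts are duplicates when rule, host, user and indicator (the IP or
# hash the detection fired on) match and the new one arrives within DEDUP_WINDOW.
DEDUP_WINDOW = timedelta(minutes=30)

@dataclass
class Alert:
    alert_id: str
    rule: str
    host: str
    user: str
    indicator: str
    seen_at: datetime

@dataclass
class Incident:
    incident_id: str
    first_alert: Alert
    last_seen: datetime
    duplicates: list = field(default_factory=list)

def dedup_key(alert):
    """Alerts that share these fields add no new context about the attack."""
    return (alert.rule, alert.host, alert.user, alert.indicator)

def triage(alerts):
    """Open one incident per distinct key; returns (incidents, closed) where
    closed maps alert_id -> (close_reason, incident_id) for auto-closed alerts."""
    open_by_key, incidents, closed = {}, [], {}
    for alert in sorted(alerts, key=lambda a: a.seen_at):
        key = dedup_key(alert)
        inc = open_by_key.get(key)
        if inc is not None and alert.seen_at - inc.last_seen <= DEDUP_WINDOW:
            inc.last_seen = alert.seen_at          # extend the active window
            inc.duplicates.append(alert.alert_id)
            closed[alert.alert_id] = ("duplicate", inc.incident_id)
        else:
            inc = Incident(f"INC-{len(incidents) + 1:04d}", alert, alert.seen_at)
            incidents.append(inc)
            open_by_key[key] = inc                 # new window starts for this key
    return incidents, closed

# Constructed sample: repeated Entra ID brute-force detections for one user.
T0 = datetime(2026, 5, 20, 9, 0)
SAMPLE_ALERTS = [
    Alert("A1", "bruteforce-entra", "ws-017", "j.novak", "203.0.113.7", T0),
    Alert("A2", "bruteforce-entra", "ws-017", "j.novak", "203.0.113.7", T0 + timedelta(minutes=5)),
    Alert("A3", "bruteforce-entra", "ws-017", "j.novak", "203.0.113.7", T0 + timedelta(minutes=12)),
    Alert("A4", "bruteforce-entra", "ws-042", "j.novak", "203.0.113.7", T0 + timedelta(minutes=13)),
    Alert("A5", "bruteforce-entra", "ws-017", "j.novak", "203.0.113.7", T0 + timedelta(hours=2)),
]
```

A4 stays open because a second host is new context, and A5 opens a fresh incident because the earlier window has expired; only A2 and A3 are closed as duplicates.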

SOAR is also an invaluable assistant during the incident response itself. Thanks to integrations with clients’ security technologies, we can perform a whole range of steps directly from a single environment.

Triage is an invaluable helper in our fight against alert fatigue

The analyst can directly in SOAR “disable” a user in Entra ID, revoke sessions across all active logins, block a specific IP address, or perform an action in the client’s EDR solution. At the same time, they do not have to log into multiple consoles and systems. This makes incident response faster and more efficient.

Continuous process measurement improves average detection and response times

Without measurement and comparison, every process is doomed to gradually lose efficiency. We place a truly strong emphasis on the auditability of the entire incident lifecycle. Every alert goes through clearly defined phases, from its creation on the endpoint, through the “ingestion” of its data into the SIEM, the creation of an incident in SOAR, assignment to an analyst, all the way to its closure.

We measure every phase using several important metrics:

Time to Own – how long it takes for an analyst to assign the alert to themselves
Time to Work – the time until the start of the investigation
Time to Investigate – the actual duration of the investigation

Every alert also has a so-called “close note” and “close reason” assigned to it, where you can see what happened to it and why it was closed. We also audit escalations towards the client, where SOAR automatically fills in templates and relevant incident data, as well as internal escalations to L2, including complete communication.

In the Binary Confidence SOC, we audit escalations to the client as well as internally

This data helps us identify room for improvement. The result is faster investigation and a significant reduction in average detection time (Mean Time To Detect) and response time (Mean Time To Respond). We achieve a regular reduction in “false alerts” through continuous optimisation of detection rules. If close notes are precisely defined, you can easily identify recurring patterns and eliminate them in detection rules.
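The phase metrics listed above and the close-reason analysis described in this paragraph, as one added example that is not Binary Confidence's own reporting code: the record layout, the HH:MM sample timestamps, the close-reason names and the 75% noise threshold are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample, one tuple per closed alert:
# (rule, close_reason, opened in SOAR, owned, work started, closed) as HH:MM on one day.
SAMPLE_LIFECYCLE = [
    ("bruteforce-entra", "true_positive", "09:00", "09:02", "09:03", "09:23"),
    ("bruteforce-entra", "duplicate", "09:10", "09:12", "09:13", "09:15"),
    ("ps-encoded-cmd", "false_positive", "10:00", "10:06", "10:08", "10:18"),
    ("ps-encoded-cmd", "false_positive", "10:30", "10:32", "10:33", "10:43"),
]

def _t(hhmm):
    return datetime.strptime("2026-05-20 " + hhmm, "%Y-%m-%d %H:%M")

def phase_times(record):
    """The three phase metrics the article defines, in seconds, for one alert."""
    _rule, _reason, opened, owned, worked, closed = record
    return {
        "time_to_own": (_t(owned) - _t(opened)).total_seconds(),
        "time_to_work": (_t(worked) - _t(owned)).total_seconds(),
        "time_to_investigate": (_t(closed) - _t(worked)).total_seconds(),
    }

def mean_phase_times(records):
    """Average each phase across all alerts; these are the numbers to trend over time."""
    acc = defaultdict(list)
    for r in records:
        for name, seconds in phase_times(r).items():
            acc[name].append(seconds)
    return {name: mean(v) for name, v in acc.items()}

def noisy_rules(records, noise_ratio=0.75, min_alerts=2):
    """Rules whose close reasons are mostly 'false_positive' or 'duplicate':
    candidates for an exception or a rule-logic fix."""
    by_rule = defaultdict(Counter)
    for rule, reason, *_ in records:
        by_rule[rule][reason] += 1
    flagged = {}
    for rule, reasons in by_rule.items():
        total = sum(reasons.values())
        noise = reasons["false_positive"] + reasons["duplicate"]
        if total >= min_alerts and noise / total >= noise_ratio:
            flagged[rule] = round(noise / total, 2)
    return flagged
```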

Communication with the client and with analysts is the foundation of quality

The combination of optimisation and automation means that, in our SOC, we can afford to keep significantly more detection rules enabled than could be handled manually. The entire SOC is therefore more scalable, while at the same time maintaining high quality without creating disproportionate work pressure on analysts.

One of the key factors is well-tuned technology. Even the best solution, however, cannot reach its full potential without communication and intensive cooperation with the client. Together, we continuously create exceptions and fine-tune rule logic so that it reflects the client’s real environment as accurately as possible and ultimately delivers better and more efficient security.

At the end, but in reality at the beginning, are the analysts themselves. Without their input, we could not move forward, and most high-quality innovations come directly from them. After all, they are the ones who best know and see what works and what can be done more efficiently.


The project, funded under grant agreement number 101145856, is supported by the European Cybersecurity Competence Centre.
