Application security, Network Security

SOC teams spend nearly a quarter of their day handling suspicious emails

Inside New York City’s Cyber Command. A new feature from malware scanning site VirusTotal is designed to help Security Operations triage security alerts for false positives.  (Credit: New York University)

Security professionals know that responding to relentless, incoming streams of suspicious emails can be a labor-intensive task, but a new study shared exclusively with SC Media in advance indicates just how time-consuming it actually is.

Researchers at email security firm Avanan claim to have authored the “first comprehensive research study" that quantifies the amount of time security operations center (SOC) employees spend preventing, responding to, and investigating emails that successfully bypassed default security and are flagged by end users or other reporting mechanisms.

According to the study, email threats take two to three hours of a SOC team’s time per day, or 22.9% of a SOC team’s daily routine. The data is based upon the responses of more than 500 IT managers and leaders surveyed by Avanan. Of the time spent managing emails threats, nearly half – 46.9% – was allocated toward investigation, while response and prevention each took 26.6 percent of a SOC team’s time.

Investigations take double the amount time for a number of reasons. For one, said Friedrich, they often require “a bit of manual work in order to do the investigation” because SOC analysts often don’t have all the information and analysis they need in a single view or screen to decide in one quick step if an email is malicious or not. Also, “sometimes it takes more than one person” to review an email to determine its validity. Procedures may call for two or three people to render a verdict, and the original email recipient may be brought into the investigation and asked if they were expecting an email from the purported sender. 

According to the survey, the preventative tasks most commonly performed by SOC teams are updating allow and block lists (79.6% of respondents), updating ATP policies (64.9%) implementing new mail-flow rules (56%), updating sensitivity and confidence settings (44.3%)  and updating signature files (28.9%). Collectively, these and other tasks result in an average of 5.59 hours spent per week on prevention.

As for whether email threats should take up less of a SOC team’s day – that may be in the eye of the beholder.

“In our conversations with [Security Orchestration Automation & Response] vendors… they said to us that 90% of the events they deal with are actually phishing,” said Avanan co-founder and CEO Gil Friedrich. In that regard, SOC workers condensing 90% of their work into 23% of their time sounds like good efficiency.

But even if that’s the case, the report warns that managing email threats “is time-consuming and costly for enterprises of all sizes. Between preventing malicious email from causing damage to reviewing end-user suspicious email reports and false positive reports, SOC employees are overwhelmed and overworked by the sheer state of email, both good and bad. “

Friedrich warned that the nonstop influx of suspicious emails makes SOC employees prone to alert fatigue. Indeed, according to the report, SOCs on average receive 68.7 end-user reports per week and 3,574 in a year, spending about 7.7 minutes on each one. Of those, 33.8% are found to be malicious, and SOC employees will spend a little over 49 days responding to them in a given year.

False positives also pose a problem. Avanan says that SOCs on average receive 16 release-from-quarantine requests per week, with 30.73% labelled as false positives. SOC teams spend nearly 58 days per year handling an average of 6,862 such requests.

SOC fatigue resulting from these reports and requests can result in “real phishing attacks being released back to employees” inadvertently, said Friedrich. “The other problem we see is that too often the SOC professional will not handle the threat; they will [only] handle the email. So they will not look for the phishing campaign. They would not look for similar emails [or ask] ‘Did I get anything else from that sender? Should I create a blocklist?’”

“I need to do more than just block one email,” Friedrich said. But of course, taking additional steps only adds more time to the equation.

And compounding the issue is the expanding use and abuse of workplace communication and collaboration platforms such as Slack and Teams, which the potential to eat into SOC analysts’ time even further. Indeed, 76.1% of respondents agree or strongly agreed that Slack and Teams vulnerabilities would necessitate the implementation of further security measures within the next eight months.

To help reduce the numbers of malicious emails that drop into SOC teams’ laps, Friedrich suggested that companies using cloud-based email services consider moving their email security to the cloud as well, because traditional solutions built for on-premises email are “missing too much stuff.”

“The evolution of moving your email to the cloud is now being followed with the second revolution of moving your security to a cloud-first approach that uses API and cloud connectivity,” Friedrich continued. “You'll get time back for your SOC.”

Additional cybersecurity experts also offered their own recommendations.

"If a SOC is engaged in actual attacks that start by targeting their email system, then they need to think about better managing that attack surface as a point of infection," said Chris Morales, head of security analytics at Vectra. "If a SOC is spending too much time investigating alerts from detection and response that are just noise, then they might want to consider a less noisy system."

Also, "More companies are spending additional dollars on third-party services that are specifically looking at email defense," noted Joseph Neumann, director of offensive security at Coalfire. "Automation and cloud sourcing defense to organizations that specialize in this specific attack vector are the best value add. Those organizations will be the first to develop and mature automation, machine learning or possibly AI in the future."

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.
Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

You can skip this ad in 5 seconds