SOC teams spend nearly a quarter of their day handling suspicious emails

Jeremy Fuchs at Avanan just blogged about a new report they released. It revealed some surprising results about the time SOC teams have to spend investigating suspicious emails reported by employees.

Avanan shared their research with SC Mag, which said: “Researchers at email security firm Avanan claim to have authored the ‘first comprehensive research study’ that quantifies the amount of time security operations center (SOC) employees spend preventing, responding to, and investigating emails that successfully bypassed default security and are flagged by end users or other reporting mechanisms.

According to the study, email threats take two to three hours of a SOC team’s time per day, or 22.9% of a SOC team’s daily routine. The data is based upon the responses of more than 500 IT managers and leaders surveyed by Avanan. Of the time spent managing email threats, nearly half – 46.9% – was allocated toward investigation, while response and prevention each took 26.6% of a SOC team’s time.

“In our conversations with [Security Orchestration Automation & Response] vendors… they said to us that 90% of the events they deal with are actually phishing,” said Avanan co-founder and CEO Gil Friedrich. In that regard, SOC workers condensing 90% of their work into 23% of their time sounds like good efficiency.

But even if that’s the case, the report warns that managing email threats “is time-consuming and costly for enterprises of all sizes. Between preventing malicious email from causing damage to reviewing end-user suspicious email reports and false positive reports, SOC employees are overwhelmed and overworked by the sheer state of email, both good and bad.”

SOC fatigue resulting from these reports and requests can result in “real phishing attacks being released back to employees” inadvertently, said Friedrich. “The other problem we see is that too often the SOC professional will not handle the threat; they will [only] handle the email. So they will not look for the phishing campaign. They would not look for similar emails [or ask] ‘Did I get anything else from that sender? Should I create a blocklist?’”
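The campaign-level triage Friedrich describes (pivoting from the one reported email to everything else the same sender or lure delivered, then deciding whether a blocklist entry is warranted) is the part of the work that lends itself to automation. The following is an added example and is not code from the original post, from Avanan or from KnowBe4: it scores every message in a constructed mailbox log against the reported one on shared sender, sender domain, link domain and normalized subject, and returns the related messages, affected recipients and block candidates. The message log, addresses and domains are constructed, and the indicator weights and threshold are assumptions an analyst would tune.

```python
"""Campaign-level triage of a user-reported phishing email (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Hostname part of any http(s) URL in a message body.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Assumed indicator weights: an exact sender match or a shared link domain is
# strong evidence; a matching subject alone is weak and must be corroborated.
WEIGHTS = {"same_sender": 3, "same_sender_domain": 2, "same_url_domain": 2, "same_subject": 1}
THRESHOLD = 2


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    recipient: str
    subject: str
    body: str


def normalize_subject(subject: str) -> str:
    """Collapse reply/forward prefixes and numbers so per-recipient variants
    such as 'RE: Invoice #9937 overdue' and 'Invoice #4821 overdue' share a key."""
    s = re.sub(r"^\s*((re|fw|fwd)\s*:\s*)+", "", subject, flags=re.IGNORECASE)
    s = re.sub(r"\d+", "#", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def url_domains(body: str) -> set[str]:
    return {host.lower() for host in URL_RE.findall(body)}


def find_campaign(reported: Message, log: Iterable[Message]) -> dict:
    """Return the messages related to the reported one, why each matched,
    who received them, and the indicators an analyst might block."""
    sender_domain = reported.sender.split("@")[-1].lower()
    subject_key = normalize_subject(reported.subject)
    domains = url_domains(reported.body)

    related: list[Message] = []
    reasons: dict[str, list[str]] = {}
    for m in log:
        hits = []
        if m.sender.lower() == reported.sender.lower():
            hits.append("same_sender")
        elif m.sender.split("@")[-1].lower() == sender_domain:
            hits.append("same_sender_domain")
        if normalize_subject(m.subject) == subject_key:
            hits.append("same_subject")
        if domains & url_domains(m.body):
            hits.append("same_url_domain")
        if sum(WEIGHTS[h] for h in hits) >= THRESHOLD:
            related.append(m)
            reasons[m.msg_id] = hits

    return {
        "related_ids": [m.msg_id for m in related],
        "reasons": reasons,
        "recipients": sorted({m.recipient for m in related}),
        "block_candidates": {
            "senders": sorted({m.sender.lower() for m in related}),
            "url_domains": sorted(domains),
        },
    }


# Constructed sample data: one reported message plus a small mailbox log.
REPORTED = Message("m1", "billing@acme-invoices.example", "alice@corp.example",
                   "Invoice #4821 overdue", "Pay now at http://acme-pay.example/login")
LOG = [
    REPORTED,
    Message("m2", "billing@acme-invoices.example", "bob@corp.example",
            "RE: Invoice #9937 overdue", "Reminder: http://acme-pay.example/login"),
    Message("m3", "ops@acme-invoices.example", "carol@corp.example",
            "Account notice", "Please review http://acme-pay.example/login"),
    Message("m4", "newsletter@vendor.example", "alice@corp.example",
            "Weekly digest", "Read more at http://vendor.example/news"),
    # Benign internal mail whose subject happens to match: subject alone scores
    # below THRESHOLD, so it is not pulled into the campaign.
    Message("m5", "hr@corp.example", "dave@corp.example",
            "Invoice #12 overdue", "Finance has not received your expense form."),
]

if __name__ == "__main__":
    result = find_campaign(REPORTED, LOG)
    print(f"related: {result['related_ids']}")
    print(f"recipients to notify: {result['recipients']}")
    print(f"block candidates: {result['block_candidates']}")
```

The output groups m1, m2 and m3 as one campaign (two by sender, one by sender domain plus link domain) and leaves the internal message m5 out even though its subject normalizes to the same key, which is the kind of corroboration an analyst needs before creating a blocklist entry.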

Spending too much time to go through reported emails?

The research covered organizations that actually have a SOC. What about the many IT pros for whom triaging reported emails is just one of their many InfoSec tasks? We recommend taking a look at PhishER: it ingests the reported emails, PhishML gives you a fast score, and PhishRIP then removes the malicious ones from mailboxes, which is a huge time saver.

Sign up for your live one-on-one demo and see for yourself how much time you can save. 


Live Demo: Identify and Respond to Email Threats Faster with PhishER

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you not only handle the phishing attacks and threats—and just as importantly—effectively manage the other 90% of user-reported messages accurately and efficiently? PhishER.


To learn how, get a product demonstration of the new PhishER Security Orchestration, Automation and Response (SOAR) platform. In this live one-on-one demo we will show you how easy it is to identify and respond to email threats faster:

  • Automate prioritization of email messages by rules you set that categorize messages as Clean, Spam, or Threat
  • Augment your analysis and prioritization of messages with PhishML, a PhishER machine-learning module
  • Search, find, and remove email threats with PhishRIP, PhishER’s new email quarantine feature for Microsoft 365 and G Suite
  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your users’ inboxes.
  • Easily integrate with KnowBe4's email add-in button, Phish Alert, or forwarding to a mailbox works too!

Request A Demo

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://info.knowbe4.com/phisher-request-a-demo

Topics: Phishing