SOC teams spend nearly a quarter of their day handling suspicious emails

Stu Sjouwerman | Feb 4, 2021

Jeremy Fuchs at Avanan just blogged about a new report they released. It revealed some surprising results about the time SOC teams have to spend investigating suspicious emails reported by employees.

Avanan shared their research with SC Mag, which wrote: "Researchers at email security firm Avanan claim to have authored the “first comprehensive research study” that quantifies the amount of time security operations center (SOC) employees spend preventing, responding to, and investigating emails that successfully bypassed default security and are flagged by end users or other reporting mechanisms.

According to the study, email threats take two to three hours of a SOC team’s time per day, or 22.9% of a SOC team’s daily routine. The data is based upon the responses of more than 500 IT managers and leaders surveyed by Avanan. Of the time spent managing email threats, nearly half – 46.9% – was allocated toward investigation, while response and prevention each took 26.6% of a SOC team’s time.

“In our conversations with [Security Orchestration Automation & Response] vendors… they said to us that 90% of the events they deal with are actually phishing,” said Avanan co-founder and CEO Gil Friedrich. In that regard, SOC workers condensing 90% of their work into 23% of their time sounds like good efficiency.

But even if that’s the case, the report warns that managing email threats “is time-consuming and costly for enterprises of all sizes. Between preventing malicious email from causing damage to reviewing end-user suspicious email reports and false positive reports, SOC employees are overwhelmed and overworked by the sheer state of email, both good and bad.”

SOC fatigue resulting from these reports and requests can result in “real phishing attacks being released back to employees” inadvertently, said Friedrich. “The other problem we see is that too often the SOC professional will not handle the threat; they will [only] handle the email. So they will not look for the phishing campaign. They would not look for similar emails [or ask] ‘Did I get anything else from that sender? Should I create a blocklist?’”
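The campaign pivot Friedrich describes (checking for other mail from the same sender, looking for similar emails, and feeding a blocklist) is the part of triage that is easiest to script. The example below is added here and is not code from the Avanan report, SC Mag, or KnowBe4; the mailbox messages, addresses and domains in it are constructed sample data, and it assumes plain-text, single-part messages for simplicity. Starting from one reported email the SOC has confirmed as phishing, it searches the rest of the mailbox corpus for messages sharing a strong indicator (sender address, sender domain, Return-Path domain, or a URL host in the body) and aggregates the hits into blocklist entries.

```python
"""Pivot from one confirmed phish to the rest of the campaign.

Added example, not from the Avanan report or the SC Mag article.
All messages, addresses and domains below are constructed sample data.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
OWN_DOMAIN = "corp.example"  # hypothetical: the organisation's own mail domain

# Constructed sample mailbox: one raw RFC 5322 message per string.
# Index 0 is the message an employee reported and the SOC confirmed as phishing.
MAILBOX = [
    "From: IT Helpdesk <helpdesk@corp-it-support.example>\n"
    "Return-Path: <bounce@mailer-relay.example>\n"
    "To: alice@corp.example\n"
    "Subject: Action required: your password expires today\n\n"
    "Reset it now: https://login-portal.example/reset?u=alice\n",
    "From: IT Desk <it-desk@corp-it-support.example>\n"
    "Return-Path: <bounce@mailer-relay.example>\n"
    "To: bob@corp.example\n"
    "Subject: Action required: your password expires today\n\n"
    "Reset it now: https://login-portal.example/reset?u=bob\n",
    "From: Accounts <accounts@secure-notify.example>\n"
    "Return-Path: <accounts@secure-notify.example>\n"
    "To: carol@corp.example\n"
    "Subject: Mailbox storage limit reached\n\n"
    "Upgrade here: https://login-portal.example/upgrade\n",
    # Legitimate internal notice that happens to reuse the phishing subject line.
    "From: IT <it@corp.example>\n"
    "Return-Path: <it@corp.example>\n"
    "To: alice@corp.example\n"
    "Subject: Action required: your password expires today\n\n"
    "Change it at https://sso.corp.example/change-password\n",
    "From: News <news@vendor.example>\n"
    "Return-Path: <bounces@vendor.example>\n"
    "To: dave@corp.example\n"
    "Subject: March newsletter\n\n"
    "Read more: https://vendor.example/news\n",
    "From: IT Helpdesk <helpdesk@corp-it-support.example>\n"
    "Return-Path: <bounce@other-relay.example>\n"
    "To: dave@corp.example\n"
    "Subject: Your account has been locked\n\n"
    "Call the helpdesk at extension 1234.\n",
]

STRONG_KEYS = ("sender", "sender_domain", "return_path_domain")


def extract_indicators(raw):
    """Parse one raw message into the indicators used for pivoting."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""  # plain-text assumption
    hosts = {urlsplit(u).hostname for u in URL_RE.findall(body)}
    hosts.discard(None)
    return {
        "sender": sender,
        "sender_domain": sender.rpartition("@")[2],
        "return_path_domain": return_path.rpartition("@")[2],
        "url_hosts": hosts,
        "subject": " ".join(msg.get("Subject", "").lower().split()),
    }


def shared_indicators(confirmed, other):
    """Names of strong indicators that `other` shares with the confirmed phish."""
    reasons = [k for k in STRONG_KEYS if confirmed[k] and confirmed[k] == other[k]]
    common_hosts = confirmed["url_hosts"] & other["url_hosts"]
    if common_hosts:
        reasons.append("url_host:" + ",".join(sorted(common_hosts)))
    return reasons


def find_campaign(confirmed_raw, corpus):
    """Return (index, reasons) for every other message tied to the confirmed phish.

    A message must share at least one strong indicator; an identical subject is
    recorded as corroboration only, never as the sole reason (see message 3).
    """
    confirmed = extract_indicators(confirmed_raw)
    hits = []
    for idx, raw in enumerate(corpus):
        if raw == confirmed_raw:
            continue
        other = extract_indicators(raw)
        reasons = shared_indicators(confirmed, other)
        if reasons:
            if other["subject"] == confirmed["subject"]:
                reasons.append("subject")
            hits.append((idx, reasons))
    return hits


def build_blocklist(confirmed_raw, corpus):
    """Aggregate campaign-wide indicators into blocklist entries.

    Return-Path domains are used for matching but deliberately not blocked:
    they are often shared relays. The organisation's own domain is never blocked.
    """
    related = [confirmed_raw] + [corpus[i] for i, _ in find_campaign(confirmed_raw, corpus)]
    block = {"senders": set(), "sender_domains": set(), "url_hosts": set()}
    for raw in related:
        ind = extract_indicators(raw)
        block["senders"].add(ind["sender"])
        if ind["sender_domain"] != OWN_DOMAIN:
            block["sender_domains"].add(ind["sender_domain"])
        block["url_hosts"] |= ind["url_hosts"]
    return {k: sorted(v) for k, v in block.items()}


if __name__ == "__main__":
    for idx, reasons in find_campaign(MAILBOX[0], MAILBOX):
        print(f"message {idx}: {', '.join(reasons)}")
    print(build_blocklist(MAILBOX[0], MAILBOX))
```

Two caveats a practitioner would want. Message 3 in the sample is a genuine internal notice with the same subject line as the phish; it is intentionally not flagged because subject lines are reused by legitimate senders, so in production subject-only matches belong in an analyst review queue rather than in a quarantine action. And a sender-domain block is the wrong response when the campaign was sent from a compromised legitimate account; in that case block the specific address and the URL host, not the domain.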

Spending too much time to go through reported emails?

The research covered organizations that have a SOC. What about the many IT pros for whom this is just one of their many InfoSec tasks? We recommend taking a look at PhishER: it ingests the reported emails, PhishML gives you a fast score, and removing them with PhishRIP is a huge time saver.

Sign up for your live one-on-one demo and see for yourself how much time you can save. 

Topics: Phishing
