Academy Central
----
Weather

Security Operations teams face several critical challenges, including alert fatigue, situational blindness, and cognitive bias.

概述(繁體中文)

安全營運團隊面臨數項關鍵挑戰,包括警報疲勞、情境盲目及認知偏誤。


Alert Fatigue

Alert fatigue is the most significant challenge affecting security operations. According to Palo Alto Networks' 2018 SOAR Report, teams receive an average of 10,000–12,000 alerts per week. This volume causes alerts to be ignored, wastes time on false leads, and causes actual threats to be missed.

Causes of High Alert Volume

  • Too Many Security Products — The average SOC uses over 15 security products. Managing alerts from each product involves duplication and manual parsing.
  • Varying Product Sensitivity Settings — Low sensitivity risks missing dangerous alerts; high sensitivity generates excessive false positives, reducing work satisfaction.
  • Evolution of the Modern Organization — Business expansion across product lines and geographies exposes organizations to new attack vectors such as POS compromise, credit card fraud, data theft, and DDoS attacks.
  • Not Enough People — Security professionals are difficult to hire, train, and retain due to demanding roles, technical prerequisites, and constant on-the-job learning requirements.

警報疲勞(繁體中文)

警報疲勞是安全營運中最嚴峻的挑戰。根據 Palo Alto Networks 2018 年 SOAR 報告,團隊每週平均收到 10,000 至 12,000 筆警報。如此龐大的數量導致警報被忽略、分析師浪費時間追查錯誤線索,而真正的威脅反而被遺漏。

警報量過高的原因

  • 安全產品過多 — 平均每個 SOC 使用超過 15 種安全產品。管理各產品產生的警報涉及大量重複作業與人工解析。
  • 產品靈敏度設定不一 — 靈敏度過低可能遺漏危險警報;靈敏度過高則產生大量誤報,降低工作滿意度。
  • 現代組織的演變 — 業務擴展至不同產品線與地區,使組織暴露於 POS 入侵、信用卡詐騙、資料竊取及 DDoS 攻擊等新興威脅。
  • 人手不足 — 安全專業人員的招聘、培訓與留任極為困難,因其工作負荷大、技術門檻高,且須持續在職學習。

Situational Blindness

Team members spend excessive time on manual actions and product tuning, causing them to miss important alerts.

Tools Do Not Talk to Each Other

Disconnected security products force analysts to manually correlate data across platforms, wasting time and increasing the chance of missed threats.

Security Analysts Do Not Talk to Each Other

Analysts are too busy handling the alert volume to collaborate and learn from one another, preventing them from leveraging each other's strengths.

Some Important Alerts Are Missed

Because tools and analysts are siloed, critical alerts that could have been caught go unnoticed.

情境盲目(繁體中文)

團隊成員花費過多時間處理手動作業與產品調校,導致遺漏重要警報。

工具之間無法互通

各自獨立的安全產品迫使分析師跨平台手動關聯資料,既浪費時間又增加遺漏威脅的風險。

分析師之間缺乏溝通

分析師忙於處理大量警報,無暇協作與相互學習,無法發揮彼此專長。

重要警報被遺漏

由於工具與分析師各自為政,本可被攔截的重要警報因而遭到忽略。


Cognitive Bias

Security analysts may develop cognitive bias during threat investigation. Analysts with long tenure in a SOC may make assumptions about incidents without proper investigation simply because a similar incident was seen recently and deemed less important.

This can be mitigated through training, strengthening awareness of biases, and implementing quality control measures such as peer review for remediation.


認知偏誤(繁體中文)

安全分析師在威脅調查與識別過程中可能產生認知偏誤。長期任職於 SOC 的分析師可能因近期見過類似事件而輕視其重要性,未經充分調查即做出假設。

此問題可透過教育訓練、強化對偏誤的認知,以及實施同儕審查等品質管控措施來預防。