Do you have a handle on how your SOC is handling phishing? More specifically, do you know how they are responding to end-user requests to restore quarantined messages, and to end-user reports of messages as phishing?

This video, from a SOC Cyber Security analyst, gives you a little sneak peek into just how hard this role can be:

It's a job that's quite hectic, so it's no surprise that it leads to a lot of stress and burnout.

Here's an example from AT&T of what an investigation might entail:

  • Initial review based on first warning
  • Looking at Indicators of Compromise
  • Expanding investigation into events
  • Building a response, starting with an investigation to confirm if this is real
  • Interacting with customer

There's a lot going on, and that's for a simple phishing attack. The more complex, the harder it gets.

Add to that the fact that only 10% of end-user-reported phishing emails are in fact phishing. It would be great to ignore the other 90%, but that would be irresponsible: SOC analysts don't know in advance which 10% are actually phishing, so they have to go through all of them. And that takes up valuable time.

Consider this story. At one of our customers, who had us replace their email response API tool, an end-user received a phishing email from “IT” and, like most people, got a new-email notification on his phone. Although the email was quarantined, the notification was not (and cannot be). Aside from the bad user experience, that end-user reached out to IT support and asked them to send it again because he couldn’t find it. IT responded that they had not sent anything, assumed it was phishing, and asked the end-user if he had clicked the link. This was 24 hours after the email was delivered; the end-user could not remember what he had done, and IT, as good security professionals should, reset his password just in case. It’s a story of everyone doing their job and acting responsibly. Well, everyone but the email security solution that should have blocked it before the inbox and saved everyone’s time.

If the SOC is overwhelmed, the best first step you can take is to ensure your email security is on point.

Avanan recently released a survey that found that managing the email threat takes up 22.9% of the SOC's time. That comes out to about 2-3 hours a day spent chasing bad emails. In some environments, that number is even higher. Of the time spent managing the email threat, 47% goes to investigating suspected phishing emails reported by end-users and 27% to responding to actual phishing emails.

Consider this story of a 10,000-user company. Prior to Avanan, this company had 2,500 phishing emails a month making their way to the end user. End-users were reporting phishing 16,000 times a month. And only 15% were actually phishing.

After implementing Avanan, only 5 phishing emails a month were delivered to end users. End-user reports went down from 16,000 to 3,000 a month.

That has dramatically freed up the SOC and made their lives and work better. 

There are three things that help the SOC out: advanced protection, improved response capabilities, and better training. 

Advanced security is there to stop malicious emails from hitting your end-users. In the case of Avanan’s customers, they see a 99.2% reduction in attacks reaching their end users overnight. Because there is no silver bullet, you must also arm IT, the SOC and the help desk with the resources necessary to respond to threats quickly and efficiently. And finally, end-user training is there to help ensure end-users know how to spot and report a malicious email.