SOCs spend nearly a quarter of their time on email security
Email security continues to be a significant challenge for the Security Operation Centers (SOCs); research from Avanan, a cloud email security vendor, on the state of email security shows. An excessive amount of time and effort is spent by SOC teams in detecting incidents and directing countermeasures.
This study is important as it is one of the first hard looks at how much time is spent on these issues. Before this survey, the State of Email Security, this aspect was not fully explored. Data was only available through work by research and advisory company Gartner that found how each phishing event can take two hours and 45 minutes to remediate.
Email threats, whether data is compromised or leaked, can affect a business in many ways, depending on its nature, scope and severity. Malware distributed through email attachments as well as phishing attempts can lead to data breaches and severely impact brand strength and reputation. Protecting the medium through which messages are exchanged requires continuous monitoring and rapid response.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
Security operation centers
The major functionalities of SOC services include monitoring, detection and event analysis. This undertaking can confirm if a security incident is taking place on key IT systems in an organization. The SOC is responsible for locating the actual malicious activity to ensure it is correctly identified, analyzed, addressed, investigated and reported. An SOC report can give companies great insight into their security by assessing the controls in place and the effectiveness of its policies and procedures.
Having an internal or external SOC available and operational at all times with a team that can include cybersecurity analysts, security engineers and managers — as well as incident responders, threat hunters and compliance auditors — tasked with detecting, analyzing, preventing and responding to incidents is a great resource.
But how much time do they spend in mitigating email threats? Showered with alerts and suspicious log entries, SOC analysts use security solutions like Security Information and Event Management (SIEM) to help them focus on the events that are most likely more dangerous and allow them to aggregate data from a multitude of sources to better address them. However, not all tasks can be automated and SOC professionals are still left with many manual tasks to analyze data and input from tools, respond to users’ concerns and investigate findings.
The quantification of email threats and the burden placed on SOC teams
To quantify the scope of email threats and how companies deal with them, researchers at Avanan, in December 2020, released a detailed survey on the state of email security. They asked 500 IT managers and leaders about the time it takes to deal with malicious emails, such as phishing attempts, and the duties their effort involves from three perspectives: prevention, response and investigation.
- Prevention: this refers to all that relates to the configuration and management of emails to prevent attacks. For example, the revising of allow/block lists, screening of mails through rules and updating advanced threat protection (ATP) anti-phishing policies.
- Response: this refers to tasks related to responding to an attack that has already happened, including phishing emails delivered to the mailbox of an end-user or malicious content downloaded through clicking on an embedded link.
- Investigation: this refers to all activities related to finding out whether an attack was perpetrated if any systems or data were compromised and which should be locked out to protect the entire infrastructure.
According to Avanan, the average SOC spends about 22.9% of its total activity time in managing email threats as follows:
- SOC teams spend 46.9% of that time on investigation
- SOC teams spend 26.6% of that time on response
- SOC teams spend 26.5% of that time on prevention
The survey shows how the SOC team works 5.59 hours on prevention tasks; they receive an average of 68.7 end-user reports per week and take approximately 7.7 minutes to inspect each suspicious email to find that 33.8% are malicious and require flagging and quarantining before they impact the networks. An average of 16 requests per week deal with release from quarantine; 30.73% are false positives which turn out not to be real security incidents but still cost the SOC 2.1 minutes per email which amounts to 1,592 minutes, or 26.53 hours, per week and 1,380 hours a year.
SOC activity for email threats
So, what do SOC professionals have to do to address email threats?
Prevention
The following prevention tools were found as the most used by survey respondents and take an average of 5.59 hours/week:
- Allow/block lists: 79.6%
- ATP policies: 64.9%
- Implement new email flow rules: 56%
- Update sensitivity and confidence: 44.3%
- Update signature files: 28.9%
Response
SOC teams receive an average of 3,574 end-user reports in a year, with 1,207 recognized as phishing emails and costing 1,183 hours of work to review and determine appropriate action including:
- Identify and lock down compromised account(s): 15.6% of the time
- Discover which link was clicked: 15.3%
- Review the event log: 15.1%
- Identify compromised data: 14.2%
- Remove the malicious email from all other users’ inboxes: 14%
- Release info on the breach to stakeholders: 12.9%
- Remediate infected workstations: 12.9%
Investigation
Investigating each email is also a time-consuming task, and SOC analysts were found to use up to 652 hours, or over 27 full days per year, using severable available tools to perform the following tasks:
- Analyze messages and headers: 23.4% of the time
- Investigate links: 23%
- Analyze attachments: 21.1%
- Investigate senders: 17.3%
- Identify other recipients: 15.2%
More findings
Another interesting part of the survey gives a glimpse of how companies are set up. Researchers found that 78% of surveyed companies used Microsoft 365 email servers with 88.44% using cloud-based ones. In 43.09% of cases, the solution of choice to protect the email servers was Microsoft ATP with 23.09% using a secure email gateway and 17.4% API-based email security.
A whopping 76.1% of the surveyed professionals identified collaboration tools like Slack and Microsoft Teams as a concrete security risk that needs to be the focus of attention to boost prevention. The main concerns were leakage of sensitive data (72.6% of respondents), phishing links (60.7%) or malicious files (53.3%) in messages.
Phishing simulations & training
Confronting email security
It is no surprise that SOC professionals feel overwhelmed by dealing with preventing, responding and investigating malicious emails that make it through the automated security layers and occupy 2-3 hours of their time per day. This is an important function of their job but by no means the only one.
Despite the increasing focus of all organizations and companies of any size on email security best practices, SOC members can still spend about 1,183 hours per year reviewing end-user phishing reports, and 1,380 hours to review requests of quarantine release. Much of the team’s time is spent preventing, responding and investigating malicious or suspicious activities, like phishing. It’s no wonder “60% of SOC employees have considered leaving their jobs or changing careers altogether because of burnout,” the Avanan’s survey shows.
The solution to the increasing amount of time spent reviewing threats is not only the implementation of more sensitive email security solutions like data loss prevention (DLP) technologies but also more focused awareness campaigns and training programs that keep email security at the forefront of the organizations’ efforts. User awareness is key to the prevention of threats and breaches and is particularly effective in all those instances where the target of the malicious activity are users themselves.
Sources:
- The State of Email Security Survey Results, Avanan
- Can Phishing Training Replace Email Security?, Avanan
- What is a Security Operations Center (SOC)?, Digital Guardian
- Why Slack and Microsoft Teams Are Not as Secure as You Think, Avanan
- Email Security Can Be Time Consuming. We Quantified The Exact Amount, Avanan
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- SOCs spend nearly a quarter of their time on email security
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Top 5 ways ransomware is delivered and deployed
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness