With the rapid growth of digital technologies, modern hybrid enterprise Security Operations Centers (SOCs) face both immense advantages and unprecedented challenges. On one hand, digitalization increases operational efficiency, profitability, and can even help grow market share, opening up new business opportunities. On the other hand, it also creates a significantly larger attack surface and increases security risks, which forms the basis of what we call the “spiral of more”.

This “spiral of more” is a vicious cycle of problems arising from rapid digitalization and the growing complexity of the cyber landscape.

Expanding threat landscape and its consequences

Digitalization adds significant complexity to your IT infrastructure and processes, leading to a substantial expansion of the attack surface and, consequently, making it more difficult to defend. This growth attracts more cyberattacks and generates an excessive amount of signals and “noise,” often hiding real, critical threats within this data stream. Protecting such a dynamic IT environment is significantly more challenging than even a few years ago. A recent survey conducted in 2023 showed that 63% of hybrid enterprise SOC teams reported a “significant” increase in their attack surface in just the last two years. This figure highlights how rapidly the threat landscape is changing and how difficult it is for SOC teams to keep up.

The paradox of growing cybersecurity tools

The expanding attack surface and invisible threats are not the only challenges facing SOCs. The increasing number of cybersecurity tools designed to solve these problems can paradoxically overwhelm analysts. While vendors promise that more tools are the answer to all problems, these tools often operate in isolation, failing to “communicate” with each other. Furthermore, they require constant monitoring and may overlap in functionality, leading to even more signals, alerts, and an overall decrease in visibility. Instead of increasing accuracy and efficiency, adding more tools can lead to:

  • Increased management complexity: Each new tool adds the need for configuration, maintenance, and integration.
  • Analyst frustration: A continuous stream of irrelevant alerts leads to burnout and loss of focus.
  • Decreased effectiveness: Instead of improving protection, thoughtlessly adding tools can create new gaps and “blind spots.”

The rise of “blind spots” and their consequences

Cybersecurity teams spend a significant amount of time trying to catch up with thousands of signals generated by new tools. The average SOC team receives approximately 4500 alerts daily, with a staggering 67% of them remaining unanalyzed. This constant flood of alerts, combined with a lack of context, creates huge “blind spots” – areas of the network or aspects of an attack that go unnoticed. A recent survey showed that 71% of SOC analysts believe their organization has likely already been compromised, but they simply haven’t identified the breach. This is a direct consequence of information overload and the insufficient effectiveness of existing tools.

Burnout and staffing shortages in SOCs

It’s no surprise that SOC teams face high levels of burnout and acute shortages of qualified personnel. According to ISC2 estimates, there is a global shortage of 3.4 million qualified cybersecurity professionals. This burnout is directly related to the stress caused by ineffective alerts, an excessive amount of manual work, and long hours without successful outcomes, leading to a vicious cycle of overwork, stress, and attrition. The statistics are alarming: almost half of cybersecurity professionals are considering “quiet quitting,” and about a third cite stress, burnout, or the impact of work on their mental health as reasons for leaving the industry.

Cognitive dissonance: ignoring the problem

The survey also showed that 97% of SOC analysts worry about missing critical cybersecurity events due to alert overload. Furthermore, nearly 40% reported additional “noise” from cybersecurity tools as a significant problem.

Despite these concerns, most surveyed analysts paradoxically rated their tools as “effective,” although they admitted to having only 75% visibility into their IT environment.

This cognitive dissonance – the inability to reconcile one’s own knowledge with reality – is a serious problem for SOC teams. It can lead to teams failing to take necessary steps to address problems, even when they know of their existence.

There are several reasons why cognitive dissonance can arise:

  • Confirmation bias: People tend to seek information that confirms their existing beliefs and ignore information that contradicts them. This can lead SOC analysts to focus on the positive aspects of their tools and ignore their limitations.
  • Pressure to comply: SOC teams are often under pressure from management to demonstrate that they are effectively protecting the organization. This can lead them to exaggerate the capabilities of their tools to avoid criticism or the need to request additional resources.
  • Lack of knowledge: SOC analysts may simply be unaware of the limitations of their tools. This can be due to insufficient training, lack of time to learn all capabilities, or the fact that tools are constantly updated, making it difficult to keep up with all changes.

What can be done to address cognitive dissonance:

  • Raise awareness: It is important for SOC analysts to be aware of the limitations of their tools. This can be done through training and workshops, seminars with manufacturers, and by providing analysts with access to independent information about tool limitations and real-world case studies.
  • Create a culture of openness: It is important to create a culture where SOC analysts feel comfortable reporting problems with tools, “blind spots,” or inefficiencies. This can be done by encouraging open communication and ensuring analysts are protected from retaliation for reporting problems.
  • Use multiple tools with integration: Instead of relying on a single tool, SOC teams should use multiple tools, but with an emphasis on their integration, to gain a more complete picture of their IT environment. This will help them identify “blind spots” that may exist with any single tool and create a unified incident management center.

By addressing cognitive dissonance, SOC teams can significantly improve their ability to detect and respond to cyber threats, increasing the organization’s overall cyber resilience.

In addition to the above, it is important to note that cognitive dissonance can be a symptom of deeper problems within the organization. For example, if SOC analysts are constantly stressed and overworked, it will be harder for them to objectively evaluate their tools and their work. It is important for SOC leadership to address these underlying issues to create a more supportive environment for making informed cybersecurity decisions. This may include investing in additional resources, improving workstation ergonomics, and providing opportunities for professional development.

Effective strategy: how to break the “spiral of more”

To break the “spiral of more,” you need to get rid of ineffective solutions and choose those that truly work. Even better, invest in solutions that integrate into an overall hybrid strategy and help teams solve modern problems, rather than simply creating more work and “noise.” Excessive use of isolated tools that send different alerts to SOC analysts is unacceptable and creates favorable conditions for hybrid attacks. After all, hybrid attackers operate precisely in such complex environments, as it is easier for them to silently infiltrate, camouflage themselves, and advance within an organization.

To start winning, SOC teams need to think and act with the same speed and scale as hybrid attackers. Instead of viewing individual attack surfaces (endpoints, clouds, networks), they need to perceive them as a single large attack surface managed by one attacking entity.

But without visibility across the entire IT infrastructure, from operational technology (OT) to endpoints and cloud environments, your hybrid enterprise simply won’t be able to detect even the most common signs of an attack, such as:

  • Lateral movement: when an attacker moves between systems within the network.
  • Privilege escalation: when an attacker gains higher access rights.
  • Cloud account compromise: compromising accounts in cloud services.

That’s why Vectra’s Attack Signal Intelligence offers SOC teams worldwide unparalleled signal clarity, threat prioritization, and automated threat response powered by artificial intelligence. Vectra helps you break the “spiral of more” by stopping the most critical threats, focusing on adversary behavior, not endless alerts.

Vectra AI – a valuable asset for cybersecurity in Ukraine via NWU

In the current context of constantly escalating cyber threats and the need to ensure a high level of cyber resilience, Vectra AI solutions are strategically important for Ukrainian organizations. The war in Ukraine has significantly increased the level of cyberattacks, making reliable protection a critical necessity for all sectors of the economy and public administration.

Vectra AI is a powerful solution that can help organizations defend against the most complex attacks, including those leveraging GenAI (generative artificial intelligence). Thanks to its ability to accurately and quickly detect GenAI-driven attacks, as well as provide comprehensive visibility and ease of use, the Vectra AI platform is a valuable addition to any cybersecurity program, providing a new level of protection against the latest threats.

Vectra AI is a leader in detecting and responding to hybrid cloud threats based on security artificial intelligence. Only Vectra optimizes artificial intelligence to detect adversary methods — TTP (Tactics, Techniques, and Procedures), which are the foundation of all attacks — instead of simply alerting about “anomalies” or “other” events. The resulting highly accurate threat signal and clear context allow cybersecurity teams to quickly respond to threats and prevent attacks from escalating into full-blown breaches.

The platform and services of Vectra AI cover public cloud, SaaS applications, identity systems, and network infrastructure, both on-premises and in the cloud. Organizations worldwide rely on the platform and services of Vectra AI to achieve resilience against: ransomware, supply chain compromise, credential theft, and other cyberattacks. This is confirmed by numerous successful case studies in various industries – from finance to healthcare.

Thanks to NWU, the official distributor of Vectra AI in Ukraine, it is now possible for the domestic IT market to buy NDR (Network Detection and Response) from a global leader. NDR is an integral part of the SOC triad alongside SIEM and EDR, providing a full cycle of threat detection and response. This allows Ukrainian enterprises to significantly enhance their level of cybersecurity and more effectively counter modern threats, which is especially relevant in the context of hybrid warfare and constant cyberattacks.

Are you ready to break the “spiral of more” in your SOC and ensure robust protection against the most advanced cyber threats? To buy NDR for SOC or request a demo of the Vectra AI solution in Ukraine, contact NWU today.