Late last year, a study by the US National Institute of Standards and Technology (NIST) took an in-depth look at a phenomenon called “security fatigue.” Researchers found that a majority of the individuals they interviewed (20- to 60-year-olds in a variety of jobs and in rural, urban and suburban environments) experience a weariness or reluctance to deal with computer security. Being bombarded every day by an increasing number of warnings and bad news about the latest attack isn’t bolstering their resolve to deal with the bad guys. In fact, they’re feeling a sense of resignation and loss of control. That isn’t to say we should stop the awareness and education, but we need to devise better and easier ways to empower individuals to protect themselves.
We’re seeing security fatigue on the corporate side as well, but with a twist. Organizations are growing weary of the same old stream of promises they’ve heard from security vendors for years. “We’ll help you consolidate dozens of security vendors for more effective and simpler protection.” Or, “We’ll provide a single pane of glass and all your security visibility and management headaches will go away.” But all this talk is just that – talk.
As I’ve discussed before, in the face of rising complexity and scarce resources, organizations are looking to improve their security posture while making the best use of existing security teams and technology. How do more one-off APIs or another management interface that your security staff need to master and deploy help you reach your goals as a security organization? The answer is: they don’t. Organizations need an approach they can act on now.
Most security professionals are having trouble strengthening their defenses in the face of a rapidly evolving threat landscape and feel they are being left behind. This may cause you to think more threat intelligence will help. But organizations typically have more threat intelligence than they know what to do with. They have multiple data feeds, some from commercial sources, some open source, some industry and some from their existing security vendors – each in a different format. On top of that, each point product within their layers of defense has its own intelligence.
More threat data isn’t necessarily the solution – in fact, it will likely add to the data overload. What you need is a single source of truth. I’m not talking about “the great and powerful Oz” from The Wizard of Oz (who we know was a sham), but the ability to curate the intelligence you do have – both external and internal – so that it’s contextualized, relevant and prioritized, and available to all from a central repository. Then you have a fighting chance against the bad guys.
Harnessing the power embedded in disparate sources of threat data requires aggregating it and translating it into a uniform format for analysis and action. You then need to augment and enrich it with additional internal and external threat and event data. By correlating events and associated indicators from inside your environment with external data on indicators, adversaries and their methods, you gain additional and critical context to understand what is relevant and high-priority to your organization. You now have a single source of truth built from your existing threat data.
You also need to empower your existing security team to apply that curated threat intelligence for better decisions and action. That’s where collaboration and automation come in. The repository can become a hub for storing threat intelligence. As security teams add comments and regularly update the data in the repository, it becomes embedded in the processes for collaboration and decision making. Integrating that repository into other existing systems – including, but not limited to, SIEM, log repositories, ticketing systems, incident response platforms, orchestration and automation tools – will allow the various teams to use the tools and interfaces they already know and trust to act on that intelligence.
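The aggregate-normalize-enrich-prioritize pipeline described in the two paragraphs above, as an added example that is not part of the original post or any vendor's product: three constructed feeds in different formats (JSON, CSV, a bare text list) are translated into one schema, merged into a single repository, and then correlated with constructed internal events of the kind a SIEM would export, so that an indicator actually seen on your own hosts outranks one that is merely high-confidence. The feed names, field names, the default confidence of 50 for untyped lists and the priority formula are all assumptions.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample feeds in three formats; values come from documentation ranges, not real indicators.
FEED_JSON = ('{"indicators": [{"type": "ipv4", "value": "203.0.113.10", "confidence": 80}, '
             '{"type": "domain", "value": "bad.example", "confidence": 60}]}')
FEED_CSV = "type,value,confidence\nipv4,203.0.113.10,50\nsha256," + "a1" * 32 + ",90\n"
FEED_TXT = "198.51.100.7\nbad.example\n"   # bare list as shared by an industry group
FEEDS = [("commercial-feed", "json", FEED_JSON), ("vendor-feed", "csv", FEED_CSV), ("isac-list", "txt", FEED_TXT)]

# Constructed internal events, shaped like a SIEM or proxy log export.
INTERNAL_EVENTS = [{"host": "ws-17", "dst_ip": "203.0.113.10"}, {"host": "ws-17", "domain": "bad.example"},
                   {"host": "srv-02", "dst_ip": "203.0.113.10"}]

def normalize(source, fmt, raw):
    """Translate one feed into the uniform (type, value, confidence, source) schema."""
    if fmt == "json":
        return [(i["type"], i["value"], int(i["confidence"]), source) for i in json.loads(raw)["indicators"]]
    if fmt == "csv":
        return [(i["type"], i["value"], int(i["confidence"]), source) for i in csv.DictReader(io.StringIO(raw))]
    if fmt == "txt":  # bare list: infer the type from its shape and assign an assumed default confidence of 50
        return [("ipv4" if v.replace(".", "").isdigit() else "domain", v, 50, source)
                for v in (line.strip() for line in raw.splitlines()) if v]
    raise ValueError(f"unknown feed format: {fmt}")

def aggregate(feeds):
    """Merge all feeds into one repository keyed by (type, value): highest confidence wins, every source is kept."""
    repo = {}
    for source, fmt, raw in feeds:
        for t, v, c, s in normalize(source, fmt, raw):
            entry = repo.setdefault((t, v), {"confidence": 0, "sources": set()})
            entry["confidence"] = max(entry["confidence"], c)
            entry["sources"].add(s)
    return repo

def enrich_and_prioritize(repo, events):
    """Correlate internal events with the repository; priority = confidence * (1 + distinct hosts that touched it)."""
    sightings = defaultdict(set)
    for e in events:
        for field in ("dst_ip", "domain"):
            if field in e:
                sightings[e[field]].add(e["host"])
    ranked = [{"type": t, "value": v, "confidence": d["confidence"], "sources": sorted(d["sources"]),
               "hosts": sorted(sightings.get(v, ())), "priority": d["confidence"] * (1 + len(sightings.get(v, ())))}
              for (t, v), d in repo.items()]
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)
```

The ranked output is what you would push back into the ticketing or SIEM integrations mentioned above; the duplicate IP reported by two feeds collapses into one entry that records both sources.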
With cyber attacks increasing in volume, velocity and sophistication, and security vendors making the same promises year in and year out, it can be hard to avoid security fatigue. A single pane of glass isn’t the cure. The place to start is with the single source of truth for all your threat intelligence so that you can act swiftly and decisively to better protect against the most relevant threats you face. And, truth be told, isn’t that the cure for what’s ultimately ailing your organization?