Talent, Technology and Process Can Deliver Relief From Security Alert Overload
Last month marked the 50th anniversary of the Apollo 11 moon landing. Most of us watched at least one special and the TV images at the time were so grainy it’s striking, given our high-resolution screens of today. We’ve gone from tiny monitors where you could see individual pixels, to refresh rates so frequent and pixels so dense that the difference between what’s real and what’s displayed is no longer discernible to the human eye. Having solved the initial challenge, manufacturers are innovating in different ways to deliver value to users, for example through connectivity options, brightness, thinness, and curve.
We’re experiencing a similar phenomenon in security. We now collect security data from hundreds of different types of devices – not just firewalls, but laptops, smartphones, routers, switches, the cloud, web servers, and an ever-expanding array of IoT devices. The volume, velocity, and variety of data in the Security Operations Center has exceeded human capacity for interpretation. While we can’t turn our attention away from gathering data, we must devise new ways to deal with the onslaught of data. Humans simply can’t keep up, and the problem is getting worse. Respondents to the Cisco 2019 CISO Benchmark Study say they are responding to fewer alerts than ever, 50.7% in 2018 vs 55.6% in 2017. They also report that number of legitimate alerts that get remediated has dropped to only 42.8% in 2018 vs 50.5% in 2017.
So, what do we do? There are three ways to tackle the challenge – talent, technology, and process. Let’s look at each.
1. Talent: As a security professional, your first inclination may be to try to hire your way out of the problem, but skilled resources are hard to find and even harder to retain. The industry already faces a cybersecurity talent shortage. Despite an emphasis on programs to fill the talent pipeline, relying on people to make sense of the growing mound of data isn’t a viable strategy. Furthermore, even if you do manage to increase your staff, you are likely to experience turnover due to burnout. This leaves you with two other options to pursue – technology and process.
2. Technology: The Cisco 2019 CISO Benchmark Study also reports that 79% of respondents find it is somewhat or very challenging to orchestrate alerts from multiple vendor products, compared to 74% in 2018. Security teams are gaining efficiency by lowering the number of security vendors. Cybersecurity vendors can help by providing an enterprise security architecture that aligns with and advances your business initiatives and streamlines integration across multiple, individual products and platforms. Integration can also allow you to take advantage of custom automation capabilities so that your multiple best-in-class offerings work in concert to deliver security that is less complex and more effective. For example, something as simple as applying automation to pull data from these different security products and aggregating them into a single, easy to read pane can save a tremendous amount of time and frustration while delivering greater visibility and control. Security analytics, machine learning, and artificial intelligence can also help by automating the initial stages of alert prioritization and management. With consolidation and integration, your overall security posture gets better – it becomes easier for human to interpret vast amounts of data, expenses go down, and you’re fundamentally more secure.
3. Process: Managed detection and response (MDR) services have emerged to ease the burden on security teams of dealing with a growing volume of tickets that managed security service providers (MSSPs) directed their way to investigate. MDR service providers offer an end-to-end service that includes security monitoring, advanced threat detection, and incident readiness and response. These services are delivered by highly skilled teams with access to technology like big data platforms and advanced analytics to quickly separate non-events from serious events, eliminate blind spots, and mitigate risk. Incident response retainer services are changing too, enabling you to become more proactive. When these third-party experts aren’t actively engaged in incident response, they’re helping you and your team sharpen your skills and improve your security posture. They provide a range of services including working with you to develop IR plans, conducting readiness and compromise assessments, engaging in red team/blue team and purple teaming exercises, and leading cyber range workshops. These services focus on improving preparedness, response, and resiliency.
Display technology will continue to evolve and it’s exciting to imagine the viewing experience when humans land on Mars in the future. It’s also exciting to think about how the security industry will continue to innovate. There will always be new devices and systems generating more data and alerts to analyze and understand. Our opportunity is to find new ways to handle the exponential increase in data and resulting alerts. A critical component is the new security industry imperative around customer experience (CX), where the lines between products and services are blurring as the emphasis shifts to total solutions. CX is becoming a key driver for success for security professionals and their organizations and that’s good news, as it’s the blending of all your options – talent, technology and process – that will deliver relief from alert overload.