Is Security Team Inefficiency Killing The Ability To Find Network Intruders?
With dwell time still averaging about five months, it’s clear that today’s approach to detecting a network intruder or a malicious insider simply is not working. Even with the best preventative security, attackers will find a way to compromise a user. There are far too many ways for a dedicated attacker to find a gap in defenses and break into a network.
The challenge is how to find the attacker early in the process before theft or damage can occur. While very few enterprises have the ability to find an active attacker, many do receive signs of their presence. One problem is the ongoing issue of accuracy and efficiency. Security practitioners are bombarded with large volumes of security alerts, forcing them to review or triage only a small fraction of them. One industry report claims that this number is as low as 4%. If a security professional can only review 4% of all alerts, what are the odds they will find signs of real attacker activity? What are they missing in the other 96% that go untouched?
The efficiency problem is a staggering issue that has become an accepted part of security infrastructure and practice. It keeps the odds squarely against a security team and leaves plenty of margin for attackers to hide.
How many alerts do your security systems generate per day? Chances are you have never added them up. It is worth pausing for a moment to consider the total number of security alerts besieging your organization. Try the new SOC OPEX calculator we just introduced as a free tool for industry professionals to set your own benchmark.
The other issue that goes hand in hand with efficiency and volume is accuracy. Accuracy can be regarded as the value of each alert in terms of disposition by a security operator. In other words, what did the operator do with an alert? Ideally, the alert points to attack activity or, perhaps, risky behaviors or configurations that potentially harm the organization.
Today, many organizations find that the majority of their security alerts are false positives. Investigating these false positives not only increases security operating budgets, it also prevents analysts from reviewing the alerts that matter. What proportion of your alerts are false positives? What kind of accuracy or value do your alerts carry?
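The two measures discussed above, coverage (what fraction of alerts anyone actually looked at) and accuracy (what an analyst's disposition turned out to be), are straightforward to compute from a triage log, and doing so per detection source shows where the false-positive budget is going. The following Python is an added example written for this article, not code from the original post or from the vendor's calculator; the alert records, the source names (`ids`, `edr`, `dlp`) and the hourly rate are all constructed, and the "expected missed" figure is a deliberately naive estimate that assumes untriaged alerts have the same true-positive rate as the ones that were triaged.

```python
"""Per-source triage coverage, precision and false-positive cost from a disposition log."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records: (source, analyst disposition, minutes spent in triage).
# Disposition is "true_positive", "false_positive" or "untriaged" (never reviewed).
SAMPLE_ALERTS = [
    ("ids", "false_positive", 12), ("ids", "false_positive", 9),
    ("ids", "true_positive", 40),  ("ids", "untriaged", 0),
    ("ids", "untriaged", 0),       ("ids", "untriaged", 0),
    ("edr", "true_positive", 35),  ("edr", "true_positive", 28),
    ("edr", "false_positive", 10), ("edr", "untriaged", 0),
    ("dlp", "false_positive", 8),  ("dlp", "false_positive", 7),
    ("dlp", "false_positive", 9),  ("dlp", "untriaged", 0),
    ("dlp", "untriaged", 0),
]


@dataclass
class SourceStats:
    total: int = 0
    true_positive: int = 0
    false_positive: int = 0
    untriaged: int = 0
    triage_minutes: int = 0   # analyst time spent on this source, all dispositions
    fp_minutes: int = 0       # the share of that time spent on false positives

    @property
    def triaged(self) -> int:
        return self.true_positive + self.false_positive

    @property
    def coverage(self) -> float:
        """Fraction of this source's alerts that an analyst reviewed at all."""
        return self.triaged / self.total if self.total else 0.0

    @property
    def precision(self) -> float:
        """Of the alerts reviewed, the fraction that were real (the 'accuracy' of the source)."""
        return self.true_positive / self.triaged if self.triaged else 0.0

    @property
    def expected_missed(self) -> float:
        # Naive estimate (assumption): the untriaged backlog has the same hit rate
        # as the reviewed alerts, so precision * backlog is the number of real
        # incidents probably sitting unread. Zero precision means no evidence either way.
        return self.untriaged * self.precision


def summarize(alerts) -> dict:
    """Aggregate a list of (source, disposition, minutes) records per source."""
    stats = defaultdict(SourceStats)
    for source, disposition, minutes in alerts:
        s = stats[source]
        s.total += 1
        s.triage_minutes += minutes
        if disposition == "true_positive":
            s.true_positive += 1
        elif disposition == "false_positive":
            s.false_positive += 1
            s.fp_minutes += minutes
        elif disposition == "untriaged":
            s.untriaged += 1
        else:
            raise ValueError(f"unknown disposition {disposition!r} for {source}")
    return dict(stats)


def overall(stats: dict) -> dict:
    """Roll the per-source numbers up into the organization-wide picture."""
    total = sum(s.total for s in stats.values())
    triaged = sum(s.triaged for s in stats.values())
    tp = sum(s.true_positive for s in stats.values())
    return {
        "total": total,
        "triaged": triaged,
        "coverage": triaged / total if total else 0.0,
        "precision": tp / triaged if triaged else 0.0,
        "fp_minutes": sum(s.fp_minutes for s in stats.values()),
        "expected_missed": sum(s.expected_missed for s in stats.values()),
    }


def rank_sources_by_fp_cost(stats: dict) -> list:
    """Sources ordered by analyst minutes burned on false positives, worst first."""
    return sorted(((src, s.fp_minutes) for src, s in stats.items()),
                  key=lambda item: item[1], reverse=True)


def fp_cost(stats: dict, hourly_rate: float) -> float:
    """Money spent triaging false positives; hourly_rate is a hypothetical input."""
    return overall(stats)["fp_minutes"] / 60.0 * hourly_rate


if __name__ == "__main__":
    per_source = summarize(SAMPLE_ALERTS)
    for src, s in per_source.items():
        print(f"{src}: coverage={s.coverage:.0%} precision={s.precision:.0%} "
              f"fp_minutes={s.fp_minutes} expected_missed={s.expected_missed:.1f}")
    print("overall:", overall(per_source))
    print("worst offenders:", rank_sources_by_fp_cost(per_source))
```

Ranking sources by false-positive minutes rather than by raw alert count is the point of the exercise: a noisy source with zero observed precision (here the constructed `dlp` feed) is the one to tune or suppress first, while the backlog estimate highlights where unreviewed alerts are most likely to hide real activity.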
For many, the situation is that they are flooded by the sheer number of daily alerts they receive and consider most of them to be false positives. Common thinking is that there are too many alerts to triage, but it really doesn’t matter too much because most of them are false positives anyway. While this justification is understandable, it is also troubling. Somewhere in the large number of untouched alerts may be a vital indication that an attacker is at work in your network.
For years, security vendors have produced tools and systems whose excessive alerts and lack of accuracy have been overlooked by customers. Now, with the mounting issues of network attacks, the shortage of security professionals and the need to enable new digital initiatives for the corporation, the tolerance for excessive alerts and low accuracy is waning.
According to one Ponemon report, over half of a security professional’s time may be wasted due to the low efficiency and accuracy of security alerts. At a time when there is a premium on a security professional’s time, the situation becomes intolerable.
Here’s an infographic that highlights the issue. Determine how much money your company spends triaging security alerts, including false positives, with the SOC OPEX calculator. Moreover, consider the question: do you know if there is an active attacker in your network? How can you tell? What is your level of confidence? With your own assessment and by addressing these questions, you can start planning to revitalize the way security works in your organization.