Running on empty: why security teams are facing cyber-fatigue


Usually, competition between products works to the benefit of an industry. Each competing vendor is spurred on to innovate, ultimately driving the market forward and, in theory at least, delivering the best overall output to customers. However, the security industry is at the point of saturation, and currently struggling to cope with the sheer volume of point products at its disposal. There are more than 1,800 security vendors in the US alone, with an average of nine new vendors emerging each month. When you take into account the vendors in Europe, Israel and other parts of the world, this total rises to nearer to 3,000.

Yet, despite the vast number of products to choose from, almost all address only a limited subset of security issues. The cybersecurity market has become swamped with products, which just aren’t doing enough to individually cover the spectrum of potential threats.

As a result of this, even highly experienced security professionals are baffled by what many vendors’ solutions actually do, which ones they need, and how to differentiate between them. All of these problems come before they even begin to approach implementation and management of the products they decide to use, highlighting just how complicated the process has become.

More products, more problems

The increasing volume of security products has not only increased the cost and complexity of the security ecosystem, it has simultaneously degraded overall security, agility and – ultimately – efficiency.

Every security product generates multiple alerts every day. The average enterprise uses between 25 and 30 security products, due to the previously mentioned issue of each product only addressing part of the threat spectrum. This range of products can produce a total of more than 500 SOC alerts in one day. Considering that a single analyst can only handle around 10 of these, there is a glaringly obvious imbalance which needs to be addressed. In fact, research has revealed that analysts are only able to investigate four per cent of the alerts that they receive. These figures make it clear that dealing with all of these alerts is not just overwhelming, but simply unmanageable. Security teams are being left with no time for proactive threat-hunting, or searching for indicators of compromise. Therefore, it is unsurprising that genuine threats are slipping through the net every single day.

Even larger enterprises - which may use up to 100 security products - can’t cope with the endless stream of alerts they are being bombarded with, despite having more resources. Due to the rapidly escalating skills gap in the cybersecurity industry, it isn’t a viable option for these organisations to fund exponential growth of their security teams. Recent figures suggest that there could be as many as 3.5 million vacant positions in the industry by 2021, meaning that this problem is only going to intensify. With larger businesses struggling to stem the flow of alerts, the situation is looking increasingly bleak for smaller enterprises.

Unsurprisingly, the security industry’s response to this problem was to introduce even more point products in the form of SIM/SEM - or SIEM - solutions. Instead of handing control back to security operations staff by generating meaningful actionable alerts, this additional layer has actually plunged organisations into deeper cybersecurity chaos. Many face a constant struggle to extract value from their SIM/SEM deployment, creating - you guessed it - more alerts for security professionals to sift through and analyse. 

Thinking outside the black box

Integrating a company’s security products seems like the most logical solution but, unfortunately, with point products this is problematic, because each one is essentially a security black box. Security teams are, therefore, being forced to observe multiple admin interfaces and dashboards in order to attempt to keep their organisations secure, which is creating a huge drain on efficiency. Understandably perhaps, there’s a deep-rooted reluctance for individual vendors to open up their products to enable a fully automated response. Some argue this makes them less secure or more susceptible to attack but, whatever the reason, the vendors’ black boxes remain firmly closed.

Yet, it’s clear that security vendors need to alter their methods, as the current black box approach is consistently failing security teams. New products should be interoperable, protecting against different threat vectors, such as email, web, cloud and multi-factor authentication, simultaneously.

Integration and autonomy is the answer

It is now evident that papering over the cracks left by point products with more management layers is creating more problems rather than solutions. Simply put, a properly integrated, autonomous security response is needed - one that prevents attacks before they even occur. Once all security products are integrated within a single platform, there will no longer be a barrier to sharing and exchanging short-term security data on users, user actions, devices and content.

Theoretically, this would mean any single product could intervene autonomously based on information collected by other products. If integrated security products become proactive rather than reactive, cyberattacks will be prevented automatically.

As a result, organisations could be led from the current overwhelming sea of alerts to the greener grass of low risk, low cost and limited liability.

Richard Walters, CTO, Censornet