Reducing alert overload by integrating zero-trust technology as part of your security posture can help solve the headcount problem.
Without question, there’s an acute shortage of cybersecurity talent. Depending on whose numbers you believe, there’s something along the lines of 1 million open cybersecurity jobs in the world today. Gartner analyst Earl Perkins summarizes the problem best: there is a 0% unemployment rate in cybersecurity.
According to a survey conducted by Enterprise Strategy Group (ESG) and the Information Security Systems Association (ISSA), 33% of respondents said their biggest shortage of cybersecurity skills is in security analysis and investigations. Additional ESG research found that 54% of survey respondents believe their cybersecurity analytics and operations skill levels are inappropriate, and 57% feel they’re undermanned and underskilled in cybersecurity analytics and operations.
The age-old cure for any skills shortage is to outsource and make staffing someone else’s headache. In the cybersecurity market, this means turning to security service providers to augment or replace internal security functions. Considering the challenges above, it’s not surprising that event analysis and investigation is one of the prime areas of outsourcing for enterprise security organizations.
While outsourcing this function certainly shifts the burden of hiring onto the service provider, security remains a shared function. Recall the Target breach, where an outsourced team in India successfully identified the attack but sent the information to the client as one of the hundreds of routine “malware.binary” alerts, causing the internal security team to overlook the threat. Even though the outsourced team caught the threat, they still included so many other similar-yet-not-important events that the Target internal team could not discern the catastrophic from the trivial. Did the outsourced team do its job? Technically, yes, but practically, no – the client was breached.
Overcoming “alert tyranny” to reduce headcount
In a world where security incident response teams are inundated by alerts, most of which are unremarkable, it is unreasonable to expect humans to separate the needle from the haystack with anything approaching a high degree of proficiency. We call this “alert tyranny,” where MSSP business models are autocratically determined by the need to process alerts. For MSSPs, the stakes of the game are high. Their entire business is predicated on keeping clients secure. Every alert ignored is a potentially lost client and a damaged reputation, so their only option is to increase headcount to match the ever-growing flood of alerts. This headcount amounts to serious money that cannot be invested in other parts of the business.
Automation – particularly security orchestration systems – has been cited as a solution to help rescue beleaguered incident response teams and curb headcount growth. However, when it comes to alert overload, automation is not solving the problem. Instead, it is magnifying the inefficiency. Processing more “non-events” does not enable SOC operators to break out of alert tyranny because humans must perform the analysis and investigation. As a result, automation simply increases the velocity of nonproductive activity, and alert tyranny remains in power.
Here are some ways you can address these issues:
- Dramatically reduce the number of pointless alerts people must analyze. This would not only decrease headcount requirements; it would also make security orchestration systems more effective since actual threats could be introduced to the orchestration system with much greater accuracy and speed.
- Challenge the paradigm that all events received by the platform are good until matched against a correlation rule. Assume all events are bad until proven otherwise. Most security events are false positives or redundant security alerts. Analysts should only investigate these types of events once, then create dynamic rules to automatically triage the same events the next time they occur.
- Apply Zero Trust to your security architecture and firewalls, and focus on security events using supervised machine learning, in which every unknown security event is investigated every time.
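As an added illustration of the “assume bad until proven otherwise, investigate once, then auto-triage” approach in the list above (example code written for this page, not the author's or any product's), the simulation below runs a constructed alert stream through a default-deny triage loop. Every alert starts as unknown and goes to a human; the analyst's verdict becomes a dynamic rule, so repeats of a benign pattern are closed automatically while repeats of a confirmed-bad pattern are pushed to the front of the queue instead of being dropped. All sensor names, signatures and hosts are assumed values.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Alert:
    source: str     # sensor that raised it (constructed values below)
    signature: str  # detection name
    host: str

@dataclass
class ZeroTrustTriage:
    """Every alert is assumed bad until an analyst has investigated its pattern once."""
    rules: dict = field(default_factory=dict)    # (source, signature) -> verdict
    queue: list = field(default_factory=list)    # alerts still waiting for a human
    stats: Counter = field(default_factory=Counter)

    @staticmethod
    def pattern(alert: Alert) -> tuple:
        return (alert.source, alert.signature)

    def process(self, alert: Alert) -> str:
        verdict = self.rules.get(self.pattern(alert))
        if verdict == "benign":
            self.stats["auto_closed"] += 1      # investigated once already, close it
            return "auto_closed"
        if verdict == "malicious":
            self.stats["auto_escalated"] += 1   # known-bad pattern: front of the queue
            self.queue.insert(0, alert)
            return "auto_escalated"
        self.stats["unknown"] += 1              # default-deny: a human must look
        self.queue.append(alert)
        return "unknown"

    def resolve(self, alert: Alert, verdict: str) -> None:
        """Analyst verdict after one investigation; it becomes a rule for next time."""
        if verdict not in ("benign", "malicious"):
            raise ValueError(verdict)
        self.rules[self.pattern(alert)] = verdict
        self.queue.remove(alert)

def run_sample() -> ZeroTrustTriage:
    """Constructed stream: one noisy heuristic hit on 8 hosts, one real beacon seen 3 times.
    The simulated analyst investigates each new pattern once, then writes the rule."""
    stream = [Alert("edr", "av.heuristic.generic", f"ws{i}") for i in range(8)]
    stream += [Alert("fw", "c2-beacon", "ws3")] * 3
    triage = ZeroTrustTriage()
    for alert in stream:
        if triage.process(alert) == "unknown":
            verdict = "malicious" if alert.signature == "c2-beacon" else "benign"
            triage.resolve(alert, verdict)
    return triage
```

In this sample, 11 alerts produce only 2 human investigations: the 7 repeats of the benign pattern never reach an analyst, while the 2 repeats of the confirmed-bad pattern are pre-ranked rather than silently closed.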
Addressing alert tyranny will help reduce the need for additional headcount. Leveraging technology that applies zero trust to your security protocols is the most effective way to reduce alerts – alleviating the pressure to add cybersecurity professionals to your team.
By Alin Srivastava, VP of MDR Sales for CRITICALSTART
July 25, 2019