Information Security / Too much of a good thing? Security teams are overcome by alerts
Too much of a good thing? Security teams are overcome by alerts
17 April 2019
There is a big problem facing the cyber-security industry right now – there are too many security products.
The cyber-security market sector has become over saturated with cyber-security products. At the last count there were more than 1,800 security vendors in the US alone, with an average of nine new vendors appearing every month. Add vendors in Europe, Israel and other parts of the world and the total number is near to 3,000.
Unpicking the problem
The problem lies in the fact that, despite there being such a high number of point product vendors, almost all of them address only a small area of the overall threat spectrum. Because of this, the sector is experiencing product chaos. Even highly experienced security professionals are unsure what many vendors’ solutions actually do, which ones they need, and how to differentiate between them; let alone how to implement and manage them when they have finally made a decision.
As most security products only address a limited subset of threats, organisations are forced to use multiple products in order to ensure they stay protected. The average enterprise uses between 25 and 30 security products, with this number rising to up to 100 for bigger organisations. The list of deployed solutions began with firewalls, VPNs, IDS/IPS, web and email content security, and gateway and endpoint AV, and has grown exponentially since then.
Drowning in alerts
Each security product creates multiple security alerts every day. To put into perspective just how unmanageable the volume of alerts currently is, research has revealed that 92 per cent of organisations receive more than 500 SOC alerts every day, with only 4 per cent of alerts being investigated by analysts. Security teams have become overwhelmed by security alerts, and presented with the challenge of how to decipher which of the hundreds are worth investigating. It is unsurprising that genuine threats are slipping through the net.
Therefore, this increasing volume of security products has not only increased the cost and complexity of the security ecosystem, it has simultaneously decreased its overall agility and effectiveness.
As each point product is essentially a security black box, integration is difficult. Security teams are having to monitor separate admin interfaces and dashboards, which creates a huge drain on efficiency.
Rather predictably, the security industry’s answer to integrating point products was to add yet more point products in the form of SIM/SEM – or SIEM – solutions. This additional layer promised to put security operations staff back in control by generating meaningful actionable alerts, but has instead brought its own set of problems. Many organisations struggle to extract value from their SIM/SEM deployment, and instead just have yet more alerts to attempt to investigate and analyse.
What is the solution?
Simply put, the security industry needs to stop adding yet more management layers, and instead define a properly integrated, automated approach that actually provides a solution rather than adding to this list of problems. Security vendors need to move away from the current black box approach, and make products which protect different threat vectors – for example, email, web, cloud and multi-factor authentication – interoperable.
This kind of connection between products will be accelerated in the near future by the deployment of intelligent adaptive automated solutions. These solutions will automatically cross-reference alerts, joining the dots between security products. This allows for automated threat prevention and response, to ultimately enhance security posture and reduce alert overload.
Once all security products are integrated within a single platform, there will no longer be a barrier up against sharing and exchanging short term security data on users, user actions, devices and content. This will mean that any single product could, in theory, automatically take actions based on observations drawn from other products. Shifting integrated security products from reactive to proactive will enable cyber attacks to be prevented automatically.
To read more about the alert overload issue the cyber-security sector is facing, and how “really, truly, fully automated cyber security” might just be about to become a reality, click here.
by Richard Walters, CTO, Censornet