Even before the COVID-19 pandemic struck the globe in March, security operation teams were already struggling with a seemingly never-ending series of security alerts, as well as a growing number of sophisticated data breaches and other cyber-threats that can harm an organization.
A recent study by Forrester, The 2020 State Of Security Operations, found that nearly 80 percent of organizations had experienced a data breach in the last year, while 50 percent reported that a breach had occurred within the last six months.
All this happens within a backdrop of constant alerts. The Forrester report finds that the average SecOps team receives an estimated 11,000 alerts a day, but only 47 percent of those surveyed were able to address most or all of these daily alerts. The study also notes that about one-third of all alerts to the SecOps team are false positives, while 28 percent of interviewees admitted that some alerts are ignored since analysts struggle to keep up with the pace.
“Alarmingly, only 46 percent of security operations decision makers are satisfied with their current ability to detect threats,” according to the report. “They point to wasted time chasing false leads, poorly integrated security tools, and a large learning curve for effectively using those tools. This leads to low visibility and inefficient workstreams.”
The Forrester report itself is based on 315 interviews conducted with executives and administrators responsible for SecOps or incident response teams at their organizations, including those located in the U.S., the U.K. Germany, France, Australia, New Zealand and Canada.
What’s more important about the study, however, is its timing. The interviews were conducted in April, which meant SecOps teams were only then coming to grips with the shift to work-from-home—both for themselves and their organization’s employees and executives. Since that time, other studies have shown increasing concern about cybersecurity as the remote workforce looks to remain in place well into 2021.
All this added stress on networks and infrastructure is expected to put additional stress on SecOps teams.
“SecOps teams have been inundated since COVID began, as attacks have increased dramatically during this pandemic,” Cody Beers, a technical training manager at WhiteHat Security, which is based in San Jose, told Dice.
At about the same time that Forrester was conducting its survey, Tonya Ugoretz, the deputy assistant director of the FBI’s Cyber Division, told a gathering that the bureau’s Internet Crime Complaint Center had been receiving 3,000 to 4,000 cybersecurity threats each day, compared to the 1,000 daily complaints before the COVID-19 pandemic.
Under Pressure
The Forrester report notes that pressure on SecOps teams is mounting as data breaches become sophisticated and costly. The study suggests that the average breach can now cost an organization upwards of $7 million once the response, notifications, lost productivity, potential legal actions, regulatory fines and other liabilities are all factored in.
“In a review of the Forrester report, the number of companies that had a data breach within the last year is staggering,” Mike Weber, vice president at security consulting firm Coalfire told Dice. “However, the impact of a data breach can range from inconsequential to catastrophic. I would surmise that the vast majority of these are somewhere in between and that these were mostly not life-changing events for these organizations. This shouldn’t reduce the gravity of the report, though.”
At a time when breaches are increasing, SecOp analysts and staff feel overworked, with half of the Forrester survey respondents noting that they struggle to institute additional threat hunting programs to help supplement automated detection capabilities. This means that critical vulnerabilities or cyber threats can go undetected.
“Everybody talks about how core security is to the business. But look inside any business in the world and what you will find is a somewhat lackluster commitment to full cybersecurity support,” said Brandon Hoffman, the CISO of security and cloud firm Netenrich. “The majority of issues faced by organizations could be resolved by proper funding and cultural commitment to security initiatives. Lack of proper tooling, or adoption of purchased tools, and the lack of skilled people are a direct result of the lack of commitment. It is a constant struggle though because security is a cost center from a business perspective.”
ML & AI Skills
While the obvious answer to the problem of overworked SecOps teams is to hire talented and dedicated analysts, this is sometimes not practical. For one, study after study finds that there are simply not enough skilled cybersecurity workers to fill all the roles that are currently open.
“Over 40 percent of IT decision makers noted that they struggle to hire experienced security operations staff and hire enough analysts to manage the workload. At the same time, over a third indicated that as an organization, they struggle to retain good talent,” according to Forrester.
For security experts, this is where those with skills in machine learning and artificial intelligence (A.I.), can make the biggest impact since more aspects of SecOp should be automated. The Forrester study also makes the same point.
“If businesses want to better protect themselves, they need to take advantage of the advanced functionality offered in modern tools, the same technology available to attackers and fully empower their security personnel,” Hoffman told Dice. “Key steps would be to embrace automation to reduce false positives and employee fatigue and to focus on incident response and containment for the most critical functions and data for your organization.”
White Hat’s Cody Beers also agrees that organizations that value those who can implement machine learning and A.I. technologies into cybersecurity can help overcome some of the issues that SecOps teams are facing.
“Using A.I. automation and machine learning can be extremely useful for detecting true threats, and there are also products available today that deliver human-verified results directly to the client,” Beers said. “These types of tools can be integral to ensuring an expedited response to cyber-attacks, as well as reducing the time-to-fix windows for discovered vulnerabilities.”
Weber noted, however, that even with greater use of machine learning, A.I. and automation skills, cybersecurity remains an area that is constantly evolving and threat actors won’t stay still for long.
“Security is a continuous arms race, and there needs to be a formative change in the technologies that enable rapid and accurate responses to attackers supported with high-quality and actionable information,” Weber said. “Perhaps the future will bring A.I.-powered solutions that can anticipate malicious behavior before it happens? One can hold out hope for tomorrow, but as the saying goes, hope is not a strategy.”