Without question, there’s an acute shortage of cybersecurity talent, with approximately 1 million open cybersecurity jobs in the world today.
The age-old cure for any skills shortage is to outsource and make staffing someone else’s problem. In the cybersecurity market, this means turning to security service providers to augment or replace internal security functions. Considering today’s challenges, it’s not surprising that event analysis and investigation is one of the prime areas of outsourcing for enterprise security organizations.
While outsourcing this function certainly shifts the burden of hiring onto the service provider, security remains a shared function.
Recall the Target breach, where an outsourced team in India successfully identified the attack, but sent the information to the client as one of hundreds of routine “malware.binary” alerts, causing the internal security team to overlook the threat. Even though the outsourced team caught the threat, they still included so many other similar-yet-not-important events that Target’s internal team could not discern the catastrophic from the trivial. Did the outsourced team do its job? Technically, yes, but practically, no—the client was breached.
In a world where security incident response teams are inundated by alerts, most of which are unremarkable, it is unreasonable to expect humans to separate the needle from the haystack with anything approaching a high degree of proficiency. We call this “alert tyranny,” where managed security service provider (MSSP) business models are autocratically determined by the need to process alerts.
For MSSPs, the stakes of the game are high. Their entire business is predicated on keeping clients secure. Every alert ignored is a potential lost client and a damaged reputation, meaning increasing headcount may be their only option to match the ever-growing flood of alerts. Increasing headcount amounts to serious money that cannot be invested in other parts of the business.
Automation—particularly security orchestration systems—has been cited as a solution to help rescue beleaguered incident response teams and curb headcount growth. However, when it comes to alert overload, automation is not solving the problem. Instead, it is magnifying the inefficiency.
Processing more “non-events” does not enable SOC operators to break out of alert tyranny, because humans must perform the analysis and investigation. As a result, automation simply increases the velocity of nonproductive activity, and alert tyranny remains in power.
Here are some ways you can address these issues.
- Dramatically reduce the number of pointless alerts people must analyze. This would not only decrease headcount requirements; it would also make security orchestration systems more effective, since actual threats could be introduced to the orchestration system with much greater accuracy and speed.
- Challenge the paradigm that all events received by the platform are good until matched against a correlation rule. Assume all events are bad until proven otherwise. Most security events are false positives or redundant security alerts. Analysts should investigate each of these event types only once, then create dynamic rules that automatically triage the same events the next time they occur.
- Apply Zero Trust to your security architecture and firewalls, and focus on security events using supervised machine learning, in which every unknown security event is investigated every time.
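The triage model in the list above, as an added example that is not from the article: a deny-by-default engine in which every event is escalated until an analyst has investigated that exact pattern once and recorded a suppression rule, so repeats are auto-triaged while anything unknown is always escalated. The alert fields and the sample alerts are constructed assumptions, not any vendor's schema.

```python
from dataclasses import dataclass, field

# Constructed sample alerts: 200 "similar-yet-not-important" detections the
# AV already quarantined, then one with a new hash that was NOT blocked.
SAMPLE_ALERTS = (
    [{"sig": "malware.binary", "sha256": "abc1", "action": "quarantined", "host": f"ws-{i}"}
     for i in range(200)]
    + [{"sig": "malware.binary", "sha256": "def2", "action": "allowed", "host": "pos-042"}]
)


@dataclass
class TriageEngine:
    """Every event is 'bad until proven otherwise': nothing is suppressed
    until an analyst has investigated that exact pattern once."""
    known_benign: dict = field(default_factory=dict)   # fingerprint -> analyst note
    escalated: list = field(default_factory=list)
    suppressed: list = field(default_factory=list)

    @staticmethod
    def fingerprint(alert):
        # Key on what makes two alerts the same outcome: signature, file hash
        # and what the control did. Host is deliberately excluded so one
        # investigation covers the fleet; action is included so an "allowed"
        # event never inherits a disposition recorded for "quarantined".
        return "|".join((alert["sig"], alert["sha256"], alert["action"]))

    def process(self, alert):
        fp = self.fingerprint(alert)
        if fp in self.known_benign:
            self.suppressed.append(alert)
            return "suppressed"
        self.escalated.append(alert)   # unknown pattern: a human looks, every time
        return "escalated"

    def record_benign(self, alert, note):
        # The dynamic rule the analyst creates after the one-time investigation.
        self.known_benign[self.fingerprint(alert)] = note


def run_demo(alerts=SAMPLE_ALERTS):
    """Feed alerts through once; the analyst's decision is simulated as
    'quarantined by AV means contained'. Returns counts and escalated hosts."""
    engine = TriageEngine()
    for alert in alerts:
        if engine.process(alert) == "escalated" and alert["action"] == "quarantined":
            engine.record_benign(alert, "contained by AV; no follow-on activity")
    return {"escalated": len(engine.escalated),
            "suppressed": len(engine.suppressed),
            "needles": [a["host"] for a in engine.escalated]}
```

Of 201 alerts, the analyst sees two: the first instance of the contained pattern and the one unblocked execution, which is the needle the article says a flood of routine alerts hides.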
Addressing alert tyranny will help reduce the need for additional headcount. Leveraging technology that applies zero trust to your security protocols is the most effective way to reduce alerts – alleviating the pressure to add cybersecurity professionals to your team.