Page 72 - Cyber Warnings
Adding Efficiency to Security
By Dave Thompson, Senior Director, Product Management, LightCyber
The words “operational efficiency” and “security” are rarely used together. I’m
amazed that after 20 years in the networking/network security industry, vendors get away with
hyperbolic messaging in place of substantive, objective evidence of value. A fundamental
problem in measuring an organization’s operational security effectiveness is the industry’s lack
of metrics that define what “success” looks like. Simply put, how much time and how many resources
should be spent on security, and how do you measure operational success?
Despite the fact that IT security product spending has grown rapidly to nearly $30 billion
per year, industry vendors haven’t been held accountable to justify the costs of new
security solutions. The result is that security practitioners are left with expensive solutions that
are not proven to help them achieve their mandate – to provide effective protection of critical
infrastructure, and to rapidly detect and respond to intruders that get in. As a result, security
practitioners generally feel overwhelmed and underappreciated, and that has to change.
One of the primary challenges for the security industry is the overwhelming and growing
volume of alerts coming from the growing number of incumbent security solutions (IDS,
sandbox, SIEM, or otherwise). The staggering volume of alerts wastes time and resources
spent triaging and researching the predominant volume of false positives. Increasing staff has
become challenging, with a worldwide shortage of a million security professionals. At the same
time, organizations have limited budgets and cannot continue to increase staff linearly to meet
the growing volume of security alerts.
How does a security operator even know where to start with that level of alerts, especially
considering that the large majority of them are false positives? Today, two-thirds of the security
staff’s time is wasted due to the gross inefficiency of their tools, according to the Ponemon
study, and only 4% of all alerts can generally be investigated. It is likely that several
of the 96% of ignored alerts convey something important. These kinds of statistics
would be completely unacceptable in other parts of the IT industry. Even major league baseball
would be appalled by such averages!
The flood of alerts overwhelms security organizations, making it nearly impossible to spot
anything that is truly representative of a real network attack. In short, the overwhelming majority
of security tools purchased today are primarily focused on detecting evidence of malware
based upon some static definition of an attack, such as a signature, hash, domain, predetermined
list of software behaviors, etc. These systems have obvious operational benefits, but also some
serious shortcomings that must be addressed to achieve acceptable operational efficiency.
First, since the overwhelming majority of malware that is seen (in email, at the perimeter, etc.)
does not actually “detonate” on a vulnerable host, it is not operationally relevant to the security
72 Cyber Warnings E-Magazine October 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide