Thousands of tools to choose from, but nearly half of security alerts go uninvestigated. Feel familiar?Hunters are fond of saying, “there’s no such thing as bad weather, only bad gear.” Essentially, if you have the right tool, no challenge is insurmountable. The cybersecurity industry agrees, it would seem, considering 72% of CISOs say they favor buying best-of-breed solutions over integrated ones because they are better suited to specific needs. With all due respect to hunters, when it comes to cybersecurity, the right tools are only half the story.
According to the 2018 Annual Cybersecurity Report published yesterday by Cisco, 41% of organizations are using technologies and services from as many as 50 different vendors. Let that sink in for a minute. As many as 50 different vendors. With numbers like that, it’s easy to see why global spending on cyber security technologies and services is expected to hit $1 trillion by 2021.
Too many tools, not enough peopleWith a broad ecosystem of security tools comes the need for someone to manage them. Adding people is already a well-known challenge, with a predicted 3.5 million unfilled security jobs by 2021. Recruiting skilled talent is exceedingly tough, pitting organizations against each other to battle it out for a small pool of security analysts.
Finding security employees is just as tough as keeping them. In fact, 49% of cybersecurity professionals are solicited by recruiters to consider a new security job at least once per week. This lack of trained personnel will continue to be a significant obstacle for most organizations for the foreseeable future; 27% of CISOs claim it is their largest obstacle to security. The skills shortage makes the need for orchestration of not only the tools, but all of the day-to-day processes in a SOC, even more paramount.
The challenge of orchestrationUnsurprisingly, this proliferation of tools creates orchestration and integration challenges. Cisco’s study found the more technologies a company uses is directly correlated with challenges in orchestrating and managing alerts. Security operations centers blend people, processes and technology to keep organizations safe. How these three components work together ultimately determines the success of any SOC. That’s where security orchestration comes in. This large proliferation of security tools has a downstream effect on the day-to-day operations of the security team. Analysts’ workflow and team processes are affected by the addition of every new tool.
Without orchestration to help teams manage their daily barrage, alerts often slip through the cracks without being investigated. The vast majority of CISOs - 93% - report experiencing security alerts, but an average of 44% of total daily alerts received aren’t investigated. And nearly half of alerts deemed legitimate go unremediated. This leaves organizations highly vulnerable to a breach due to missing or not addressing an incident, despite their security tools triggering an alert.
Defining insanityIt would seem that with the obvious challenges of orchestration, finding talent and an unmanageable load of security alerts that organizations would put security orchestration and automation technologies at the top of their budget lists. However, that doesn’t appear to be the case. Given more budget and more staffing, most organizations prioritize additional protection and detection tools. Tools that will - you guessed it - require more management and generate more alerts for security analysts to investigate and address. Isn’t it weird that we don’t seem to be getting it despite the problems staring us right in the face?
A holistic approachOrganizations of all types must start thinking about security orchestration now. The number of security tools companies use is only going to increase and an end to the skills shortage is nowhere in sight.
In order to make the most of their ecosystem of tools and streamline their internal processes, SOCs should look for solutions that take a holistic approach to orchestration. This means not only integrating the technologies they currently use (and will add in the future), but also bringing together all of the components of your security operations - response, automation, collaboration, reporting - to maximize the effectiveness of your tools and the efficiency of your team.
The right gear is certainly important in today’s ever-changing threat landscape. But to truly stay ahead of cyber threats, organizations must focus on how to make all their various tools work in concert to help, not hinder, the flow of activity of their overall security operations.