Threat Information Overload is Overwhelming Security Analysts

Cyberthreats have come a long way since 1988, when Robert Tappan Morris released the first computer worm via the Internet. These days, threats are not only far more sinister, they are sophisticated and ubiquitous. And, as the recent White House security breach demonstrated, no organization is secure.

May 19, 2015


By Peter Woollacott


Preventing attacks has proven to be nearly impossible, so the security industry’s focus is turning to improved detection and response to attacks that have already occurred. This has spawned a plethora of detection and analysis technologies, but these have created a new dilemma: Security operations teams are now flooded with massive amounts of threat intelligence, and there are not nearly enough qualified personnel to keep up with this deluge of data.

This situation is compounded by the fact that accurate security decisions require all relevant information to be aggregated and interpreted, yet threat information continues to be gathered in isolated silos that are hard to correlate. Consequently, the analysis of threat information becomes a painstaking, time-consuming, manual and very expensive process. Just ask any security analyst.

Ponemon Institute's 2014 Global Report on the Cost of Cyber Crime revealed that it takes an average of 170 days from cyber infection to detection. That means organizations remain at risk for up to six months because current technologies simply can’t manage and interpret the avalanche of often very important data that is generated daily. In this environment, it is impossible for analysts to make rapid security decisions. This inability to deal with the information overload is characterized in Verizon’s 2015 Data Breach Investigations Report, where it observes that "99.9 percent of the exploited vulnerabilities had been compromised more than a year after the associated CVE (Common Vulnerability and Exposures) was published."

In a recent discussion I had with MSSP Datacom TSS, I was told, "It can take more than 600 hours to collect and triage the mountain of information necessary to resolve just a single complex incident." By that time it could be too late to prevent loss.

Some of the world’s biggest consulting firms are trying to tackle the threat epidemic head on. For example, there’s industry talk of the Big 4—PwC, Ernst & Young, Deloitte and KPMG—each hiring more than 5,000 security engineers in the near future. Also, according to the U.S. Department of Labor, growth in cybersecurity analyst jobs is rising “much faster than average,” with a predicted increase of 37 percent through 2022. If these trends hold true, there will continue to be a deficit of these highly skilled personnel for some time to come.

So, throwing more personnel at the problem is not sustainable, nor is the acquisition of more technologies that demand these levels of resourcing. There are simply not enough experts—with the knowledge and analytic skills necessary to meet the increasing demand—to go around.

Compounding the issue is the evolution of cyberattacks from opportunistic threats to more targeted techniques and quarry. Today, attackers target specific networks and individuals for very specific purposes, using guile and persistence to infiltrate a system—where they sometimes linger, as the figures above suggest, for months (or years) before revealing a malicious presence.

Detection solutions developed to combat known threats are unequipped to detect malware designed to evade today’s security protection systems. This means that security analysts today are either oblivious to these types of stealth attacks or, where multiple threat detection technologies have been deployed, deluged with so many pings and warnings that they cannot manually prioritize threats fast enough to limit the organization’s time at risk.

Because time is of the essence in addressing security breaches, relying on manual processes and limited human resources adversely impacts an organization’s time-to-resolution. Organizations must therefore augment their security systems with automated threat management solutions that aggregate these threat information silos to connect network and endpoint solutions with automated routine analyses to detect, evaluate and verify threats from a single screen.
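The aggregation described above, reduced to its core: correlating alerts from two silos (a network sensor and an endpoint agent) by host and time window, and ranking the resulting incidents so an analyst sees the corroborated case first. This is an added illustration, not code from the author or from Huntsman Security; the alert formats, the scoring rule and the sample alerts are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from two silos (hypothetical formats, no real vendor schema).
NETWORK_ALERTS = [
    {"ts": "2015-05-19T10:00:05", "host": "10.0.0.12", "sig": "outbound beacon to listed C2", "sev": 3},
    {"ts": "2015-05-19T10:01:10", "host": "10.0.0.40", "sig": "inbound port scan", "sev": 1},
]
ENDPOINT_ALERTS = [
    {"ts": "2015-05-19T10:00:30", "host": "10.0.0.12", "sig": "unsigned binary added run key", "sev": 2},
    {"ts": "2015-05-19T14:00:00", "host": "10.0.0.12", "sig": "new local administrator created", "sev": 2},
]

WINDOW = timedelta(minutes=10)  # assumed corroboration window


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def correlate(network, endpoint, window=WINDOW):
    """Merge both silos, group by host, and return incidents ranked by score.

    Score = sum of alert severities for the host, doubled when a network alert and an
    endpoint alert on that host fall within `window` of each other (two independent
    sensors agreeing is worth more than either alone). Scoring rule is an assumption.
    """
    by_host = defaultdict(list)
    for source, alerts in (("network", network), ("endpoint", endpoint)):
        for a in alerts:
            by_host[a["host"]].append(dict(a, source=source, t=parse(a["ts"])))

    incidents = []
    for host, alerts in by_host.items():
        alerts.sort(key=lambda a: a["t"])
        corroborated = any(
            a["source"] != b["source"] and abs(a["t"] - b["t"]) <= window
            for a in alerts for b in alerts
        )
        score = sum(a["sev"] for a in alerts) * (2 if corroborated else 1)
        incidents.append({"host": host, "score": score, "corroborated": corroborated,
                          "timeline": [(a["source"], a["sig"]) for a in alerts]})
    incidents.sort(key=lambda i: i["score"], reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in correlate(NETWORK_ALERTS, ENDPOINT_ALERTS):
        print(inc["score"], inc["host"], inc["corroborated"], inc["timeline"])
```

The host with a beacon seen on the wire and persistence seen on the endpoint within the same minutes lands at the top; the lone port scan stays at the bottom of the queue.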

Merely throwing expert personnel at the issue of increasing security risk is a non-sustainable approach. This could turn out to be a great decade to be a CSO, but without applying advanced automated analytics to the issue of security forensics and improving time-to-resolution, security threat managers will have little impact on the enterprises they are charged with protecting.

Peter Woollacott is founder and CEO of Huntsman Security, which recently launched in the United States, and its parent company, Tier-3, in Australia. He is an expert in cyber risk and security solutions.
