The following is an excerpt from our recently published whitepaper, “Is ‘One-Click Remediation’ Intentionally Misleading SOC Teams?,” in which we discuss the misleading “one-click remediation” claims that many cybersecurity tool vendors are using in the marketplace.
False Narratives in the Cybersecurity Tools Market
Mature cybersecurity teams understand a harsh reality often ignored by legacy cyber tool vendors: correlation must not be confused with causation.
Ponemon Institute’s 2020 study showed that an average of 80% of successful cyber attacks in 2019 used techniques purposefully designed to thwart traditional rule-, threshold-, and signature-based systems. To combat this new reality, an effective cybersecurity system must be able to provide details about what happened before, during, and after the anomaly or control violation, in a context that is descriptive and easily understood by security analysts and business users alike.
With appropriate context, supporting details, and insight across data sources including (but not limited to) log, network, cloud, user, and API data, informed, automated, and accurate remediation can be derived. Absent those additional details, and relying exclusively on traditional rule or signature violations, “one-click” remediation is impossible and dangerous.
Want further evidence that automated remediation promises are falsely inflated by the vendors themselves? Look no further than the vast investment in technology, operations, and human operators deployed by companies like Twitter and Facebook to manage inappropriate users.
Have these technology and supporting human resource investments proven effective in “automatically” determining who, when, and most importantly, why an account or user should be blocked or terminated? The results have been polarizing at best, even with Facebook and Twitter’s unfiltered access to enormous volumes of data, huge teams of machine learning experts assigned to every “flagged account,” and open acknowledgement that significant additional investment is required.
Despite these very public shortcomings, the ultimate goal of providing automated detection, remediation, and prevention specifically for novel and zero-day attacks remains a priority for most cybersecurity organizations.