Security Alerts: Yes, that smell is a frog that is boiling.
We have all heard the story of the frog that you place in a pot of water, and turn up the heat. The frog doesn’t realize it is getting warm and eventually boils to death. There is no recognition of the gradual increase in heat.
Does the security industry realize that it is facing a massive personnel problem that is getting bigger every day and (to stick with the metaphor) and will soon, “boil over”?
Do they realize that this chasm is creating risks that are brutal and unsustainable?
Well, yes, the industry realizes this, in part. Just take a look at this Tech Crunch article posted about a week ago: The lack of cybersecurity talent is ‘a national security threat,’ says DHS official.
Is this a national security threat, really? Or is this an overstatement. We would argue that it is 100% true and the problem gets bigger by the day. There is a great deal of data to support these problems. (McAfee and Ponemon data around open analyst positions and also around data for alert volumes and false positives. Zero day alert increases.)
We recently wrote about this in a blog.
“Close to half of security analyst teams battle false positive rates of 50% or higher from their security tooling. Meantime, another report from the Ponemon Institute shows that as much as 25% of a security analyst’s time is spent chasing false positives—sifting through erroneous security alerts or false indicators of confidence—before being able to tackle real findings.Via Bitdefender.com
Despite the evidence of these problems, the industry is not moving very quickly to solve them.
Why? The answer is simple: Money.
When it comes to security products and toolsets, there is a lot of money changing hands every year – $125 billion in 2018 alone. No one really wants to talk about the fact that most security products are rules-based systems that may check a box for compliance but do not deliver intelligent, actionable data.
One thing they surely do deliver is a mountain of alerts that your CISO will have to hire someone to review. As one security professional told us recently: “All security products are dumb alerting systems.” These rules-based-systems are, by definition, not able to keep up with the changing and dynamic threat landscape.
So how can technology help? Unsupervised, third-wave AI can solve a couple of things.
Supervised, rules-based Machine Learning, although sometimes helpful, is not the solution the industry needs.
Supervised, or “rules-based AI” solutions not only will be ineffective in solving the problem of false positives, but in some cases, they present more problems of their own. Because Supervised AI systems require constant human training and tuning — and can take 6-24 months to become fully effective — they further stretch the limited resources security teams have available. These platforms also present a significant risk by exposing customers to new breaches because the data used to train them can be used adversarially against them.
The frog is getting warm. Very, very few companies are approaching the exploding alerts problem with a viable solution.