After years of the IT team banging their heads against the wall, the sheer volume of hacks and data breaches hitting the headlines on an almost daily basis has finally forced senior executives to sit up and take notice. It became undeniable that every organization was at risk of a breach and that a successful attack could result in significant financial and reputational damage.
As a result, businesses invested in a wealth of tools and solutions in an attempt to protect themselves against each and every type of attack. However, we are beginning to see a shift in the market as CISOs and security managers are moving away from buying ever more solutions and are instead focusing on consolidation and simplification of their security stacks.
The correlation between single-point solutions and false positives
Today, when a CISO joins a new company, they inherit a portfolio of solutions that generate more noise than a security team could possibly manage.
The first generation of security tools was made up of single-point solutions, each protecting a single vector. To protect themselves from a critical attack, organizations were required to procure dozens of these and roughly stitch them together into a patchwork of solutions that would protect their business and employees.
As many solutions of this type make decisions based on a single point of intelligence, they tend to err on the side of caution, raising an alert each time they notice something unusual. However, without any degree of certainty that what they’ve seen is actually malicious, many of the alerts raised will be false positives.
The result is more security alerts than even the most comprehensive security team could ever hope to investigate. That is detrimental both to the security of the organization, as true threats become a needle in a haystack, and to the job quality of those charged with investigating the alerts.
By way of illustration, a typical business will employ somewhere between 10 and 50 different security tools. Between them, these will create an average of 17,000 alerts each week, to which security teams will have to react. However, only 16% of these alerts are considered reliable, and investigating this huge volume of false positives can take up to 21,000 hours, costing the average organization around £1 million a year.
The task of investigating alerts is especially complicated by the fact that, with single-point solutions, the data is often siloed within the solution and cannot be cross-referenced or easily extracted. There’s no doubt that the patchwork approach to protection was better than no protection at all. But times have changed, and CISOs are now looking to find a way to turn down the noise and improve the efficiency of their overall security posture.
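To make the cross-referencing point concrete, here is an added example (not code from the original article or from any vendor it describes) of the simplest form of multi-source corroboration. The alert records, tool names, entity names and timestamps are constructed, and the 30-minute window and two-source threshold are assumed tuning values. Alerts from separate tools are clustered per entity into time-contiguous episodes; an episode is promoted to an incident only when at least two independent tools agree, and everything else is kept as low-priority residue rather than being raised as a separate alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three hypothetical single-point tools
# (an endpoint agent, a web proxy and an identity provider). In the siloed
# model each tool would surface these to an analyst independently.
ALERTS = [
    {"tool": "edr",   "ts": "2024-03-01T09:00:00", "entity": "host-17", "signal": "suspicious_powershell"},
    {"tool": "proxy", "ts": "2024-03-01T09:02:00", "entity": "host-17", "signal": "rare_domain"},
    {"tool": "idp",   "ts": "2024-03-01T09:03:00", "entity": "host-17", "signal": "impossible_travel"},
    {"tool": "edr",   "ts": "2024-03-01T10:00:00", "entity": "host-04", "signal": "suspicious_powershell"},
    {"tool": "edr",   "ts": "2024-03-01T10:01:00", "entity": "host-04", "signal": "suspicious_powershell"},
    {"tool": "proxy", "ts": "2024-03-01T11:00:00", "entity": "host-22", "signal": "rare_domain"},
    {"tool": "proxy", "ts": "2024-03-01T15:00:00", "entity": "host-17", "signal": "rare_domain"},
]

WINDOW = timedelta(minutes=30)  # assumed: alerts on one entity closer than this form one episode
MIN_SOURCES = 2                 # assumed: independent tools needed before an episode is an incident


def _parse(ts):
    return datetime.fromisoformat(ts)


def cluster_by_entity(alerts, window=WINDOW):
    """Group alerts per entity into time-contiguous episodes.

    Alerts are sorted by timestamp; a new episode starts whenever the gap
    to the previous alert on the same entity exceeds the window.
    """
    by_entity = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: _parse(a["ts"])):
        by_entity[alert["entity"]].append(alert)

    episodes = []
    for entity, items in by_entity.items():
        current = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if _parse(cur["ts"]) - _parse(prev["ts"]) <= window:
                current.append(cur)
            else:
                episodes.append((entity, current))
                current = [cur]
        episodes.append((entity, current))
    return episodes


def correlate(alerts, window=WINDOW, min_sources=MIN_SOURCES):
    """Split alerts into corroborated incidents and residual single-source noise."""
    incidents, residual = [], []
    for entity, items in cluster_by_entity(alerts, window):
        sources = sorted({a["tool"] for a in items})
        if len(sources) >= min_sources:
            incidents.append({
                "entity": entity,
                "sources": sources,
                "alerts": items,
                "first_seen": items[0]["ts"],
                "last_seen": items[-1]["ts"],
            })
        else:
            residual.extend(items)
    return incidents, residual


def triage_summary(alerts):
    """Counts an analyst would want on a dashboard: raw alerts in, incidents out."""
    incidents, residual = correlate(alerts)
    return {"raw_alerts": len(alerts), "incidents": len(incidents), "residual_alerts": len(residual)}


if __name__ == "__main__":
    incidents, residual = correlate(ALERTS)
    for inc in incidents:
        print(f"INCIDENT {inc['entity']}: corroborated by {', '.join(inc['sources'])} "
              f"({len(inc['alerts'])} alerts, {inc['first_seen']} .. {inc['last_seen']})")
    print(f"{len(residual)} single-source alerts left for low-priority review")
    print(triage_summary(ALERTS))
```

On the constructed input, seven raw alerts collapse into one incident on host-17 (endpoint, proxy and identity signals within three minutes of each other) and four residual alerts. The two repeated endpoint alerts on host-04 stay residual because a single tool repeating itself is not independent corroboration; that distinction is exactly what a siloed single-point product cannot make on its own.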
Rationalizing cybersecurity
Organizations are now working towards rationalizing their security solutions, cutting down to those that can give credible information and context about attacks. This means that the economics of security are changing. Single-point products are no longer in vogue; instead, organizations want fewer solutions and will prioritize those that reduce the noise and help analysts identify true threats.
For what it is worth, we believe the industry will consolidate down into three core layers: a good log collection and aggregation layer, a good Identity and Access Management layer, and a cyber threat detection and response layer. The detection and response layer must be able to access every layer of the technology stack in order to conduct cyber threat detection and autonomous response.
The greater level of accuracy delivered by this three-pronged approach means that CISOs and their security teams will face fewer false positive alerts, allowing them to dedicate more time to tackling real threats before they become a problem.
When it comes to stopping cyber-attacks as they grow in both number and sophistication, less is more. More security solutions just lead to more noise, overwhelming the analysts charged with protecting an organization. In an increasingly chaotic environment, simplification and consolidation are the best means of delivering greater efficiency, greater accuracy, and greater overall security.