There is no denying that we live in an age of efficiency. Gone are the days of 450 television channels; the appeal now is a curated experience through a Netflix subscription. The “less is more” strategy may have started as an architectural design concept, but it is now taking over every part of today’s cultural landscape. In medicine, the health care industry has taken heat for wasteful spending and unnecessary tests that lead to false positives, so the shift has been toward patient-centered care. Why shouldn’t the same be true for enterprise security? It’s easy to believe that a chief information security officer (CISO) should know about every activity on the network, but that ambition mostly creates dangerous distractions and busy work that is rarely meaningful work. The industry needs a different approach to protecting a company’s sensitive data.
Cybersecurity has never been more prominent in the news than it was in 2017. Fifty-five percent of respondents said their organizations had to manage public scrutiny of a breach in the last year, according to Cisco’s recent report (registration required). Colossal breaches made headlines across the globe. Much of this can be attributed to a tectonic shift in the nature of adversaries: hacking tools have become readily available and malicious activity is now easily monetized, so a data breach is no longer a matter of if, but when.
To manage this ever-growing barrage of attacks, many cybersecurity companies have begun implementing artificial intelligence (AI) and machine learning (ML). The problem is that these companies treat the number of algorithmic models employed, or the quantity of anomalies flagged, as the metric of success. Flagging anomalies creates noise, which is not only overwhelming for analysts but can also bury the serious threats. For years, the scare tactics cybersecurity companies used to convince CISOs that “more is better” left security teams asking for as many alerts as possible. Just as consumers once wanted as many cable channels as possible, we have learned that quantity does not mean quality.
Networks are very noisy, and most tools cannot separate the merely anomalous from the truly suspicious: an alert that says only “this host behaved unusually,” with no corroborating telemetry, asset information or known-bad indicator attached, gives an analyst nothing to act on. The resulting hodgepodge of excessive alerts has left security teams drowning in false positives and contextless network anomalies. According to Cisco’s 2018 report, nearly 50% of organizations use anywhere from six to 20 security vendors, and the challenge of managing thousands of alerts only grows with the number of vendors. Seventy-four percent of security professionals said that managing alerts from multiple vendors is challenging or very challenging, leaving analysts overworked and underprepared for the day they are hit with a massive data breach.
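The point above, that an anomaly is only actionable once something else corroborates it, is easy to see in code. The following is an added example written for this article; it is not code from any of the vendors or reports mentioned. It builds a small constructed feed of alerts from several hypothetical vendors, groups them by host, and escalates a host only when a high-confidence known-bad indicator is present or when independent vendors agree. Lone anomalies go to a backlog instead of the analyst’s queue. The vendor names, host names, alert details and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    vendor: str
    host: str
    kind: str          # "anomaly": statistical deviation; "indicator": match on known-bad data
    detail: str
    confidence: float  # 0.0 to 1.0, as self-reported by the vendor


# Constructed sample feed (hypothetical vendors and hosts), not a real export.
SAMPLE_ALERTS = [
    Alert("ndr-vendor", "ws-101", "anomaly", "outbound bytes 4x baseline", 0.6),
    Alert("dns-vendor", "ws-101", "indicator", "query to listed C2 domain", 0.9),
    Alert("ndr-vendor", "ws-102", "anomaly", "login outside usual hours", 0.5),
    Alert("edr-vendor", "ws-103", "anomaly", "previously unseen process name", 0.4),
    Alert("edr-vendor", "ws-103", "anomaly", "dns query rate above baseline", 0.5),
    Alert("edr-vendor", "srv-01", "indicator", "file hash on blocklist", 0.95),
    Alert("ndr-vendor", "ws-104", "anomaly", "new external peer", 0.5),
    Alert("edr-vendor", "ws-104", "anomaly", "scheduled task created", 0.6),
]


def triage(alerts, min_vendors=2, indicator_threshold=0.8):
    """Group alerts by host and escalate only those with corroborating context.

    Escalation rules (assumptions for this example, not any vendor's logic):
      1. a known-bad indicator at or above indicator_threshold, or
      2. reports from at least min_vendors independent vendors on the same host.
    Everything else is a lone, contextless anomaly and goes to the backlog.
    """
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)

    escalated, backlog = {}, {}
    for host, items in sorted(by_host.items()):
        vendors = {a.vendor for a in items}
        strong = [a for a in items
                  if a.kind == "indicator" and a.confidence >= indicator_threshold]
        if strong:
            escalated[host] = f"known-bad indicator: {strong[0].detail}"
        elif len(vendors) >= min_vendors:
            escalated[host] = (f"corroborated by {len(vendors)} vendors: "
                               + "; ".join(a.detail for a in items))
        else:
            backlog[host] = (f"single-source anomaly ({len(items)} alert(s) "
                             f"from {next(iter(vendors))})")
    return {
        "raw_alerts": len(alerts),
        "hosts": len(by_host),
        "escalated": escalated,
        "backlog": backlog,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    print(f"{result['raw_alerts']} raw alerts on {result['hosts']} hosts -> "
          f"{len(result['escalated'])} escalations, {len(result['backlog'])} in backlog")
    for host, reason in result["escalated"].items():
        print(f"  ESCALATE {host}: {reason}")
    for host, reason in result["backlog"].items():
        print(f"  backlog  {host}: {reason}")
```

Run as-is, eight raw alerts on five hosts collapse to three escalations. Setting `min_vendors=1` reproduces the “more is better” failure mode: every host is escalated and the backlog is empty, which is exactly the contextless alert storm the article describes.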