Dark Reading published an interesting story earlier this week entitled Ten Obstacles that Prevent Security Pros from Doing their Jobs. None of the obstacles is particularly surprising – mostly the same ones we’ve been dealing with for years, such as lack of budget, etc. What is striking about the list is that six of the 10 obstacles are directly related to security investigations. And, even for “lack of budget,” threat hunting is cited as a prime area where investment is lacking.
For those keeping score at home, that means a full 70% of the top 10 security obstacles are investigations-related.
The three obstacles that didn’t really apply to security investigations? They’re all organizational obstacles: Out-of-whack reporting structures (the old “why does the CISO report to the CIO” issue), meeting mania (no definition required), and poor collaborative processes (security team working with other teams in the organization).
We’ve already touched on “lack of budget.” Let’s take a look at how the others are primarily obstacles to the threat investigation process – both reactive investigations for incident validation and response, and proactive investigations for threat hunting:
- Not enough staff: We’ve all seen the estimates relating to the cybersecurity skills shortage. Depending on who’s doing the estimating, it falls around 3.5 million open positions worldwide. This problem is especially acute among analysts in the SOC, since it is difficult to find and hire staff, the ramp-up time is long, the ongoing training investment is significant, senior staff are very expensive, and manual processes are exhausting.
- Burnout: It stands to reason that a chronic shortage of personnel would cause chronic burnout among people working in that profession. This is especially pronounced among SOC analysts, where manual processes abound and alert overload has become such a problem that 35% of analysts admit to ignoring alerts once their queue is full, according to an IDC/FireEye survey.
- Lack of Visibility: Visibility was already challenging when all systems and security were on premises. Today, with hybrid cloud environments the norm and the “tool bloat” problem more inflated than ever, the problem has been compounded exponentially. Conducting a security investigation with only partial visibility into systems and tools is like trying to repair your car when you can only access one-third of the engine.
- Dashboard Fatigue: According to research by Forrester Consulting and IBM, the typical organization’s cybersecurity ecosystem has 25 disparate security products and services from 13 different vendors. Overloaded analysts are required to log into multiple tools for an investigation, and there’s no guarantee they’ll even know how to use them all or make sense of everything coming out of them.
- All-Consuming Firefighting: This isn’t a bad job description for a tier 1 security analyst. In fact, the previous obstacles all contribute to this single obstacle.
- Compliance and Reporting Runaround: Admittedly, this applies to a range of cybersecurity positions, but at the end of the day, it’s the analyst who pieces together and documents security events for compliance reporting.
What can change all this?
It would help if your team could more quickly and easily make sense of the mountains of information across your security ecosystem. You’d alleviate a lot of stress on your team by enabling them to manage investigations across multiple technologies with a single unified browser. It would be a dream if you could hire and get your security operations staff up to speed in a fraction of the time it currently takes. These capabilities are here today, which means these obstacles aren’t an endemic disease; they’re a choice to “keep doing things the way we’ve always done them.”
The choice is yours.