Why Cybersecurity Is More Difficult Today Than 2 Years Ago
By The Recorded Future Team on February 27, 2018
- Research from analyst group ESG says a majority of cybersecurity professionals have found their jobs becoming more difficult over the last two years.
- They identify three main reasons: the dangerous threat landscape, the growing number of alerts they must respond to and prioritize, and a shortage in skilled employees — not because fewer people are entering the industry, but because the need has grown so quickly.
- A threat intelligence solution does not inherently solve these difficulties. To be effective, it should have a few key features: it should draw on a growing assortment of data, have a central management and analysis portal, be customizable to meet the unique use cases of your organization, implement advanced analytics algorithms, integrate well with the technology you already use, and have professional support.
- The future of cybersecurity is not full automation, but a marriage between man and machine.
Rather than waiting with the lights turned off and hoping for the best, organizations are increasingly recognizing the value of taking proactive steps toward a more secure network and earlier identification of cyber threats: building security operations centers, purchasing threat detection technologies, and creating cyber threat intelligence programs that incorporate threat data feeds and help to identify and prevent attacks before they happen. Recent research produced by ESG, a technology consulting group, shows that although about 38 percent of organizations have now had a cyber threat intelligence program in place for between two and five years, many of those organizations still struggle to act upon threat intelligence quickly and consistently.
In fact, among the cybersecurity professionals that ESG surveyed, nearly three quarters said that their work had become more difficult over the past two years. Even in an ideal scenario, the work of a security analyst demands focus and expertise, as well as comfort with ambiguity and incomplete information. But as the need for knowledgeable cybersecurity professionals rapidly grows in a world that increasingly relies on digital systems to function, one thing has become clear: the work simply does not scale.
Why the Work Is Harder
The professionals surveyed by ESG identified three broad challenges that contributed to the sense that their work had grown harder in the past two years:
- The dangerous threat landscape. Many of the largest and most damaging cyberattacks in the past few years have been state sponsored — attacks carried out by teams that literally have the resources and training of an entire government at their disposal. But even attacks that come from private sources have grown in sophistication in recent times. Threat actors rely not only on new exploits, but also on social engineering attacks, a growing concern in an era where we happily share significant parts of our lives on the internet with little caution about which pieces of personal information could be used against us by those who want to do us harm.
- The growing volume of security alerts. Many organizations build their cyber threat intelligence programs on top of various other tools and continue to rely on manual processes to capture and interpret data. As the amount of data grows, tasks like these can become exhausting and overwhelming for security analysts — so much so that less than half of threat responders say they even relied on threat data when taking action, and only about a quarter said they used that data effectively. Too many alerts without context lead to problems like false positives and missed alerts. As an organization grows, the number of alerts should, reasonably, also be expected to grow, but it happens at a scale too great for humans to handle on their own.
- The cybersecurity skills shortage. Perhaps the largest issue for organizations that are scaling up but still rely heavily on manual processes for their cybersecurity programs is a lack of manpower. ESG’s research indicates that over half of organizations believe they have a “problematic shortage” of skilled professionals, leading to an increasing workload for the current staff, junior employees being hired for positions that demand experience, and too much time spent on crisis remediation rather than training (some two thirds of professionals say they are too busy to keep up with skills development and training). This has created such a large demand for skilled professionals that one study found nearly half of all cybersecurity professionals were solicited to consider a new job at least once a week. In some industries, like healthcare, the proportion is closer to two thirds.
Of those three problems, one cannot be directly solved by any one organization: as long as it is profitable for threat actors to carry out attacks, the threat landscape will continue to grow increasingly dangerous. But the problem of a shortage of skills in the industry, as well as the growing number of alerts, can both be mitigated through the use of automated threat intelligence solutions.
As long as they continue to process and analyze threat feeds manually, there will never be enough trained professionals to handle the volume of data that analysts face today. Instead, ESG advises that analysts should rely on threat intelligence solutions that have the following features:
They draw on a growing assortment of data.
Many threat data feeds are free and publicly available — but they also only draw on publicly available sources themselves. Public data provides only a limited perspective. Threat intelligence solutions should also source from commercial and industry threat feeds, other closed sources like forums on the dark web, reports, and more. It is also important that they seamlessly integrate this data with your organization’s internal data and intelligence.
They have a central management and analysis portal.
A threat intelligence solution should turn this data into something applicable for multiple use cases within your organization — something that not only security analysts but threat hunters, incident responders, risk managers, and so on, can quickly apply to their needs. That requires technology that can enrich raw data with context by comparing it against previous sets of data, and keep it all in one place so that the different teams in your organization can communicate more easily.
They are customizable.
When each organization’s needs are different and use cases within an organization can vary, it becomes important to be able to filter, sort, share, and add custom notes to the same threat intelligence. A threat intelligence solution should support whitelists, blacklists, and risk scores that are relevant to the work your organization does, rather than derived from a more general list of threats.
They are powered by advanced analytics.
Threat intelligence solutions should automate processes that are scaling faster than humans can keep up with — namely, the collection and filtering of data. Advanced solutions rely on natural language processing and vertical search algorithms to get the right data and present it in a way that cuts down the number of false positives and prioritizes the alerts that actually matter.
They integrate well with other technologies.
One of the reasons that security analysts continue to be overworked is that their cybersecurity platforms are built piecemeal from technologies that do not always work well together. Threat intelligence solutions should integrate with security information and event management (SIEM) tools, incident response platforms, trouble ticketing systems, and the other aspects of a network’s security infrastructure, like firewalls, web threat gateways, and so on.
They are supported by skilled services.
Ultimately, threat intelligence analysis is a skill that demands a level of expertise beyond what many organizations have, or else skilled professionals would not be in such high demand. Many threat intelligence vendors provide not only automated solutions, but also skilled support staff that are able to provide expert human analysis as well.
Playing Centaur Chess
Automation is not a panacea. The future of threat intelligence is not one of man versus machine — rather, the most effective team is one that pairs humans with machines, playing on the strengths of both.
This truth has already been realized in many fields — for example, the strongest chess “player” is not a machine (and since 1997, when IBM’s Deep Blue supercomputer defeated world champion Garry Kasparov, it hasn’t been a human), but a man-machine combination. Chess experts have found that this pairing, which combines a human’s intuition, ability to read an opponent, and creative inspiration, with a computer’s brute-force ability to memorize and predict moves countless turns in advance, produces the strongest results. This format, called “freestyle” or sometimes “centaur chess,” allows even amateur players — assisted by computers — to compete with chess grandmasters. But it also makes a professional into an even more formidable opponent. In fact, Garry Kasparov was among the first to advocate for this new style of play.
The lessons from freestyle chess are broadly applicable to any field where artificial intelligence is useful. Automated data collection, filtering, and sorting allow less experienced cybersecurity professionals to spend more time building their skills instead of exhausting themselves on laborious processes, and the extra information they are provided will reduce the amount of guesswork they have to do. And for members of your organization with more experience, automation will give them the freedom to focus on more skill-intensive pursuits like threat hunting and deeper analysis.
A well-functioning threat intelligence solution will give cybersecurity professionals the ability to see countless moves ahead; the organizations without such a solution, by contrast, are playing blindfolded.
To learn more about how to make your role in cybersecurity easier, not harder, download your copy of ESG’s “Operationalizing Threat Intelligence With a Complete Solution.”