Exploits & Vulnerabilities
There's a skills shortage; it's not your real problem
Yes, there is a staffing shortage. But organizations can use automation and a managed detection and response (MDR) capability to handle the volume of events.
During my undergraduate days, I recall hearing that the Bell System was slow to deploy automated dialing. While smaller local phone companies allowed callers to dial a number directly from their phone, the Bell system continues to rely on switchboard operators into the 1930s. In fact, early phones did not have numbers to dial at all – you simply toggled the handset switch and asked the operator, when she came on (female switchboard operators were believed to be more patient and polite than men) she would plug your line into the line of the person you wanted to call.
Smaller phone companies adopted automation to compete profitably – they avoided the cost of the switchboard and the operator by letting people dial their own calls. They traded off the investment in physical infrastructure for the software switch. The Bell companies deferred this transformation to recoup their investment in their installed base of switches and trained operators. It wasn’t until they performed a study of call growth rates that they decided to change. Bell learned that as more people installed telephones and made more calls, by the 1950s every man, woman, and child in North America would have to work as a switchboard operator to deal with the volume. Bell began deploying direct dial numbers, although the exchange names lingered. Our home number was Normandy 1-2345, which became 661-2345. Over time, long distance dialing (outside of the local exchange) and international direct calling, with Area codes and country codes, became the new normal. (For years, the most popular issue of the Bell Systems Journal in our college library was the one describing the paired tones used to automatically connect and route commands across the international supervisory networks. Or so I’m told.)
Today we have millions of open jobs in information security. What jobs are unattended? One client speaking at a conference last month said that when they migrated their in-house and collocated data centers to a cloud-only topology, the volume of events doubled – from one billion per day to two billion per day. No amount of hiring will mitigate that problem. Without automated event correlation and analysis, the skills problem ceases to be a crisis. It becomes a lifestyle.
Recent research shows that in the first quarter of 2019 we saw a new piece of malware every 0.3 seconds, and a unique vulnerability every 3 seconds. The total volume of patches in the first quarter of 2019 exceeded 5,100 across all patchable software products. No organization can keep up with that volume of change, even if its operations could afford the multiple configurations needed for validation and failover, and could tolerate frequent interruptions to perform the installations. There is a shortage of skilled operators who could do all the patching, but here again, the real problem isn’t staffing. Without a mechanism to deploy patches non-disruptively and automatically, the real problem only gets worse.
Some would say that while they want to be notified about vulnerabilities and attacks, they would rather not use automation to remediate the problems. Their claim is that it is too risky to allow information security software to take over a person’s job. This is true when the software permits too many false positives. With reliable ML-augmented capabilities, and a layered approach, automation can dramatically simplify the volume problem.
Yes, there is a staffing shortage. But organizations can use automation and a managed detection and response (MDR) capability to handle the volume of events. Organizations can use a cross-platform discovery and response tool (XDR) to aggregate and consolidate events dramatically, reducing the demand on people and improving the accuracy and timeliness of protection from threats. The tool should be proven, reliable, and suppress false positives. That will resolve one root cause of the information security skills shortage.
Want to learn more? Read about Trend Micro’s XDR at https://www.trendmicro.com/xdr
Let me know what you think! Provide your feedback below, or reach me @WilliamMalikTM.