Cyber Threats
Tool sprawl undermines threat detection
If you can’t work from a single version of the truth, prioritising threat alerts effectively is going to be near-impossible.
Save to Folio
by Simon Walsh
IT security teams have always been on the back foot against agile and determined adversaries. But the concern among CISOs is that the pendulum has swung even further away from them over the past couple of years. Trend Micro alone blocked nearly 63 billion threats last year. This puts tremendous pressure on the security operations (SecOps) analysts tasked with detection and response. And as a new study from Trend Micro reveals, they’re reaching breaking point.
A major part of the problem appears to be a historic over-investment in monitoring tools. If you can’t work from a single version of the truth, prioritising threat alerts effectively is going to be near-impossible.
Welcome to the SOC era
Some 85% of the 2,303 IT security decision makers globally we polled now boast a Security Operations Centre (SOC). On the face of it, this is a good thing. SOCs are designed to centralise SecOps skills in a dedicated function built to monitor for, detect and respond to serious cyber-threats. Given the global nature of these attacks, SOCs should offer round-the-clock protection—although only around half (45%) of respondents said they current do so. But that aside, SOCs should deliver a more rapid and effective threat detection and response function to minimise cyber-risk and business impact.
They are much needed. Today’s threat actors have all the tools, services and stolen data they need to impersonate employees, move laterally across corporate networks undetected and deploy ransomware/steal data to devastating effect. A government survey from March found that around two-thirds of medium (65%) and large (64%) UK businesses suffered a security breach or serious attack over the preceding 12 months.
Why tool sprawl matters
However, SOCs and SecOps teams more generally are only as good as the tools they’re using to monitor and prioritise alerts. Today’s organisations have a large number of security products in place across networks, email, endpoints, servers and cloud workloads. This may have been the result of corporate acquisitions over the years, or even the consequence of extravagant vendor marketing claims that specific solutions were essential to stopping the latest threats.
Whatever the reason, we found that globally, SOCs are running 30 separate security monitoring tools today, all spitting out mountains of alerts on a daily basis. The number is only slightly lower (28) in the UK. With so many point solutions and no coherent picture of threats, SOC teams are struggling to spot genuine signals amidst all the noise.
The result? Some 70% told us their SecOps teams feel emotionally overwhelmed by their work. Tool sprawl means alert overload, which in turn means stressed out and ineffective security analysts.
A new vision
This is where technology can help. CISOs must look to consolidate their security monitoring capabilities onto fewer tools, and find a more efficient way to correlate and interpret alerts. One such platform is Trend Micro Vision One. It’s designed to analyse and prioritise threat alerts across emails, servers, cloud workloads and networks, so that SecOps teams know which to focus on for a faster, more effective response.
In so doing, security leaders can minimise cyber-risk to the organisation and enhance the wellbeing of their SecOps teams. And happier staff are more productive staff.