Lack of experts in cyber security
Posted by Markus Auer
Platforms can help increase effectiveness and efficiency
The Internet and digital change are advancing continuously and the associated expansion of IT infrastructures is proving to be an important factor in the profitability of companies. However, this development is also accompanied by a number of challenges, most importantly the need to protect their own constantly growing IT infrastructures. Many companies are now even prepared to invest the necessary money in IT security technologies. But even the most expensive technology is not sufficient if there is no one who can operate it properly. This is exactly the problem that organizations of all kinds have to deal with.
Threats are increasing, but there is a lack of qualified security personnel
It is no secret that organizations are increasingly lacking cyber security experts. This applies not only to large companies, but also to government agencies, which are facing increasing threats. Public authorities in particular are at a disadvantage, because the private sector seems to be more attractive to specialists. 700 vacancies in federal ministries alone were unfilled at the beginning of February 2020. The current report on the protection of the constitution warns of the influence of hackers and their attack campaigns. Recently, non-state actors have also been increasingly targeting public institutions. Particularly in the health sector, devastating cyber attacks have recently been observed. Last year alone there were attacks on hospitals of the German Red Cross in Saarland and Rhineland-Palatinate, on the Fürth Clinic and various others.
Given the increasing number and intensity of attacks and malware, the lack of qualified cyber security personnel is a cause for concern. Public authorities and businesses alike are at risk of significant economic damage and loss of image. In addition to the risks mentioned above, cyber attacks on public authorities can also cause the loss of services to citizens and the theft of their data.
The figures speak for themselves
Studies by Enterprise Management Associates (EMA) and Demisto show worrisome statistics:
- Security teams are bombarded with an average of 174,000 alerts per week, of which only 12,000 can be processed per week. (Demisto)
- The average time to process an incident is 4.35 days. (Demisto)
- 54 percent of the security experts surveyed feel compelled to ignore important alerts because there is not enough staff, or not enough knowledge, to investigate them. (EMA)
- On average, analysts take more than 30 minutes to process a critical alert, with most of that time spent discovering that the alert was mistakenly classified as critical (46 percent), that its priority was set incorrectly (52 percent), or that it was a false positive (31 percent). (EMA)
Increase effectiveness and efficiency through integrated threat intelligence platforms
Since neither the number of available people nor the required skills can be increased overnight, companies must increase the performance of existing resources. Threat Intelligence Platforms (TIPs) help security teams automate time-consuming tasks and provide SOCs, analysts or incident responders with the right data at the right time to make quick decisions and take targeted action. Modern TIPs go far beyond traditional threat data management: they act as security operations platforms that help security teams accelerate workflows and processes. The following steps help to significantly reduce the time required for detection (Mean-Time-To-Detect) and reaction (Mean-Time-To-Respond):
- Reduction of data silos
Security teams have long suffered from the “Big Data” problem. Many tools generate a lot of data, but most of the time they don’t collect it in one place. When analyzing an incident, teams often have difficulty accessing the right data quickly. A central threat database or “Threat Library”, in which all threat information from internal and external sources (Threat Data Feeds) is automatically collected and stored, allows quick access to all the data needed.
- Enrichment of data with context
Context is particularly important for “alert triage”, i.e. the examination of the criticality of an alert. An IP address classified as malicious is a major challenge for an analyst without further information. TIPs help to automatically enrich data with context: the harmfulness of the IP address is either confirmed or refuted, and false positives are detected much faster.
- Prioritisation of threat data
Data enriched with context can be prioritized. A scoring system highlights data critical to your business, reduces noise and helps analysts and incident responders focus on relevant threats.
- Suggestions for solutions
Besides the analysis of an incident, deciding which action to take is one of the most difficult tasks. This usually requires deep knowledge and experience, which is often not available. TIPs help incident responders take the right action by suggesting responses, derived for example from data in the MITRE ATT&CK framework.
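The four steps above, reduced to one small pipeline, as an added example that is not part of the original post and not the code of any TIP product: three constructed feeds (two external vendor feeds and an internal firewall log, all using documentation-range addresses) are merged into one library, enriched from a constructed owner/shared-infrastructure table, scored with assumed weights, and mapped to a response through an assumed playbook whose tag-to-ATT&CK mapping (T1071, T1566, T1486) is the example's own choice. It also shows the false-positive case from the triage paragraph: an address that a single feed calls malicious but that sits on shared CDN infrastructure is pushed down the queue for manual review instead of being acted on.

```python
"""Minimal threat-library pipeline: collect indicators from several feeds into
one store, enrich them with context, score them, and suggest a response.
Added illustration of the four steps in the text; every feed, context table,
weight, threshold and playbook entry below is constructed for the example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# --- Constructed inputs (documentation-range addresses, not real indicators) ---
# Each feed: list of (indicator, tag, confidence 0..1). The overlap between
# feeds is deliberate: one IP reported by several sources must become ONE record.
FEEDS = {
    "vendor_feed_a": [("203.0.113.10", "c2", 0.9),
                      ("198.51.100.7", "phishing", 0.6),
                      ("192.0.2.25", "c2", 0.8)],
    "vendor_feed_b": [("203.0.113.10", "c2", 0.7),
                      ("192.0.2.25", "ransomware", 0.5)],
    # internal source: blocked connections from the firewall log, one entry per hit
    "internal_firewall": [("203.0.113.10", "sighting", 1.0)] * 3
                         + [("192.0.2.25", "sighting", 1.0)],
}
INTERNAL_SOURCES = {"internal_firewall"}

# Context an enrichment step would normally look up (constructed here): network
# owner, and ranges known to be shared infrastructure (CDNs, large hosters)
# where a "malicious" listing is frequently a false positive.
NETWORK_OWNER = {ip_network("203.0.113.0/24"): "Example Hosting Ltd",
                 ip_network("198.51.100.0/24"): "Example CDN"}
SHARED_INFRA = {ip_network("198.51.100.0/24")}

# Assumed playbook: tag -> (ATT&CK technique the tag is mapped to, response)
PLAYBOOK = {
    "c2": ("T1071 Application Layer Protocol",
           "block at egress firewall; hunt for internal hosts that contacted it"),
    "phishing": ("T1566 Phishing",
                 "block at mail gateway; search mailboxes for delivered messages"),
    "ransomware": ("T1486 Data Encrypted for Impact",
                   "isolate hosts that contacted it; verify backups are intact"),
}


@dataclass
class ThreatRecord:
    indicator: str
    sources: set = field(default_factory=set)
    tag_confidence: dict = field(default_factory=dict)  # tag -> best confidence
    sightings: int = 0                                   # hits in internal logs
    owner: str = "unknown"
    shared_infra: bool = False
    score: int = 0
    priority: str = "low"
    technique: str = ""
    action: str = ""


def collect(feeds):
    """Step 1, reduce data silos: merge all feeds into one library keyed by indicator."""
    library = {}
    for source, entries in feeds.items():
        for indicator, tag, confidence in entries:
            rec = library.setdefault(indicator, ThreatRecord(indicator))
            rec.sources.add(source)
            if source in INTERNAL_SOURCES:
                rec.sightings += 1
            else:
                rec.tag_confidence[tag] = max(rec.tag_confidence.get(tag, 0.0), confidence)
    return library


def enrich(rec):
    """Step 2, add context: who owns the address and whether it is shared infrastructure."""
    addr = ip_address(rec.indicator)
    for net, owner in NETWORK_OWNER.items():
        if addr in net:
            rec.owner = owner
    rec.shared_infra = any(addr in net for net in SHARED_INFRA)
    return rec


def score(rec):
    """Step 3, prioritise: feed confidence, corroboration across feeds and internal
    sightings raise the score; shared infrastructure lowers it (assumed weights)."""
    external = rec.sources - INTERNAL_SOURCES
    points = max(rec.tag_confidence.values(), default=0.0) * 60
    if len(external) > 1:
        points += 10 * (len(external) - 1)      # independent sources agree
    points += min(rec.sightings, 5) * 6         # actually seen in our own logs
    if rec.shared_infra:
        points *= 0.3                           # probable false positive
    rec.score = round(points)
    rec.priority = ("critical" if rec.score >= 70 else "high" if rec.score >= 40
                    else "medium" if rec.score >= 20 else "low")
    return rec


def suggest(rec):
    """Step 4, suggest a response from the playbook for the best-supported tag."""
    if not rec.tag_confidence:
        rec.action = "manual review: internal sighting only, no feed context"
    elif rec.shared_infra and rec.priority == "low":
        rec.action = "manual review: shared infrastructure, probable false positive"
    else:
        tag = max(rec.tag_confidence, key=rec.tag_confidence.get)
        rec.technique, rec.action = PLAYBOOK.get(tag, ("", "manual review: no playbook for tag"))
    return rec


def run_pipeline(feeds):
    """Return enriched, scored records, highest priority first."""
    records = [suggest(score(enrich(r))) for r in collect(feeds).values()]
    return sorted(records, key=lambda r: r.score, reverse=True)


if __name__ == "__main__":
    for r in run_pipeline(FEEDS):
        print(f"{r.indicator:14} {r.priority:8} score={r.score:3} owner={r.owner!r:22} "
              f"sources={len(r.sources)} sightings={r.sightings} -> {r.action}")
```

Running the block prints the three indicators in triage order: the address confirmed by two feeds and three internal sightings comes out critical with a blocking playbook, the address on the CDN range scores low and is routed to manual review rather than blocked, which is the false-positive shortcut the text describes. The scoring weights and the tag-to-technique mapping are the first things a real deployment would replace with its own.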
One of the most important measures to increase the effectiveness and efficiency of security teams is to improve cooperation. People have different tasks and need different data, and it often happens that several people are needed at the same time to analyze an incident. It is essential that everyone involved can quickly gain an overview and access common data. Modern TIPs and security operations platforms can serve as a basis for collaboration, visualizing data and displaying dependencies graphically. A virtual “War Room” serves here as a central place to make joint decisions.
Security within companies stands and falls with the qualified IT security specialists who operate the technology and ensure that all relevant processes run safely and smoothly. Although there are still not enough specialists to fill all vacant positions in IT security departments, there are ways and means to counteract the lack of experts. Threat Intelligence Platforms ensure seamless integration of security-related processes as well as ways to quickly and automatically collect and distribute information on attacks and threats. Even with this technology, both companies and government organizations depend on experts in cyber security. The “human factor” will remain the most important factor in the fight against cyber attacks, alongside all technical tools. These resources must be expanded and strengthened in the future.