A full 80% of organizations receiving 500 or more severe/critical alerts per day currently investigate fewer than 1% of them.
According to research from EMA, it’s mainly a resource issue: Not only do 68% of organizations suffer from some sort of staffing impact to their security teams, but larger organizations are collecting gigabytes to terabytes of data each day. It is impossible for organizations to hire enough people to create adequate context for the data—and thus provide high-fidelity security information.
A full 88% of the respondents had just one to three people investigating and triaging security events per day. Seven per cent (7%) of the manufacturing respondents had 10 or more working events per day. Ninety-two percent (92%) of organizations were receiving up to 500 events per day, and 88% percent of respondents said they were receiving up to 500 severe/critical alerts per day.
“This indicates that most of the tickets organizations receive are being classified as severe/critical, which is a common problem created and exacerbated by a lack of context to properly prioritize the events,” the report noted.
Sadly, 60% of the organizations that received between 500 and 999 severe/critical alerts per day only had three to five FTEs working those events. To make matters worse, 67% of organizations were only able to investigate 10 or fewer of their severe/critical events per day, and 88% of the participants indicated their teams were only able to investigate 25 or fewer severe/critical events per day.
The adoption of tools that automate data capture can help with the issue. These also increase the level of high-fidelity security information available to IT teams, greatly minimizing the risk of security breaches and the subsequent damage to targeted companies. But the report points out that some companies simply have a false bravado, thinking that they don’t need that type of tool.
The opposite is actually typically true.
"Some companies turn a blind eye to network segments by not having their monitoring systems turned on or even installed, while others have log detail and collection settings that may not be high enough to provide sufficient detail,” said David Monahan, research director for Security and Risk Management at EMA. “The data tells us they prefer to believe that they are protected, when in truth they are not. This phenomenon was common across various industry verticals and organization sizes, and was termed the 'bravado factor.'"
This is translating into a lack of adoption of advanced data tools. The report found that only 36% of organizations are using deep packet inspection (DPI), and only 42% of organizations are using netflow. This is even lower in key industries like healthcare/medical/pharma, where only 27% and 36% of organizations were using NetFlow and DPI, respectively.
Interestingly, when looking at the usage by organization size midmarket, organizations indicated a much higher use (58%/45% respectively) than either SMBs (28%/28%) and enterprises, (33%/38% respectively).
Incident response (IR) followed the same trend. A majority (92%) of respondents indicated their IR programs for endpoint incidents were “competent” or better, and 90% indicated the same for their network security.
Of all respondents, only those in retail organizations rated incident response as crucial to their program. And still, only 11% of retail respondents rated it as such.
In the end, detailed analysis showed that in aggregate, 80% of the organizations receiving 500 or more severe/critical alerts per day were only able to investigate 11 to 25 of those events per day, leaving them with what EMA characterized as “a huge, and frankly insurmountable, daily gap.”
“Either due to a lack of tools to collect data or a lack of tools with the ability to analyze data, this issue is created by a lack of high-fidelity security information. This issue is broad, affecting organizations of all sizes,” the report concluded.
Photo © Olivier Le Moal