The case for cyber security consolidation
The spread of cyber security threats across global economies, their continual mutation and the growing diversity of attack types and vectors, places organisations and enterprises in constant peril. Security professionals must remain in permanent readiness, not only to prevent and deal with established cyber security attack risks but to respond to new types of threat as they emerge. As a result, the job of creating, maintaining and adapting a robust cyber security infrastructure is amongst the most important tasks in today’s technology landscape.

Threat after threat has been added to the cyber risks organisations face: viruses, trojans, spyware, APTs, watering holes, ransomware, phishing, and more. We add new security capabilities to address each new risk – so-called best-of-breed solutions. After 30 years of this, we now have a patchwork of capabilities that serve different purposes, don’t integrate, are hard to manage, constrain visibility, and are inefficient and expensive.

With greater threats marshalling against stretched-thin cyber security teams, there comes a pressing need to question traditional approaches. We surveyed key cyber security decision makers to paint a picture of how they are currently resisting the onslaught of cyber attacks, and to question whether there’s a better way.
In the face of a cyber threat onslaught, we surveyed IT decision-makers to discover whether a best-of-breed approach to security solutions is still tenable
Forty percent of respondents had to deal with serious security incidents every day and 63 percent faced such events at least once per week. Meanwhile, half of respondents revealed it takes between 12 and 24 man-hours to resolve issues, while a further 15 percent take up to 48 hours to reach a conclusion. These figures imply that the cobbled-together security situation is at best inefficient (due to too many alerts) or, at worst, missing key security threats (due to teams being overwhelmed with alerts).

Furthermore, it is the smallest organisations, those that likely have the least security resources, that are seemingly facing threats most frequently. Fifty-three percent of companies with just 501-1,000 employees faced daily security incidents – well above the 40 percent seen when larger organisations are included. Smaller organisations are also requiring more man-hours to investigate and resolve incidents, with only 24 percent of the smallest companies taking care of threats within an average of 12 hours. This strongly contrasts with companies of over 5,000 staff, over 50 percent of which are resolving incidents within 12 hours.

While a best-of-breed approach to security tools may provide total coverage, it leaves security teams stretched to their limits. Forty percent of companies are having to interrogate four to six different potential sources of security data when dealing with a security incident, while 27 percent are having to negotiate seven to ten. On top of this, the “volume and variety of reports” is impeding incident resolution, with more than a third finding this added to existing problems.
A best-of-breed approach to cyber security solutions and the resulting hotchpotch of security tools is seemingly falling short
With most companies experiencing a serious security threat each day, and each taking 12 to 24 working hours to resolve, the maths reveals a starkly untenable reality
Security incident response
A matter of time
40 percent of respondents had to deal with serious security incidents every day, 63 percent at least once per week
Half of respondents said it took between 12 and 24 man-hours to resolve issues
70 percent are having to deal with at least 4 potential sources of security data when tackling an incident
71 percent use products from at least 6 different security vendors
77 percent of respondents agreed that the ‘volume and variety of reports’ impedes incident resolution to some extent. More than a third found this added to existing problems
35 percent say investigating false positives and negatives is the most time-consuming part of security administration
Charted waters
From the off, the survey findings provided surprising insight into a large minority of cyber security outliers: Eighteen percent of respondents had ‘no dedicated security team’. Given that all were in groups with 500-plus employees, this seems unduly risky behaviour, implying that non-specialist IT staff may be called upon at short notice to deal with security incidents. Of the 82 percent who did have a security outfit, the teams were of the following sizes:
[Chart: Number of staff in security team – values not present in this extract]
These staff appear to be hard pressed: 37 percent of respondents reported serious security incidents every day (defined as an incident that ‘requires further investigation’). Half of respondents revealed that incidents take between 12 and 24 man-hours to resolve. When viewed alongside the high incident frequency and the average size of security teams, it’s clear that security teams face a constant battle. This extreme level of disturbance to the enterprise must be unproductive, raising obvious questions around whether IT leaders might consider alternative solutions.
Let’s take a deeper look at incident investigation times. Here we have an audience breakdown of the number of man-hours required to investigate and resolve each incident.
[Chart: Man-hours required to investigate and resolve each incident – values not present in this extract]
Frequency of security incidents that require further investigation:
Hourly 3%
Daily 37%
Weekly 23%
Monthly 23%
Quarterly 11%
Annually 3%
In summary: keeping on top of serious security incidents is a full-time job, requiring constant vigilance and adequate staff levels.
When it came to the dedicated security software participants are using, the leading categories were ‘endpoint security’ solutions such as anti-malware, messaging (including email) security, and network security – which could include NGFW, IPS and VPN solutions. Meanwhile, encryption, web and application security solutions were not far behind.
Buoyancy aids or ballast?
User and Entity Behaviour Analytics (UEBA) ranked the lowest of all the dedicated security solutions listed. Given its capacity to automate the process of sifting through alerts, there’s huge scope for more companies to adopt the technology and take some of the strain off their struggling security teams.
Areas in which organisations have dedicated security solutions
In our own report, 48 percent of respondents had dedicated security solutions aimed at DDoS prevention. In summary: respondents favour the more generic solutions for established threats, but are investing in future capabilities and targeting specific known risks.
“Traditional IT security mechanisms are easily overwhelmed, and unprotected companies risk serious business disruption, loss of revenue and even fines.”
Marc Wilczek, chief operating officer, Link11
For more than two-thirds of the survey sample – more than 100 respondents – the task of dealing with security incidents is made more complex by having to interrogate at least four sources of security data. This process seriously compounds the time and resources required to address the issues. For each source of security data, different protocols and technologies apply, and the skills and expertise of different staff members may have to be drawn upon.
Drowning in data
Sources of security data typically interrogated per security incident
Most companies and organisations are clearly hampered by the need to manually aggregate and analyse data from multiple sources in order to analyse the threats that span them.
Businesses have the information they need to analyse threats but are unable to see the wood for the trees due to this information being spread across multiple sources. There is a clear argument for a mechanism that can analyse and correlate them, with data sources able to pass information between each other.
Impact of trying to join up log data and reporting to build a complete picture of security incidents:
The volume and variety of reports consistently impedes effective incident resolution – causing as well as contributing to existing problems: 37.3%
The volume and variety of reports sometimes impedes incident resolution: 38.7%
Analysis of reports is slower than we’d like, but incident resolution is not impeded: 16%
This is not a problem for us: 8%
Is your security infrastructure a risk to the business?
In a Computing webinar, Duncan Brown, Chief Security Strategist, EMEA, at Forcepoint, explains the effects of adding ever more security solutions to a technology stack.
In summary: the ever-widening scope of IT solutions in the workplace means that this issue will become more pressing in future. IT professionals may need to seek expert assistance to guide them and propose effective means to manage it.
Automation of security solutions – as is the case across other areas in most enterprises and organisations – has brought significant opportunities and benefits in recent years. Countering threats before an employee needs to become aware of them is a clear positive, while the time saved by automation can be used for other pressing tasks.
Automation sweet spot
Extent to which security event investigation and remediation is automated
Degree to which security processes are automated
However, for many, the abundance of false positives and false negatives that result from automation is becoming a problem in itself. It must indeed be a rare IT executive who sees no benefit in automation for their organisation, given that IT is, at its core, a form of automation. Those few respondents who don’t perceive overall advantages likely feel that the issue lies in current executions of autonomous security technology rather than in any fundamental objection to the approach – namely, that the task of addressing the number of false positives is currently too great.
In summary: automation is a large and growing factor in security solutions, but must be handled with care to avoid creating as many problems as it solves.
[Charts: Extent to which security event investigation and remediation is automated; Degree to which security processes are automated. Response options: Completely / A lot / Somewhat / Not at all. The percentages in these charts could not be matched to response options in this extract.]
Security crossroads
Comparing their current security capabilities with their anticipated future deployments, respondents picked “identity and access management” as their number one current technology, followed by multi-factor authentication and data loss prevention, security of the cloud, malware deception and threat intelligence. Every single option gained a response in the 20-30 percent range for “currently implementing”, showing that there is a mass of activity across public and private organisations to update their systems and fill gaps. At the extreme ends of the scale, barely any respondents ignored the merits of multi-factor authentication, spurred by EU legislation on financial services, including Strong Customer Authentication technology, with stricter rules applying from September 2019. Virtually all will adopt identity and access management technology at some time.
By contrast, more than a third have no plans to pursue blockchain or distributed ledger technology, perhaps dissuaded by horror stories of Bitcoin piracy. There are mixed signals on the take-up anticipated for biometric solutions: almost 30 percent plan to adopt it, and the same number have no plans to do so. User and Entity Behaviour Analytics (UEBA) and heuristic solutions are both likely to rise in popularity over the coming two years.
In summary: There is a remarkably wide range of take-up of security solutions, some prompted by the promises of automation and some caused by its drawbacks.
[Chart: Adoption status of security technologies – Using now / Currently implementing / Planning to use in the next 2 years. Technologies listed: Security from the cloud; Security of the cloud; User & Entity Behaviour Analytics; Other security analytics; Heuristics; Multi-factor authentication; Data loss prevention; Identity and access management; Malware deception; Biometrics; Threat intelligence; Algorithm-based security; Blockchain/distributed ledgers; Cloud access security brokers. The percentages in this chart could not be matched to technologies in this extract.]
Time sinks
Our survey offered respondents a broad menu of eight activities, asking them to pick one or two which commanded the most time:
Investigating false positives/negatives 34.7%
Malicious links in emails 33.3%
Keeping employees safe and productive 26.7%
Firewall configuration 24.7%
Dealing with spam and other web security administration 24%
Coordinating reporting between different solutions and vendors 19.3%
SIEM administration 14.7%
Inappropriate websites viewed by employees (percentage not present in this extract)
The security solution sector is vibrant, as enterprises and public organisations busy themselves updating their systems and securing their operations against rapidly multiplying threats. However, there is every chance that, in five years’ time, many of these solutions will be redundant or absorbed into automated systems such that they are no longer a conscious choice. IT security experts have had to be incredibly nimble and alert to the plethora of choices available. There remain too many examples of IT disasters (TSB’s catastrophic data migration in 2018 being just one) for anyone to relax.

There are more frequent explicit threats from state actors to mount cyber-attacks on western targets, in retaliation for political actions such as sanctions. Nations including Russia, Iran, China and North Korea have all made such threats in recent months and appear well-equipped to carry them out. Meanwhile, independent criminal organisations and lone wolves are increasingly capable, even against enterprise heavyweights.

In consequence, the risk level in cyber security is consistently rising, meaning organisations’ infrastructures must be ever more robust, adaptable, well-resourced, and automated (but not overly so), selecting the most relevant and important solutions from an ever-growing number of options, and judging how best to combine and synthesise these technologies into an effective whole. Alternatively, end-to-end solutions are emerging as an attractive substitute for the best-of-breed approach that has dominated until now. They look well placed to combat the resource drain and complexity caused by sourcing multiple solutions and wrestling with numerous reports. Aggregated security solutions and reports, all intelligently linked on a single dashboard, are something of an ideal for hard-pressed security staff.
Conclusion: The business case for consolidation
Beneath the macro trends and data visualisations, with their shocking implications, are the daily personal impacts of such changes. Security staff cannot be anything but over-stretched at most organisations. Day and night, regardless of public holidays and colleagues on leave, these departments are having to plug leaks and bail out water. Meanwhile, it’s often the smallest organisations that are facing the most attacks and taking the longest to combat them.
The research reveals a clear argument for an end-to-end approach to cyber security.
When security teams are struggling to keep their heads above water, they can hardly be expected to find the time to strategise effectively regarding the future of cyber security consolidation and automation. However, this kind of strategising is the only way to get ahead and break the cycle of endless threat resolution. It’s such thinking that leads to bilge pumps in place of plastic buckets. Like a military commander, a security executive will not win every skirmish, but it’s crucial that they suffer no major defeats. The direct financial costs, and, more significantly, those resulting from a damaged brand, can be catastrophic in the wake of a serious security breach. Small and large organisations alike will need to consolidate their cyber security solutions if they are to buck the trend of growing cyber security threats and increasing pressure on security staff. A war on many fronts, a war of attrition, can only mean a pyrrhic victory – at best.
About the sponsor, Forcepoint
Forcepoint takes an end-to-end approach to cyber security, covering everything from mission-critical end-user devices to operational cloud defence environments, protecting systems at the same time as permitting secure connections and communications. The company offers a systems-oriented approach to insider threat detection and analytics, cloud-based user application protection, next-gen network protection, data security and systems visibility. Among Forcepoint’s main qualities is the ability to anticipate data theft, protect employees from workplace harassment and achieve contractor oversight. It is driven by an understanding of human behaviour and intent, helping to solve critical security issues and protect employees, business data and IP.
Appendix - The sample
We asked 150 senior IT executives across multiple business and industrial sectors, both public and private, to detail their experiences and recommendations on cyber security infrastructure. They represent companies and organisations with at least 500 employees and (in 16 percent of cases) more than 10,000 staff. Crucially, 100 percent of those surveyed are involved in security decision-making at their organisation.
Research areas:
What resources each respondent’s organisation devotes to cyber security infrastructure
The specific areas to which they apply dedicated security solutions
How far multiple reports can impede incident resolution
The value of automating cyber security responses
The activities and technologies into which they invest most resources
[Chart: Participant job roles – CIO/Chief Technology Officer/IT Director/Overall Head of IT; IT Manager; Chief Information Security Officer/CSO/Overall head of Cybersecurity; Other IT Professional. The percentages in this chart could not be matched to roles in this extract.]
[Chart: Industry sectors – values not present in this extract]