Diagnostic fatigue is causing havoc on cyber efficiency
We can all agree that the effective detection and diagnosis of security threats is a fundamental component of cyber resilience. After all, you cannot protect yourself against what you can’t see, right? With organizations rapidly bolstering their security programs and allocating significant investments to advanced technologies to increase visibility into threats and exposures, many have made notable strides in their ability to expedite the detection of abnormal behavior within their environments. However, this hasn’t come without a cost.
Monitoring and threat analysis capabilities are deployed widely across most modern organization's technical infrastructure. Everything ranging from firewalls to email filtering and credential scanning. And the laundry list is proliferating as attackers leverage other weaknesses to spy on and steal data. This is where we begin to encounter challenges. Wading through these alerts, diagnostic analysis and remediation insights has caused a great deal of strain on cyber efficiency and security teams.
According to IBM research, organizations utilizing more than 50 security tools are finding it more challenging to detect threats and exposures, as security teams try to correlate findings across multiple systems.
To add to this complexity, most exposures uncovered by monitoring tools do not present as much risk as one might perceive. Our research revealed that the typical organization has over 11,000 exposures in a given month, 20x more in larger organizations, however 75 percent of these exposures lead to dead ends and do not leave any critical assets at risk. The common security maxim of needing to see 'more' or 'everything', in most scenarios, only causes more diagnostic fatigue and often leads to failed resolution of imminent risks.
In this environment, it comes as no surprise that many security professionals are experiencing burnout. 66 percent of security analysts claim to have experienced burnout in 2022, according to research from Promon. 51 percent also reported working more than four hours per week over their contracted hours.
Today, addressing each and every alert is implausible and heavily impairs efficiency. It calls into question what we as an industry can do better to help streamline efforts to avoid diagnostic fatigue and the strain on security teams.
Fix What Matters Most First
While this may seem somewhat obvious, in an industry where professionals are tasked with protecting the data of millions, many try to address every potential security threat and in turn resolve nothing. Improving efficiency begins with identifying the highest threats which pertain to your organization and focusing efforts on achieving quick security gains -- improvements in security posture which require relatively minimal resources and have a high return on investment. Attackers typically brave a series of steps to reach assets, breaching defenses and leveraging a combination of exposures for lateral movement, such as overly permissive identities, infrastructure misconfigurations, or unpatched vulnerabilities.
By identifying where these attack paths commonly converge, teams can understand which issues pose the greatest risk to their critical assets. Eliminating and neutralizing risks at these junctions or ‘choke points’, where multiple attack paths traverse through prior to reaching a critical asset can make multiple exposures irrelevant in one decisive course of action, creating ultra-efficient exposure remediation. Directing resources to fix issues at specific, high traffic attack path junctions represents a whole new way of working, enabling teams to quickly reduce overall risk and lower the number of active attack paths available to potential attackers.
Align Security and Non-Security Teams
Synergizing non-security and security teams is the second piece of the puzzle. The fractious nature of the IT-security remediation rivalry and lack of efficiency most often comes down to priorities. Non-security teams prioritize stability and availability, making security a priority only if it affects these holy grails. Universally, security teams must become better at mobilizing other teams and justifying their remediation efforts by effectively conveying the risk and potential business impact of requested fixes.
Essentially, creating and implementing a common language of risk into their security processes and workflows which provides other teams with the context (and purpose) required to seamlessly rectify the most imminent risks. Security teams should work to help non-security teams understand how exposures can assemble and combine on attack paths to showcase risk and level of urgency for fixes. Demonstrating the risk reduction effectiveness of fixes can also help synergize teams and secure higher buy-in and enthusiasm from developers and IT teams. Work to define processes that facilitate collaboration such as mutually recognized remediation KPIs and implement limits that ensure all teams involved can manage their workloads.
Efficiency deficits and trudging through endless security clatter will continue if we remain fixated on analyzing and fixing every highlighted discrepancy. With resource constraints at an all-time high, organizations must instead work to identify which exposures pertain the most risk to the organization and its critical assets and work to migrate these first to silo attack paths. Collaborative unions between security and non-security teams, created through joint workflows and metrics, will also streamline the remediation of exposures and dwindle the volume of active exposures.
Sharron Malaver is Vice President, Marketing at XM Cyber.