Cyber security analysts are drowning in a rising sea of alerts. By any measure, the numbers are staggering. A survey of security analysts by Enterprise Management Associates revealed that the average enterprise Security Operations Center (SOC) encounters more than 10,000 alerts per day, while nearly 30 percent reported they receive more than 1,000,000 per day. When one considers that the same survey revealed that analysts spend up to 30 minutes in incident response (IR) triage for each alert selected for review, it’s no surprise the bad guys are winning. For security analysts, the reality is similar to a real-world Hunger Games, but with the odds clearly not in their favor.
Indeed, more than a third of the respondents say that sometimes the only way they can cope with the stress is to ignore an alert and hope for the best. Adding more fatigue to the fire, the vast majority of the alerts are eventually found to be misidentified as critical or result in false positives. It’s no wonder that nearly 80 percent of analysts say they feel overwhelmed. The situation is unsustainable – and it’s only getting worse.
The average enterprise Security Operations Center (SOC) encounters more than 10,000 alerts per day, while nearly 30 percent reported they receive more than 1,000,000 per day.
According to a joint report by Accenture and the Ponemon Institute, the cost of cyber crime has risen more than 62 percent over the past five years, with the average enterprise experiencing 130 data breaches per year. At an average cost globally to each organization of nearly $12 million annually, security leaders are under relentless pressure to stop the bleeding and improve security.
Automating and Orchestrating Cyber Security
To accomplish these goals is the reason why I founded CyberSponse in 2012. CyberSponse provides the automation and orchestration software to automate many of the manual processes involved in cyber security. It replicates many of the most common analyst tasks typically performed using a keyboard and a mouse, but at machine speeds far faster than any human capability.
The CyberSponse CyOps platform automates and orchestrates an organization’s security products so that they work seamlessly together through integrated playbooks. These playbooks pre-configure common security workflows and customize them to an organization’s own security processes. They allow analysts to accelerate informed decision making by eliminating the time-consuming tasks involved in collecting all the evidence and data needed to make those decisions.
CyberSponse achieves significant time savings by taking over the repetitive grunt work involved in reviewing every alert to determine if it’s false or positive. It accelerates mean time to detection (MTTD) and mean time to response (MTTR) by increasing the speed of threat detection and incident response (IR). And it opens the door to better analytics for tracking what the SOC determines are real threats, rather than wasting analyst time and resources reacting and responding to false alarms. CyberSponse also improves analyst morale as its automated capabilities reduce the sensory overload brought on by the volume of alerts and constant repetition of manual processes.
Powerful Integrations with Symantec
But what I feel offers one of the most powerful recommendations for CyberSponse is how it allows organizations to take maximum advantage of the full array of Symantec’s Next Generation security products. Working together, CyOPs functions like a traffic cop, an integrator that enables Symantec products to work together on an organizational level faster and more cohesively. CyberSponse also extends the benefits of Symantec security products to other, non-Symantec security products by enabling them to work just as easily together, and at that same machine speed.
Customers that take advantage of our joint offerings will benefit from having the increased visibility of a 360-degree view of their organization. They will have the capability to combine both Symantec endpoint telemetry and network activity to get a better and more precise picture of the state of their IT environment. Once a malware, living-off-the-land (LOTL), or other alert is triggered, the CyOPs platform immediately orchestrates the right Symantec products, such as Symantec EDR, Security Analytics, and Integrated Cyber Defense Exchange to enrich, correlate, and assess the incident data. CyOPs then automates the workflows for confirmation and analysis to rapidly identify the degree of threat posed. And once confirmed, it quickly performs any necessary remediation actions required. Using this approach, SecOPs teams can increase their efficiency, mitigate any skills shortages and reduce the time spent chasing too many alerts.
The bottom line is that the strategic partnership between Symantec and CyberSponse offers organizations the solution they need, that you need, to reduce MTTD and MTTR and the complexity of detecting, threat hunting, and responding to relentless and persistent cyber attacks. Our combined strengths, analytics, automation and orchestration capabilities will empower your security operations teams and put them back in control of the cyber warfare game.
I invite you to visit our two adjacent booths and experience for yourself how powerfully we work together at our joint Symantec-CyberSponse security demo in the Expo Hall at Black Hat USA 2019 in Las Vegas, August 7 & 8, 2019. I look forward to seeing you there.