A new Bay Dynamics research report found most cybersecurity professionals do not trust the data coming from their security tools.
The report, A Day in the Life of a Cyber Security Pro, captured the challenges security professionals face every day managing millions of vulnerabilities at any given time along with incorrectly prioritized threat alerts. The study found 64 percent of threat alerts are not addressed daily; 52 percent need manual reprioritization, and 79 percent of cyber pros say patching approval process is significantly manual.
Third party research firm, Enterprise Management Associates, conducted a survey of more than 400 cybersecurity professionals working in North America-based organizations with at least 5,000 employees. Respondents came from a variety of vital industries including finance, insurance, government, healthcare, retail, infrastructure and more.
Key highlights include:
- Enterprises with more than 20,000 employees manage more than 1.3 million vulnerabilities every 30 days;
- 74 percent of respondents say they are overwhelmed by the volume of vulnerability maintenance work;
- 79 percent of respondents say their patching approval process is significantly manual;
- 64 percent of threat alerts are not addressed each day; and
- 52 percent of threat alerts are improperly prioritized by systems and must be manually reprioritized.
The report also revealed a lack of transparency about organizations’ cyber risk posture. When asked to rate the level of maturity of their vulnerability management programs, 87 percent of the respondents said they have a “very mature to moderately mature” patching process.
Thomas Jones, Federal Systems Engineer at Bay Dynamics, told Homeland Security Today, “The report speaks directly to what many federal government agencies are experiencing today. They are buried in threat alerts, with very little visibility into what is truly a risk as opposed to what is simply more noise. Many agencies have security analysis and SOC operators that are suffering from a bad case of alert fatigue. They tend to be perpetually understaffed, underfunded and manned by third party contractors who inherit partially configured tools. They manually piece together information to prioritize the threats to tackle first, which consumes the vast majority of their time, and often leads to a flood of false positives. When there’s some level of indication the agency may have been compromised, the security team usually finds out from a third party like another agency, not their security tools. It’s not that they do not have the right threat data; it’s more so that they cannot find it in the mountain of threat alerts."
“On the vulnerability side,” Jones said, “many agencies are ahead of the curve compared to other industries such as manufacturing. Often, vulnerability management teams are separate from the security team, which includes separate funding and resources. Therefore, one team is solely responsible for rolling out patches and making sure remediation takes place of identified vulnerabilities. However, the process still involves a lot of time and resources, with vulnerabilities remaining unpatched for one, two, or more months, providing ample opportunity for an attack. Another ongoing problem is dark systems, those that are producing traffic on the network, yet no one knows who owns them, what applications are on them and if vulnerabilities were patched. Those systems become a significant security risk but at the same time they don’t want to shut down mission critical applications. Thus, agencies resort to manual methods to collect the information, taking up even more time and resources.”
Jones said, “In addition to these challenges, agencies must maintain compliance with the increasing number of cybersecurity requirements all the while being underfunded and under resourced.”
“For these reasons,” he said, “federal cybersecurity professionals, are under high levels of stress. The report shows the need for agencies to prioritize their actions and investments based on mission impact, not criticality. They need a system of record that tells them which threat alerts to investigate each day based on those that, if successful, could cause the most damage to the agency due to the value of the asset under attack. They should also have an automated method to qualify threat alerts before they are sent to investigators. Application owners who govern the assets under attack should provide input into whether the unusual activity was business justified. If the response is ‘no’ then the alert should be bumped to the top of the investigative pile.”
Finally, he added, “For more efficient vulnerability management, agencies should prioritize vulnerability remediation based on those that, if exploited, cause the most damage to the agency. Their vulnerability remediation efforts must center around the asset that’s vulnerable, and how valuable that asset is to the mission.They should also automate the vulnerability process so that the most critical vulnerabilities are sent to the application owners who govern theassets at risk. Those owners should oversee remediating vulnerabilities within assets under their management.”
“Considering most respondents say they need to rely on manual methods to manage threats and vulnerabilities, it is clear there is a façade in front of security program maturity which is spread throughout the management chain,” said David Monahan, Security and Risk Management Research Director at Enterprise Management Associates. “When security professionals paint a rosier picture than reality, every role above them is falsely insulated leading to poor program decisions. That’s why transparency is essential. Everyone should have access to the same set of data at any moment in time.”
“Security professionals are overwhelmed by endless threats and vulnerabilities and are unable to decipher which ones could cause the most harm,” said Ryan Stolte, co-founder and CTO at Bay Dynamics. “They lack confidence in their security tools’ prioritization capabilities, and thus end up manually stitching together the information needed to reprioritize the most critical vulnerabilities and imminent threats. To relieve the pain, security teams need a system of record that automatically prioritizes threats and vulnerabilities based on financial impact to the organization, delivers that information to the individuals responsible for action, and provides updates of their mitigation status.”
