Enterprises and their Security Operations Centers (SOCs) are under siege. Security events are being triggered from every corner of the security stack: from firewalls, endpoints, and servers, from intrusion detection systems, and from the other security products deployed across the environment.
What’s more, security teams do not have enough people or hours in the day to analyze the alerts coming in, and most “security events” don’t even indicate an attack in progress. Many are simply informational (a failed connection, for example), and many others are what we call “false positives”: alerts that flag benign activity as malicious, or that report a vulnerability that, on inspection, isn’t actually there.
This matters because attackers today use stealthy tactics that exploit exactly these gaps. After compromising one asset inside an organization, they keep a low profile and move laterally, hunting for valuable, sensitive data. The longer they remain in the network, the more their activity blends into the noise and the harder their trail becomes to detect. The average “dwell time” (how long an attacker or malicious insider remains inside an organization’s network before being discovered) is measured in months, with some estimates in the 200+ day range.
Read more at TNW