Select Page

Mar 23, 2022

Too Much of a Good Thing: The Problem with Data in Cybersecurity

by

Previously, in our XDR whitepaper chapter series, we discussed how XDR is a cyber-resilient solution that can adapt to the rapidly changing threat landscape. In part 3 of this series, we’ll be looking at how the oversaturation of data has led to more problems, rather than fixes. In order to help sort and make sense of this data into actionable items, the ability of an XDR to see, understand, and act is critical.

More Data, More Problems

If knowledge is power, than data is king. Virtually all decisions made on organizational scale are driven to at least some extent by data. We need them to drive our statistical models, to test hypotheses, and to break new ground in innovation. However, data on its own can be an unwieldy weapon.

Data, the lifeblood of the network and, by extension, cybersecurity, feeds into the various security solutions, threat intelligence, and SIEMs that ultimately generate the reports and recommendations on which analysts depend. Counterintuitively, security teams have a bigger problem dealing with too much data than too little for several reasons:

  • Too many false positives
  • Analysis paralysis
  • Lack of skilled cybersecurity professionals
Too many false positives

The false positives of traditional detection and response (D&R) solutions overwhelm security teams. These traditional methods do not separate the noise from the useful data and do not discern between priority alerts and alerts that are incidental, due in large part to the low fidelity of the data gathered by SIEM and centralized log management (CLM). The situation has kept security teams on the back foot, reactively responding to threats rather than proactively preventing them. Ideally, security alerts should efficiently point security teams toward preventive or remedial actions.

Analysis paralysis

Security teams are stuck analyzing benign and nonconsequential alerts, impeding their ability to act on alerts that pose actual threats. In a survey conducted by Frost & Sullivan in June 2021, 70% of surveyed organizations with more than 500 employees in the United States and Singapore had mean times to detect of more than a week. In the same survey, 90% of respondents had mean times to respond of more than a day.

Considering how some of the most damaging attacks that target organizations, such as privilege misuse and system intrusion, take the longest time to find,[1] damage can accumulate quickly.

Lack of cybersecurity professionals

The severe lack of available cybersecurity is the most glaring problem that every organization faces today, and it is a longstanding problem[2] that has significantly affected the cybermaturity of organizations as a whole.

Even with the best data available, organizations will struggle to stay ahead of threats without enough people to perform the tasks needed to run an effective security operations center. Consequently, analysts wear many hats and can become overwhelmed and ineffective. Security leaders have been finding ways to solve the data problem. In fact, according to Frost & Sullivan’s survey, 43% of respondents said that the primary purpose of their plans to deploy XDR is to better deal with increasing volumes of data. Extended Detection and Response, or XDR is a relatively nascent cybersecurity solution that takes the capabilities of SIEM and turns it up a notch.

XDR can address data paralysis

The pillars of XDR are cross-layered D&R, AI-enabled analytics, and automation. Gathering data from across the IT and OT environments, normalizing it, and then performing correlation fulfills these functions. The security posture and threat environment are then combined. The quality of the derived insights is enhanced by the application of analytics. Overall noise is reduced, and insights are immediately actionable. Human input on repetitive tasks is then eliminated by leveraging automation, giving security teams the bandwidth to work on higher-order tasks and mitigate one of the most serious security liabilities.

Is XDR suitable for your organization?

XDR should be leveraged in conjunction with an appropriate cybersecurity strategy and a proper set of existing tools to maximize its utility. Organizations thinking of tapping into its strengths should first audit its security posture and determine if it would benefit from better data management and analysis. Furthermore, the few vendors that currently provide XDR to the market have slightly different ways of doing it. In the case of Hillstone Networks, a leading vendor in the network security management space, the company has built upon its considerable experience to deliver highly contextualized insights and thorough visibility through its highly integrable and comprehensive XDR platform.

To learn more about how analysis paralysis and alert fatigue have bolstered the adoption rate of the XDR solution, get access to the full whitepaper here.

 

[1] 2021 Data Breach Investigation Report, Verizon, 2021.

[2] Cybersecurity Skills Crisis Continues for Fifth Year, Perpetuated by Lack of Business Investment, ISSA, 2021.