Significant false positives are a main cause of delayed detection and response
A primary reason breaches aren’t detected sooner is the sheer volume of security alerts, which overwhelms security teams. A global Cisco survey found that 17% of organizations received 100,000 or more alerts per day in 2020, up from 11% in 2017, and that roughly half of real threats went uninvestigated as a result.2
Security information and event management (SIEM) software is designed to help analysts by providing real-time monitoring of threats. But analysts are estimated to spend roughly a quarter of their time chasing false positives (alerts that flag benign activity as malicious) generated by these tools.6 A 2019 survey of cybersecurity professionals found that each alert takes more than 10 minutes to investigate, and that roughly half turn out to be false positives.7 As a result, analysts spend most of their time managing alerts rather than containing or remediating threats. A growing number of SIEM providers are incorporating AI to reduce false positives.
Intelligent automation becomes essential for rapid detection and response
As the volume of threats rises, more organizations are combining automation with AI to detect and respond to attacks more efficiently. In 2019, organizations without security automation suffered nearly twice the breach costs of organizations with fully deployed automation.5 And 75% of security professionals surveyed in 2019 said automation is highly valuable to achieving cyber resilience.8
AI tools can be configured to block threats automatically, or to deceive attackers during their reconnaissance by feeding them false signals. When a new malware sample appears, AI tools compare it to previously seen samples in their databases and decide whether it should be blocked automatically. Machine learning models can learn to recognize ransomware behavior before it encrypts data, and can judge whether a website redirects to a malicious domain. Automatic blocking is only as trustworthy as the model’s false-positive rate, which is why high-impact actions are usually kept under human review.
The most effective type of threat detection incorporates both AI and humans. Organizations using AI report reducing the time taken to detect threats and breaches by 12%.9 AI can also improve user authentication and password protection.
Using SOAR to manage alerts and improve response
Many organizations are now turning to security orchestration, automation and response (SOAR), technologies that use data from SIEM and other security systems to standardize and shorten incident response processes. SOAR combines orchestration, automation, threat intelligence, human analysts and machine learning to detect and contain threats.
SOAR analyzes each security incident and decides whether to act automatically or to request human intervention. For example, SOAR can isolate or shut down a system the moment malicious activity is detected. It can also shorten the time to containment, and with it the window in which malware can spread, by automating supporting steps such as forensic data gathering and vulnerability scans. Automated, orchestrated incident response saves an average of US$1.5 million in data breach costs, according to IBM.10
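The triage decision described above, and the false-positive problem from the SIEM section, as an added illustrative example; this is not code from any SOAR vendor or from the surveys cited on this page. It assumes alerts have already been normalized into a common record (the `Alert` fields, the scanner allowlist, the tier weights and the thresholds are all hypothetical tuning values), deduplicates an alert burst into incidents, closes a known-benign pattern without analyst time, auto-contains high-confidence malware on non-critical hosts after capturing evidence, and escalates everything else, including malware on a domain controller, where automatic isolation is too disruptive to take without a human.

```python
"""Added illustrative SOAR-style triage (not any vendor's code): each normalized
alert is scored and either handled automatically or escalated to an analyst."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    CLOSE_FALSE_POSITIVE = "close_as_false_positive"
    ISOLATE_HOST = "isolate_host"            # automatic containment
    COLLECT_FORENSICS = "collect_forensics"  # memory/disk/log capture before cleanup
    ESCALATE = "escalate_to_analyst"         # human decision required


@dataclass(frozen=True)
class Alert:
    alert_id: str
    rule: str          # detection rule name from the SIEM/EDR
    category: str      # "ransomware", "malware", "recon", "policy"
    severity: int      # 1 (low) .. 10 (critical), as scored by the source tool
    confidence: float  # 0.0 .. 1.0, how sure the detection is
    host: str
    host_tier: str     # "workstation", "server", "domain_controller"
    src_ip: str


# Hypothetical tuning knobs; a real SOAR keeps these in playbook configuration.
SCANNER_IPS = {"10.0.0.5"}                    # authorized vulnerability scanner
BENIGN_RULES_FROM_SCANNERS = {"port_sweep"}   # noisy when the source is our scanner
TIER_WEIGHT = {"workstation": 1.0, "server": 1.5, "domain_controller": 2.0}
AUTO_CONTAIN_CATEGORIES = {"ransomware", "malware"}
AUTO_CONTAIN_MIN_CONFIDENCE = 0.9
ESCALATE_MIN_RISK = 4.0


def risk_score(alert):
    """severity x confidence x asset weight: an 8/10 on a DC outranks a 9/10 on a laptop."""
    return alert.severity * alert.confidence * TIER_WEIGHT.get(alert.host_tier, 1.0)


def decide(alert):
    """Return the ordered list of playbook actions for one alert."""
    # 1. Known-benign pattern from an allowlisted source: close without analyst time.
    if alert.rule in BENIGN_RULES_FROM_SCANNERS and alert.src_ip in SCANNER_IPS:
        return [Action.CLOSE_FALSE_POSITIVE]
    # 2. High-confidence malware on a non-critical asset: contain immediately,
    #    but capture volatile evidence first so isolation does not destroy it.
    if (alert.category in AUTO_CONTAIN_CATEGORIES
            and alert.confidence >= AUTO_CONTAIN_MIN_CONFIDENCE
            and alert.host_tier != "domain_controller"):
        return [Action.COLLECT_FORENSICS, Action.ISOLATE_HOST]
    # 3. Risky enough, including malware on a DC (auto-isolating a DC is too
    #    disruptive to do without a human): gather evidence, then escalate.
    if risk_score(alert) >= ESCALATE_MIN_RISK:
        return [Action.COLLECT_FORENSICS, Action.ESCALATE]
    # 4. Low-risk leftovers still reach a human, just without automated enrichment.
    return [Action.ESCALATE]


def triage(alerts):
    """Deduplicate a burst of alerts into incidents keyed by (host, rule),
    keep the highest-confidence alert per incident, and decide each one.
    Returns {(host, rule): (alert_count, actions)}."""
    incidents = {}
    for a in alerts:
        key = (a.host, a.rule)
        count, best = incidents.get(key, (0, None))
        if best is None or a.confidence > best.confidence:
            best = a
        incidents[key] = (count + 1, best)
    return {k: (n, decide(best)) for k, (n, best) in incidents.items()}


# Constructed sample alerts standing in for a SIEM feed.
SAMPLE_ALERTS = [
    Alert("a1", "port_sweep", "recon", 3, 0.8, "web01", "server", "10.0.0.5"),
    Alert("a2", "ransomware_mass_rename", "ransomware", 9, 0.95, "ws-042", "workstation", "10.1.2.3"),
    Alert("a3", "ransomware_mass_rename", "ransomware", 9, 0.97, "ws-042", "workstation", "10.1.2.3"),
    Alert("a4", "ransomware_mass_rename", "ransomware", 9, 0.95, "dc01", "domain_controller", "10.1.9.9"),
    Alert("a5", "usb_policy_violation", "policy", 2, 0.6, "ws-007", "workstation", "10.1.2.7"),
]

if __name__ == "__main__":
    for (host, rule), (n, actions) in triage(SAMPLE_ALERTS).items():
        print(f"{host:8} {rule:25} x{n}: {[x.value for x in actions]}")
```

The ordering inside each action list matters: evidence is collected before the host is isolated, because a network quarantine or shutdown can discard the memory and connection state an investigator needs. The dedup step is what turns the alert-volume problem into a manageable incident count; two identical ransomware alerts on ws-042 become one incident with a count of two rather than two separate tickets.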
Outsourcing threat detection and incident response
Small to midsize organizations may be unable to invest in the technology or human resources needed to quickly detect and respond to security incidents. Small businesses, public sector agencies and health care providers have been increasingly targeted by cybercriminals who are finding greater success with soft, data-rich targets.
At a minimum, all organizations should install and continually update antivirus and anti-malware software. Having enough well-trained security professionals is also critical for quickly detecting threats and preventing unauthorized access.
Many organizations are finding outsourcing security to be their best solution, but care must be taken to choose a reliable vendor. Roughly one-third of organizations surveyed by Cisco in 2020 outsourced incident response services, with more than half citing “more timely response to incidents” as the main reason why.2
Managed detection and response (MDR) is becoming an increasingly popular option, especially for smaller organizations. MDR is a service that detects malware and malicious activity and helps organizations respond rapidly to eliminate those threats. MDR typically combines technology with outsourced analysts. Gartner predicts that by 2024, a quarter of organizations will be using MDR services, up from just 5% in 2019.11