18 Dec Amid AI and Machine Learning, the Human Touch Remains Crucial to Cybersecurity in 2019, New Network Security Survey Finds
Amid the fervor over artificial intelligence (AI) and machine learning, it’s easy to lose sight of just how important human involvement is in cybersecurity, a new survey finds.
We know network security is complicated and becoming increasingly complex given a multitude of reasons including sophisticated attacks, the proliferation of IT infrastructure and changes stemming from IoT, cloud adoption and BYOD, among others. So, the Bricata team conducted a survey to ask cybersecurity professionals about the challenges and opportunities they face in network security.
The importance of a human touch stood out when respondents were asked where they think their security organization should focus its future efforts. On a weighted average, based on a five-point scale, the answers stacked up as follows:
- Security analytics (4.20)
- Security integration (4.12)
- Behavioral analysis (4.07)
- Collaboration (4.0)
- Machine learning / AI (3.97)
- Threat hunting (3.88)
- Signature detection (3.33)
As you can see, collaboration is fittingly positioned in the middle of tools and processes like analytics and threat hunting. Collaboration is a distinctively human characteristic and it’s interesting to see it come out ahead of machine learning and artificial intelligence (AI) as an area of focus.
(Click each image for higher resolution.)
Here is a summary of key findings from the survey:
1) Top network security challenges are insider threats and complex IT.
A majority of respondents (64%) said network security is harder this year as compared to last year. When asked about network security challenges, insider threats (44%) and the complexity of IT infrastructure (42%) topped the list. These were followed by:
- A lack of leadership support (40%);
- Security technology interoperability (37%);
- Shadow IT (31%);
- BYOD (26%);
- A deluge of security alerts (22%); and
- Too many tools (18%).
No single topic drew a majority. That fact only serves to underscore the diversity of problems facing network security which vary by industry, IT environment and perhaps organizational culture.
It’s also worth noting, in our assessment of the answers, “insider threats” are not necessarily people with malicious intent. This likely includes accidental incidents set off by well-intended users inside the network.
2) Integration of security tools is a growing problem.
Most organizations used between 1 and 10 tools for the purpose of network security. This seems reasonable given other studies put the benchmark for the overall security organization – including endpoint security for example – at between 10 and 50 tools.
The real problem the survey uncovered isn’t necessarily the number of tools the organization is using, but the lack of integration among the tools they use. About one-third of respondents said their security tools were not integrated, while another 28% said these tools were just somewhat integrated. No respondents indicated cybersecurity tools in their environment were completely integrated.
When asked why, in an open-ended question, respondents pointed to a combination of causes including the absence of industry standards, competition among vendors, and poorly-conceived procurement choices.
We believe the problem has reached a critical mass and as a result, security integration will be increasingly mandatory among the list of requirements in the security acquisition process. Enterprises will start demanding that new cybersecurity tools adhere to open standards, open APIs and readily allow the security operations center (SOC) to share data as they deem fit.
3) The cybersecurity alert deluge struggle is real.
Most organizations get a deluge of alerts.
A little more than one-third (35%) of respondents say their organization gets 100 or fewer alerts per day, which doesn’t sound too bad, but that’s the minority. About one-quarter (26%) of respondents put that number at more than 1,000 with 10% of those seeing more than 10,000 alerts. All remaining respondents fell somewhere between 100 and 1,000 daily alerts.
These alerts require time to investigate. The vast majority (84%) say it takes five or more minutes to effectively triage an alert. This means an organization with 1,000 alerts – which is a modest example in this survey – would have to triage 12 alerts per hour, for nearly 3.5 days without pausing to get through all of these.
The problem is compounded by the fact more alerts pour in all the time and some require more time to vet properly. For example, 58% of respondents said alerts take double the investigation time – 11 or more minutes to triage. The vast majority (82%) say their organization spends too much time investigating alerts at least some of the time.
Much of this is caused by a high signal-to-noise ratio. Many alerts are false positives which overwhelm the resources security teams have at hand.
“A decent number of false-positives waste quite a bit of time,” wrote one respondent. “On the other hand, some alerts are critical, but we are missing vital information, which we then spend ages trying to locate.”
Some respondents candidly admitted they simply don’t investigate every alert, which risks a sophisticated threat slipping by in plain sight. It’s clear, a better means of prioritizing and triaging alerts is needed.
4) Threat hunting is necessary and well-positioned for growth.
Threat hunting grew out of the notion that sophisticated threat actors understand how traditional detection technologies work – and evade detection. Slipping by in plain sight, amid the deluge of alerts for example.
As a result, threat hunting is becoming one of the hottest trends in cybersecurity currently. While just about one-third (32%) say they are doing threat hunting today – that figure nearly doubles when asked about the future. A majority (61%) of respondents believe that threat hunting will be either more important or much more important in the next year or so.
These findings are generally in line with another study focused on threat hunting conducted earlier this year.
5) Solid relations with the business, but a weak relationship with DevOps.
Security seems to have a stronger relationship with the business than with DevOps. Some 34% of respondents said the relationship between cybersecurity and DevOps is strong, while 27% said it isn’t. By contrast, 51% of respondents said the relationship between cybersecurity and the business is strong, while 22% said it isn’t.
On some level this makes sense: Cybersecurity serves the business while it often finds itself at odds with the change management processes that DevOps champions. This is because a newly-revealed exploit will exist in a production environment and the risks associated with changing the production environment are precisely why the change management process is intentionally slow and methodical.
Still, it’s surprising because conventional wisdom says both sides have similar goals and speak the same technical language – an advantage the business side does not always enjoy. Still, the pace of vulnerabilities in the modern cybersecurity landscape has thrust relationship between cybersecurity and DevOps into focus.
The Important Human Layer in Cybersecurity
This survey’s findings may well demonstrate why people come first in the triple-pronged adage of people, process and technology. Tools alone won’t defend the network, because it’s still people that use the technology, and its people that need to know how to use the tools an organization employs.
Perhaps more importantly, collaboration and relationships serve as essential cornerstones. This has long been true in business and it’s true in the business of cybersecurity too. As we turn the corner on 2019, this an important reminder that amid all the amazing innovation, people – cybersecurity professionals – remain a crucial part of a layered security posture.
This online survey was conducted from November 1, 2018, until November 30, 2018. Respondents were solicited by email distributed through two third-party trade organizations with credible cybersecurity subscribers.
Sixty-eight mostly senior respondents with more than 10 years of experience completed the survey. Respondents hailed from a wide distribution of industries. Respondents were most widely represented by technology (29%) and financial (22%) vertical markets, though many also stem from government, education, healthcare and non-profit.
A copy of the full survey results – The Top Challenges in Network Security for 2019 – are embedded nearby and are available for download in PDF format on SlideShare.
Network Visibility: Can You Analyze Encrypted Traffic for Cybersecurity Threats?