Are Your Deduplication Capabilities Good Enough?
For security teams, information overload is a real problem: 75% of CISOs reported to Dark Reading that they’re “overwhelmed” by the number of findings they’re receiving, with companies averaging 500+ endpoint security alerts that need investigation per week.
Even worse, not all of those findings are created equal; one report found that between 20% and 40% of all findings are false positives, and these false alarms have slowed down the threat response at 33% of organizations, according to VikingCloud.
The current situation is so stressful that one report found half of cybersecurity professionals expect to burn themselves out within a year, and 80% expect burnout in three years or less.
This epidemic is being caused in large part by tool sprawl. As an enterprise’s tech stack grows, security teams inevitably have to add more tools to properly scan and test all of the software in use, with the majority of them using anywhere from 21-80 tools, per IDC.
By nature, some of these tools overlap with each other, surfacing the same findings and contributing to the deluge of information.
In addition, all security scanners unfortunately produce false positives—things that look like issues or vulnerabilities, but which are actually harmless. If they’re caught, a security team must manually address the issue, trading response time speed for accuracy. (81% of professionals are slowed down by manual investigations.)
If they’re not, however, then developers receive final results that include false positives, which slow down their operations, require rescanning or other rework, and ultimately damage the security-development working relationship at a time when agility and collaboration are essential for businesses.
Reducing the number of tools your team uses may seem like an easy solution. In fact, Gartner has found that three-quarters of organizations are working towards vendor consolidation, with efficiency the top reason for doing so. Make no mistake: consolidation can be a useful tool in simplifying your security workflow. However, consolidation for the sake of consolidation, or simply getting rid of tools just to say you’ve gotten rid of them, can leave your tech stack open to exploitation.
Instead, deduplication presents the more feasible answer. It’s a simple enough idea: reduce the total number of alerts or findings a security team has to review by removing duplicate findings. However, manual deduplication is difficult for a number of reasons.
First, humans are prone to make mistakes or miss something when dealing with repetitive data. Second, manually going through every alert is not an effective use of a security team that’s already being stretched to its limits. In addition to the high occurrence of burnout within the industry, the World Economic Forum reports that cybersecurity as an industry faces a talent gap of four million individuals.
Consequently, professionals have to do more with less, or they have to push themselves beyond their limits. 98% of security leaders surveyed by BlackFog report working beyond their contracted hours, by an average of nine extra hours per week.
However, technology can help security professionals with duplicate findings rather than acting as yet another tool to integrate into the sprawl. It’s also the same kind of technology that bad actors are using to find new vulnerabilities and launch attacks.
Of course, we’re talking about artificial intelligence (AI). AI, specifically machine learning (ML), doesn’t mind dealing with and consolidating repetitive data, and it can evaluate findings far faster than a human can. It can even learn from humans to better classify alerts in the future and escalate real threats, not false positives. With advanced reasoning and logic, ML can also go beyond simple string matching to more effectively weed out duplicates. However, these same strengths also make ML a great tool for malicious purposes, since ML can also scan for vulnerabilities in software and surface them quickly to bad actors for more avenues of attack.
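To make the deduplication idea concrete, here is an added example (not DefectDojo code, and not from the article) that merges findings from several hypothetical scanners. It goes a step beyond exact string matching: paths are normalized across tools and operating systems, a nearby line number is tolerated, a shared CWE is treated as authoritative, and only when a CWE is missing does it fall back to fuzzy title similarity. The finding schema, scanner names and sample findings are all constructed for the example.

```python
"""Cross-tool deduplication of security findings (added example, not DefectDojo's code).

Assumed finding schema: tool, title, file, line, severity, optional CWE.
The sample findings below are constructed for illustration.
"""
import difflib
import posixpath
import re
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    tool: str
    title: str
    file: str
    line: int
    severity: str
    cwe: Optional[int] = None


def normalize_path(path: str) -> str:
    """Make paths comparable across scanners: unify separators, drop ./ and leading /."""
    p = path.replace("\\", "/")
    p = posixpath.normpath(p)
    return p.lstrip("/")


def normalize_title(title: str) -> str:
    """Lowercase, strip punctuation and collapse whitespace so wording differences matter less."""
    t = re.sub(r"[^a-z0-9 ]+", " ", title.lower())
    return re.sub(r"\s+", " ", t).strip()


def is_duplicate(a: Finding, b: Finding, line_tolerance: int = 3, title_threshold: float = 0.8) -> bool:
    """Two findings are duplicates when they sit at the same place and describe the same weakness."""
    if normalize_path(a.file) != normalize_path(b.file):
        return False
    if abs(a.line - b.line) > line_tolerance:
        return False
    # A CWE on both sides is the most reliable signal: same CWE -> duplicate, different -> not.
    if a.cwe is not None and b.cwe is not None:
        return a.cwe == b.cwe
    # Otherwise fall back to fuzzy title similarity rather than exact string equality.
    ratio = difflib.SequenceMatcher(None, normalize_title(a.title), normalize_title(b.title)).ratio()
    return ratio >= title_threshold


def deduplicate(findings: list[Finding]) -> list[list[Finding]]:
    """Greedy clustering: each finding joins the first cluster whose representative it matches."""
    clusters: list[list[Finding]] = []
    for f in findings:
        for cluster in clusters:
            if is_duplicate(cluster[0], f):
                cluster.append(f)
                break
        else:
            clusters.append([f])
    return clusters


def merged_report(findings: list[Finding]) -> list[dict]:
    """One row per cluster, keeping the highest severity any tool assigned and listing the tools."""
    rows = []
    for cluster in deduplicate(findings):
        worst = max(cluster, key=lambda f: SEVERITY_RANK.get(f.severity.lower(), -1))
        rows.append({
            "title": cluster[0].title,
            "file": normalize_path(cluster[0].file),
            "line": cluster[0].line,
            "cwe": next((f.cwe for f in cluster if f.cwe is not None), None),
            "severity": worst.severity,
            "tools": sorted({f.tool for f in cluster}),
            "count": len(cluster),
        })
    return rows


# Constructed sample: three scanners flag the same SQL injection with different wording,
# paths and line numbers; two flag the same hard-coded credential; a weak-hash finding
# shares a location with the SQL injection but has a different CWE and must stay separate.
SAMPLE_FINDINGS = [
    Finding("scanner-a", "SQL Injection", "./src/app/db.py", 42, "high", cwe=89),
    Finding("scanner-b", "SQL injection (query built from user input)", "src/app/db.py", 43, "critical", cwe=89),
    Finding("scanner-c", "SQL injection risk", "src\\app\\db.py", 44, "medium", cwe=None),
    Finding("scanner-a", "Hardcoded password", "src/app/config.py", 10, "high", cwe=798),
    Finding("scanner-b", "Hard-coded credential", "src/app/config.py", 10, "high", cwe=798),
    Finding("scanner-d", "Use of weak hash (MD5)", "src/app/db.py", 42, "low", cwe=328),
]

if __name__ == "__main__":
    for row in merged_report(SAMPLE_FINDINGS):
        print(row)
```

Running the block collapses six raw findings into three rows: the SQL injection reported by three tools, the credential reported by two, and the MD5 finding on its own. The CWE rule is what keeps the last one separate even though it shares a file and line with the first cluster, which is the kind of distinction a pure string or location match gets wrong.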
This issue is growing quickly, and it’s not going away. 74% of surveyed organizations reported they are already feeling the impact of AI-driven cyber attacks, and 89% of the same respondents believe that this problem will only continue to grow. Given that cybersecurity professionals are already under strain, decision makers have to prioritize assisting their teams in adequately combating this tsunami of threats.
Effective mitigation requires efficient evaluation of alerts. To do that, teams need to tackle the twin issues of false positives and duplicate alerts.
Since scaling headcount is difficult thanks to the global talent shortage, that means embracing new solutions that cut through the noise by intelligently automating repetitive, time-consuming work. It means embracing ML – not as a panacea for all security issues, but as a tool to be used to reduce your team’s alert fatigue and help them more effectively respond to higher-level threats and execute strategic initiatives.
Greg Anderson is CEO and creator at DefectDojo