Last week I posted a blog about how, in a past life, I had spent 30 days doing excruciating, tedious data-fusion work to piece together an answer to a basic question (how had our company done at a trade show?), and how this experience is directly relevant to the life of a security analyst. I was not a marketing analyst, so this was not my day-to-day job, and I was really curious how much time someone who does do analysis day in and day out, a security analyst, spends wrangling data from multiple systems in a similar multi-database environment. So, in an admittedly completely unscientific poll of a number of current and former practitioners within Novetta (we have a lot!), as well as conversations with a number of customers, the consensus answer turned out to be “around 25%.”
Now, this answer actually greatly surprised me, because I know just how time consuming it is to completely put together the pieces of a multi-database puzzle. What came out of deeper conversations is that, except in rare circumstances, it’s just not worth the extraordinary amount of time and effort to put together the full picture. Security shops are making a risk-based decision of, “It looks like we’re ok,” based on incomplete information, then moving on to the next alert. Now, to be clear, I’m not denigrating these decisions, as risk-based decisions on limited information make sense in any time and resource constrained environment.
What also clearly came out of the conversations was the time spent working on false-positive alerts: “around 45%.” So, almost half (!) of a security team’s time and resources are spent responding to inaccurate automated alerts generated by their own infrastructure. A typical, paraphrased comment from a CISO was, “It’s impossible to tune the alerts correctly: too tight, and we might miss something important; too loose, and my team is overwhelmed.” Clearly the industry has more work to do on its automation.
The net result of all of this is that ~70% of a security analyst’s time is almost completely wasted. (I don’t count data fusion work that provides an incomplete picture as truly productive.)
If only there was a product that focused on empowering security workers, not automating them …