For decades, security professionals have been plagued by two fundamental security challenges: maintaining legacy IT systems and alert fatigue.
Over time, legacy IT systems become attractive targets for attackers because they grow increasingly difficult to maintain. It's hard to justify replacing a system that continues to work well and perform all the functions you need it to. But as the years pass, these systems are deprecated and superseded by modern technologies that are more efficient and effective.
This becomes problematic when you get to the point where the system is no longer supported by the vendor, so patches are no longer available, or when fewer and fewer people have the skills needed to update and maintain the system. How do you address a vulnerability or fix a problem then?
Organizations across sectors face this challenge, but in the federal government the risk of aging systems is so high that the Legacy IT Reduction Act of 2022 aims to force agencies to identify and update critical systems.
Another perennial problem is alert fatigue. Analysts are so inundated by the number of alerts received on a daily basis, that they become desensitized to them and eventually simply dismiss them without determining the severity of the threat and whether or not the alert should be escalated to incident response.
In a recent study, more than half of IT security and SOC decision makers said their team is overwhelmed by the volume of alerts and that they aren't entirely confident in their ability to prioritize and follow up on them. The problem is so rampant and the risk of cyberattacks so heightened that 70% now say their home lives are being emotionally affected by their work managing IT threat alerts.
Time is the enemy
To deal with aging systems and alert overload you can try throwing more money and people at the problem. But procurement cycles are incredibly long—averaging from 15 months in the private sector to 22 months in the public sector, according to a recent Gartner survey. While replacing legacy solutions is the preferred course of action, it is not a quick fix.
And cybersecurity professionals are not sitting on the bench. In fact, the cyber skills talent shortage is worse than ever. Exacerbated by the pandemic, the number of unfilled jobs worldwide has grown by 26.2% over the past year to around 3.4 million according to new research by (ISC)2.
Even when you can hire, many security problems stem from the fact that a lot of the people employed in the security industry lack the expertise the work requires. Depending on what you are trying to enable and the devices you are using, analysts may need additional scripting and programming skills, including knowledge of legacy languages like COBOL, not to mention the experience to know which alerts they can safely filter out and how to continuously tune systems accordingly. When we look at how to enable these crucial capabilities given our current state, a lot comes back to automation.
Eliminating constraints with automation
Think about the normal day for a security analyst. If we’re expecting them to handle alerts, events that have come up, and new attacks that are happening right now—that’s a lot of new information to look at and assess. How much time do they have to read dozens of RSS feeds, research blogs, industry and government reports, security vendor reports, news websites, and GitHub repositories?
Collecting and making sense of all that data becomes crucial, but there’s no way individuals can do this on their own quickly enough. Being able to automate that process so you can get to the information that you are going to use now or later and filter out the noise is essential. Obviously, automation is a fundamental capability to reduce the burden of manual review and prioritization of alerts.
But while a recent report on cybersecurity automation adoption finds that confidence in automation is rising, only 18% of respondents are applying automation to alert triage.
Now you have a system that can no longer be patched, but you keep running it because it manages a crucial part of your business. You need a Plan B. Filtering threat intelligence against your existing systems lets you automatically receive indicators associated with the threat actors known to exploit that vulnerability, which you can then use to detect and block the activity at the network level, compensating for the patch you cannot apply.
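The following script is an added example of that Plan B, and of the feed-filtering idea from the previous section; it is not the author's or ThreatQuotient's code. It takes a constructed asset inventory, a constructed list of vulnerabilities with hypothetical identifiers (VULN-LEGACY-…, not real CVEs), and a constructed indicator feed, keeps only the indicators tied to vulnerabilities on assets that are out of vendor support and running an affected version, drops low-confidence entries, and renders what remains as firewall and DNS RPZ block rules. The rule syntax is illustrative; in practice the output would be pushed to the firewall or resolver through its own API.

```python
"""Filter a threat-intelligence feed down to the indicators that matter for
unpatched legacy assets, then emit network block rules.

Added example. All inventory, vulnerability and indicator data below is
constructed; the VULN-LEGACY-* identifiers are hypothetical, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    end_of_support: bool  # True: vendor no longer ships patches


@dataclass(frozen=True)
class Vuln:
    vuln_id: str               # hypothetical identifier
    product: str
    affected_versions: frozenset


@dataclass(frozen=True)
class Indicator:
    value: str                 # IPv4 address or domain name
    ioc_type: str              # "ipv4" or "domain"
    exploits: frozenset        # vuln_ids the actor is known to leverage
    confidence: int            # 0-100, as reported by the feed


# Constructed sample data: one unsupported legacy ERP, one patched gateway.
ASSETS = [
    Asset("hr-mainframe-01", "AcmeLegacyERP", "7.2", True),
    Asset("web-edge-03", "AcmeWebGateway", "12.1", False),
]

VULNS = [
    Vuln("VULN-LEGACY-0001", "AcmeLegacyERP", frozenset({"7.1", "7.2"})),
    Vuln("VULN-LEGACY-0002", "AcmeWebGateway", frozenset({"11.0"})),
]

FEED = [
    Indicator("198.51.100.23", "ipv4", frozenset({"VULN-LEGACY-0001"}), 85),
    Indicator("c2.example.invalid", "domain", frozenset({"VULN-LEGACY-0001"}), 40),
    Indicator("203.0.113.9", "ipv4", frozenset({"VULN-LEGACY-0002"}), 95),
    Indicator("192.0.2.77", "ipv4", frozenset({"VULN-OTHER-0009"}), 99),
]


def exposed_vulns(assets, vulns):
    """Return the vuln_ids that hit an asset we cannot patch: the asset is out
    of vendor support and runs an affected version of the product."""
    exposed = set()
    for asset in assets:
        if not asset.end_of_support:
            continue  # still patchable: fix it rather than block around it
        for vuln in vulns:
            if vuln.product == asset.product and asset.version in vuln.affected_versions:
                exposed.add(vuln.vuln_id)
    return exposed


def relevant_indicators(feed, exposed, min_confidence=50):
    """Keep indicators linked to an exposed vulnerability and above the
    confidence floor, highest confidence first so the best-supported
    indicators are blocked (or reviewed) before the weaker ones."""
    kept = [i for i in feed if (i.exploits & exposed) and i.confidence >= min_confidence]
    return sorted(kept, key=lambda i: -i.confidence)


def block_rules(indicators):
    """Render indicators as block rules: iptables for IPs (both directions,
    since an exploited host may also beacon out) and an RPZ record for
    domains (CNAME . is the RPZ NXDOMAIN action). Syntax is illustrative."""
    rules = []
    for ind in indicators:
        if ind.ioc_type == "ipv4":
            rules.append(f"iptables -A INPUT -s {ind.value} -j DROP")
            rules.append(f"iptables -A OUTPUT -d {ind.value} -j DROP")
        elif ind.ioc_type == "domain":
            rules.append(f"{ind.value} CNAME .")
    return rules


if __name__ == "__main__":
    exposed = exposed_vulns(ASSETS, VULNS)
    print("exposed vulnerabilities:", sorted(exposed))
    for rule in block_rules(relevant_indicators(FEED, exposed)):
        print(rule)
```

On the constructed data only one indicator survives: the gateway is patched and not on an affected version, so indicators for VULN-LEGACY-0002 are noise for this environment, the VULN-OTHER-0009 indicator matches nothing in the inventory despite its high confidence, and the low-confidence domain is held back for analyst review rather than blocked automatically. Lowering min_confidence trades fewer missed indicators for more false positives, which is exactly the tuning decision the text says analysts must make for their own environment.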
You can also use automation to proactively strengthen your security posture such as automating access controls by users and roles to limit access and authorize or deprovision users.
Cybersecurity problems resulting from legacy IT and alert fatigue have been around for a long time, and we've attempted to solve them in different ways with limited success. Now automation has advanced to the point where analysts can implement it themselves based on parameters they set, tune it as needed for their environments and changing conditions, and set up integrations and automated actions using low- or no-code interfaces.
Finally, security teams have breathing room to start thinking about trends and the vulnerabilities attacker groups could use, and whether the organization is exposed to them, so they can develop and execute a plan to proactively mitigate risk. In many ways it's back to basics, but taking advantage of modern implementations of automation to do more with less.
Nigel Houghton is director of marketplace and ecosystem development at ThreatQuotient, a provider of cybersecurity automation products and services.
Have an Opinion?
This article is an Op-Ed and the opinions expressed are those of the author. If you would like to respond, or have an editorial of your own you would like to submit, please email C4ISRNET Senior Managing Editor Cary O’Reilly.