Enterprises are struggling to keep up with the troves of false positives, security alerts, and amorphous security information which are hampering their ability to detect and handle persistent threats and data breaches, according to a new study.
The study, titled "Data-Driven Security Reloaded" and produced by analyst firm Enterprise Management Associates (EMA), based in Portsmouth, N.H., found that while companies' effectiveness in combating information security threats is sliding, the copious security data they collect is overwhelming and thus ineffective. A survey of more than 200 IT administrators and security managers found that 95% of respondents using security analytics were confident in their ability to detect security issues. However, 79% of all respondents ranged from only "somewhat confident" to "highly doubtful" about their ability to detect security threats before those threats impacted their organizations.
"The inability to filter through all these alerts is a common information problem amongst organizations," David Monahan, research director at EMA, said. He explained that the study asked about 18 different types of security technologies and ranked respondents' value statements of the products. "Security analytics and threat analytics anomaly detection solutions were tied for first place and had one of the highest value rankings."
The survey, sponsored by anomaly detection firm Prelert, Inc., also found that IT professionals and security managers are struggling to identify and separate important data from the rest of the noise. For example, 50% said too many false positives negatively impact their security readiness.
"That was the number one issue that people had with technology -- that they were getting too many false positives," Monahan said. "The inability to filter through all these alerts is a common information problem amongst organizations."
In addition, 38% said that too much uncorroborated data lacking context hampers their breach detection efforts, while 12% said they simply have too many security alerts to handle.
"It's not just about being able to collect everything and just throw it all into a bucket -- it's about being able to understand and use that data," Monahan said.
In addition, Monahan pointed out that when asked if a lack of data was responsible for inadequate security, zero respondents said yes. And when asked if respondents would want to collect more data, the response was generally no. "Some data may not be as germane," he said, "but the pieces that are: we really want to have those and put those together and create that full context."
Monahan emphasized that it's not about bigger data, but better data. Context and fidelity are the goals, not indiscriminate hoarding of information.
Fidelity is the value of information, Monahan explained, whereas context is putting the pieces together to make the full puzzle picture. "If you have better data and better analysis," he said, "that's going to reduce the number of false positives you have; it's going to reduce the excessive or uncorroborated events; [and] it's also going to reduce the multiple alert factor."