For far too long now, security teams have fixated on accumulating tools that aim to help them obtain a new line of vision. But they never see the entire picture, especially when it comes to cloud visibility.
As a result, security teams grow overwhelmed by an onslaught of incidents and issues. Nearly half of companies have experienced a cloud-based data breach or failed audit in 2022, up from 40% in 2021. Cloud misconfigurations have emerged as a particularly troublesome development, with one in six organizations indicating that these misconfigurations have caused a breach or incident over the past year. These breaches cost enterprises $3.18 trillion a year, with 21.2 billion records exposed. The actual numbers may be much higher, as up to 99% of all misconfigurations in the public cloud go unreported.
Companies are also failing to fix the misconfigurations in a timely manner, with small and medium-sized businesses taking 75 days on average to resolve them after they’re discovered, and larger enterprises taking 88 days to do so.
Then, there are “alert overload” issues — teams encounter more than 500 alerts every day, and 38% deal with more than 1,000 per day. For 81% of these teams, false positives account for no less than one-fifth of the alerts.
What’s more, the majority of teams spend at least 20% of their time deciding which alerts to focus on first. Fifty-five percent say they miss critical alerts weekly or even daily due to ineffective prioritization. It should come as no surprise then that team members are experiencing significant burnout, with two-thirds of IT professionals indicating that alert fatigue directly contributes to turnover.
As indicated, a lack of tools is not the issue. These understaffed teams have an abundance of tools. But each one points a light to a different space and none of them are providing enough visibility to tell the whole story about existing vulnerabilities and threats, especially in the cloud. An overabundance of cybersecurity tools can lead to alert fatigue in IT teams. A “red alert” may not have any substantial impact potential. It just adds to the noise. It’s difficult to distinguish what matters from that which does not.
What’s more, attackers are only getting smarter about what they need to look at first. It’s obvious to them as to where the most appealing targets/vulnerabilities are — the low-hanging fruit that they can get to easily and that offers lucrative payoff. This is where the need for an attacker’s perspective enters the equation — a perspective that can extend visibility to everything falling through the fish net of patched-together tools.
Security teams must see their cyber ecosystem as their adversaries do. They have to take a holistic view of what the attackers are looking at when they’re about to strike at a targeted exposure and fix the issue as soon as possible.
Here are three best practices to get to develop a cyberattacker’s perspective:
Conduct continuous discovery to build the most complete internet and cloud exposure inventory.
Business never slows down. There’s only one mode — scale. Transformation never stops and cloud platforms must support these constant shifts, with security risk management staying in lockstep to protect it all.
Establish actionable context to proactively defend against the most critical exposures.
Alert fatigue is real, and it negatively impacts incident response time. Security teams must see their entire ecosystem as their adversaries do. But to get a real read, they need information aggregation parameters that prioritize the data points, metrics and other pieces of information that can paint the most complete picture for teams to take necessary, quicker actions.
Consolidate meaningful insights into one source to simplify communications.
To work efficiently and enable more effective collaboration, teams need to consolidate their threat information. Since security programs differ in goals and communication styles, this process allows teams to make accurate decisions without using multiple data sources, ultimately saving time and resources to prioritize other business activities.
Organizations can no longer afford to ignore the fact that two increasingly onerous trends — the proliferation of disparate tools and alert overload — are taking a serious toll from a human and security perspective. So instead of continuing to sprint on this self-defeating treadmill, it’s time to take a step back and develop a more cohesive, comprehensive strategy.
In committing to continuous discovery, actionable context and one source activity tracking, teams will gain a greater awareness about which threats pose the most significant risks so they know which ones to respond to first. That’s when they will successfully acquire the attacker’s perspective — putting themselves in the very same rooms with these criminals, so they can remove them from their cyber ecosystem for good.