“The Boy Who Cried Wolf” is one of the most memorable stories from Aesop’s Fables and a useful way to show the risks of false alarms. If someone keeps warning about an imminent threat that never materializes, anyone who initially took the claim seriously will end up ignoring it. Once an actual problem arises, the people who were being warned will likely be unprepared: having lost the ability to distinguish credible warnings from flimsy ones, they let real danger make its way past their defenses.
Fast-forward more than two thousand years, and the principles of this fable still apply, even in fields such as cyber security. Like the many other apps that dot our PCs, phones and tablets, security tools raise notifications when certain conditions are met or when apparently relevant activity is observed. These messages may concern potential malware infections or the connection of unfamiliar devices to the network, and they often arrive in volumes large enough to be hard to sort through.
Moreover, cyber security alerts are just part of a larger stream of notifications. A 2014 study by Telefonica Research observed that its 15 English-speaking test subjects received a mean of more than 65 notifications per day, mostly from SMS and messaging apps like WhatsApp. Even in one-on-one chats, recipients did not always respond to a message right away, and emails and social media interactions drew even fewer immediate responses. What does such behavior say about the future of notification-heavy cyber security?
Standalone antivirus and other traditional security tools struggle to keep up as threats and notifications multiply
Back in 2008, Raimund Genes of Trend Micro predicted that antivirus software was on the verge of a major shift. The sheer number of malware samples in the wild was making it impractical to store a comprehensive signature blacklist on every PC: the memory available on an endpoint could not accommodate a database with tens of millions of entries. Tools would have to evolve toward a combination of protection layers that could find and eradicate the most relevant threats, rather than relying on a single local signature file.
Genes’ prediction was prescient, not just because standalone antivirus has ceased to be a viable defense on its own, but also because so many cyber security solutions have been overwhelmed by the number of potential threats out there. The result has been an uptick in false positives and low-value alerts akin to the boy’s protestations in “The Boy Who Cried Wolf,” with a negative impact on the budgets and attention spans of enterprise security teams:
- A recent study by the Ponemon Institute found that organizations receive an average of 17,000 malware alerts per week, far beyond what teams can deal with given their often limited resources.
- While the overall volume is substantial, less than 20 percent of those alerts were considered credible. In the end, only 4 percent were investigated.
- With so many inconsequential notifications to sort through while trying to find real threats, security teams waste time and money. About 21,000 hours per year are lost chasing alerts that turn out to be nothing, amounting to around $1.3 million in needless expenditure.
Although the scale of the overall issue – far too many alerts – is perhaps surprising, the problem itself squares with the growing presence of notifications – from email to messaging apps – in everyday life. Combing through so many cyber security alerts to find the ones that merit a response is time-consuming and an enormous drag on productivity.
Neuroscientists at institutions like Stanford University have found that constant concern about email and other notifications drains people of energy and focus. With 17,000 alerts coming in each week, teams have an obvious problem on their hands. How can they weed out irrelevant information and streamline their network security processes?
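The usual first answer is triage before a human ever sees the queue: collapse repeats of the same event, tolerate a small number of firings from rules known to be noisy, and rank what remains so that several different signals on one host outrank one signature repeated many times. The script below is an added illustration of that approach and is not code from the article or from Trend Micro; the alert format, rule names, severity weights and suppression thresholds are all constructed for the example.

```python
"""Alert triage: collapse a noisy alert stream into a short, ranked queue.

Added example for this article, not vendor code. Alert format, rule names,
severity weights and the KNOWN_NOISY thresholds are constructed assumptions.
"""
import json
from collections import defaultdict

# Constructed sample: one JSON alert per line, as a SIEM export might look.
# Three identical AV hits on ws-017, two identical scans on srv-db1, and a
# chain of three different alerts on ws-042 are the interesting shapes here.
SAMPLE_ALERTS = """\
{"ts":"2015-01-05T09:01:02Z","host":"ws-017","rule":"AV.Signature.Match","severity":"high","sha256":"ab12"}
{"ts":"2015-01-05T09:01:40Z","host":"ws-017","rule":"AV.Signature.Match","severity":"high","sha256":"ab12"}
{"ts":"2015-01-05T09:02:11Z","host":"ws-017","rule":"AV.Signature.Match","severity":"high","sha256":"ab12"}
{"ts":"2015-01-05T09:03:00Z","host":"srv-db1","rule":"Net.PortScan.Internal","severity":"low","src":"10.0.5.9"}
{"ts":"2015-01-05T09:03:05Z","host":"srv-db1","rule":"Net.PortScan.Internal","severity":"low","src":"10.0.5.9"}
{"ts":"2015-01-05T09:04:30Z","host":"ws-042","rule":"Net.NewDevice","severity":"info","mac":"00:11:22:33:44:55"}
{"ts":"2015-01-05T09:05:00Z","host":"ws-042","rule":"Proc.SuspiciousChild","severity":"medium","parent":"winword.exe","child":"powershell.exe"}
{"ts":"2015-01-05T09:05:02Z","host":"ws-042","rule":"Net.Beacon.Periodic","severity":"medium","dst":"203.0.113.7"}
{"ts":"2015-01-05T09:06:00Z","host":"ws-099","rule":"Net.NewDevice","severity":"info","mac":"66:77:88:99:aa:bb"}
"""

SEVERITY_WEIGHT = {"info": 1, "low": 2, "medium": 5, "high": 10}  # assumed scale
REQUIRED = ("ts", "host", "rule", "severity")

# Constructed suppression list: rule -> number of distinct firings per host
# tolerated before the rule is worth a look. A burst above the threshold
# still surfaces, so the suppression cannot hide a real spike.
KNOWN_NOISY = {"Net.NewDevice": 3, "Net.PortScan.Internal": 5}


def parse_alerts(text):
    """Parse one JSON alert per line. Malformed or incomplete lines are counted, not fatal."""
    alerts, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if not all(k in alert for k in REQUIRED) or alert["severity"] not in SEVERITY_WEIGHT:
            bad += 1
            continue
        alerts.append(alert)
    return alerts, bad


def dedup_key(alert):
    """Identity of an alert with its timestamp removed: same host, rule and indicators."""
    return tuple(sorted((k, str(v)) for k, v in alert.items() if k != "ts"))


def triage(alerts):
    """Collapse repeats, drop tolerated noise, and rank the remaining per-host cases."""
    unique = {}
    for alert in alerts:
        unique.setdefault(dedup_key(alert), alert)  # keep the first firing of each repeat

    by_host = defaultdict(list)
    for alert in unique.values():
        by_host[alert["host"]].append(alert)

    cases, suppressed = [], 0
    for host, host_alerts in by_host.items():
        per_rule = defaultdict(list)
        for alert in host_alerts:
            per_rule[alert["rule"]].append(alert)
        counted = []
        for rule, firings in per_rule.items():
            if len(firings) < KNOWN_NOISY.get(rule, 1):   # non-noisy rules always count
                suppressed += len(firings)
            else:
                counted.extend(firings)
        if not counted:
            continue  # nothing on this host survived suppression
        # Score: summed severity, multiplied by how many distinct rules fired,
        # so correlated but individually medium signals outrank one repeated hit.
        base = sum(SEVERITY_WEIGHT[a["severity"]] for a in counted)
        rules = sorted({a["rule"] for a in counted})
        cases.append({"host": host, "score": base * len(rules),
                      "rules": rules, "alerts": len(counted)})
    cases.sort(key=lambda c: c["score"], reverse=True)
    return {"raw": len(alerts), "unique": len(unique), "suppressed": suppressed, "cases": cases}


if __name__ == "__main__":
    parsed, dropped = parse_alerts(SAMPLE_ALERTS)
    result = triage(parsed)
    print(f"{result['raw']} raw -> {result['unique']} unique, {result['suppressed']} suppressed, "
          f"{dropped} unparseable")
    for case in result["cases"]:
        print(f"{case['score']:>4}  {case['host']}  {', '.join(case['rules'])}")
```

On the constructed sample, nine raw alerts collapse to six unique ones, three of those are tolerated noise, and the analyst is left with two cases: ws-042 (Word spawning PowerShell plus periodic beaconing) ranks above ws-017, whose three alerts were one signature match repeated. The thresholds in KNOWN_NOISY are the part that needs tuning per environment, and they should be reviewed whenever a rule is suppressed more often than it is counted.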
With malware infections also increasing, better security software is needed
“The Boy Who Cried Wolf” isn’t a perfect model for what has been going on with cyber security alerts in the last few years. In tandem with the deluge of notifications, there has also been a perceptible rise in the severity and difficulty of dealing with actual malware infections.
Sixty percent of respondents to the Ponemon study felt that malware issues had become more severe over the last year. A substantial amount of their organizations’ time is spent repairing the damage done by attacks and infections. Subjects reported that they sank approximately 230 hours each week into fixing applications, networks and endpoints affected by malware. Overall, malware containment consumed 600 hours of IT time per week.
CIOs and their teams are at an important juncture, one at which the scope of cyber security issues is widening while legacy tools and personnel processes are still in place. In addition to the type of antivirus tools that were already becoming outdated in 2008, many enterprises still rely on ad hoc procedures and basic vulnerability scanning tools that are unsuited for containing sophisticated threats.
“Traditional approaches to vulnerability scanning are based on detecting basic low-level network attacks whereas today’s threats are sophisticated and varied. And testing at the application level, if it is done, is performed infrequently, allowing vulnerabilities to accumulate and risk to increase,” stated a recent Trend Micro data sheet. “The reality is that most organizations face threats that are difficult to detect and protect against, and it becomes costly and time-consuming to deal with false positives and to continuously guard against security threats.”
Dealing with notifications one by one simply doesn’t scale, and malware doesn’t take nights or weekends off. Rather than the ad hoc approaches to defense that one-third of the Ponemon respondents admitted to, organizations would be better served by deep discovery solutions that continuously monitor the network and automatically scan for and remove threats.
Such tools make a huge difference when dealing with problems such as new cyber attacks. Instead of scrambling to patch infrastructure or update an application under pressure – the tasks that took up so much time for the subjects of the Ponemon study – attacks can be blocked quickly to head off damage, which buys the time to patch and update on a planned schedule rather than in the middle of an incident. In this way, teams can get on the path toward a more sustainable cyber security strategy.