Security vulnerabilities continue to reach new highs every year. Against this background of rapid and incessant vulnerability discovery, many DevSec teams are experiencing alert overload. Too many organizations rely on a one-dimensional vulnerability alert system, in which every potential exploit is funneled onto the DevSec to-do dashboard. While mature organizations rely on sprawling tech stacks, the weight of these alerts is placed upon security analysts. Those analysts are fighting a losing battle, as vulnerabilities stack up faster than they can be fixed. Contributing to this issue is the stubborn recurrence of false positives. Thanks to cutting-edge solution providers, however, it is now possible to reduce false positives with a Web Application Firewall.
The Breakneck Pace of Alerts
Vulnerability alerts are an ever-present part of cybersecurity. Their scope, however, has ballooned out of control. A recent survey paints a dire picture: the average number of threat intel feeds that each analyst needs to keep an eye on is 6.8. At the same time, the average team receives more than 11,000 alerts in any given day. This is reflected in the analysts’ own workday, as 70% of their time is filled with investigating and responding to these alerts. Fundamentally, this data supports the claim made by many security teams: there are simply too many alerts to process. Patch demands stack up faster than any team can hope to manage, and alert burnout is a real – and terrible – problem. It risks a serious threat being overlooked, as SOC teams suffer under constant, unrelenting threat alerts.
The danger of unrelenting vulnerability alerts goes beyond the workplace. The sad reality is that many cybersec analysts and decision-makers feel like they are fighting a losing battle. A recent survey of over 2,300 decision makers found that 70% of them are seeing this alert overload negatively impact their home lives. Across all sizes and verticals, almost three quarters are struggling with the emotional impact of overwhelming alerts. The majority also feel that their team is overwhelmed, and only 55% felt confident in their team’s ability to even respond to those threats. A sizable contributor to these concerns was the fact that teams spend as much as 27% of their time working on false positives.
False Positives Waste Resources
Amongst the noise, there is no vulnerability issue quite as bad as the false positive. It still demands a manual review, but yields no return on that workload: the organization’s security posture remains exactly as it was before those hours were invested. Time and energy are two of the worst wastes presented by false positives. They further erode the dedication and morale of human employees, which already rest on unstable foundations. The cybersecurity industry has a bad habit of viewing its colleagues as merely more processes. People are often portrayed as vulnerabilities rather than assets, and technical defenses are regularly prioritized outright over human capability. In order to plug the gap left by high turnover rates, and better retain cybersecurity professionals, it is time for organizations to recognize the strength of their teams and ensure they have the tools required.
Time is the other huge waste presented by false positives. This is particularly destructive within cloud environments, where third-party code is rampant: each manual alert investigation takes roughly 10 minutes. The first 5 minutes of this is spent manually finding the vulnerability’s context, often assembling a picture from multiple data sources. This also includes asset prioritization and cross analysis: a big ask for 5 minutes of work. Given the sheer quantity of alerts, even the smallest time wastage rapidly spirals.
And that is just the vulnerability fix itself: before analysts can start work on it, the thousands of tasks need to be prioritized. The majority of teams spend 20% of their time purely prioritizing alerts, and undiscovered false positives create sinkholes in a team’s productivity. The ineffective prioritization process that results from false positives means that over half of respondents recently missed critical alerts, often on a weekly or even daily basis.
Facing an insurmountable tide of vulnerability alerts, often with understaffed teams, many organizations choose to simply turn off critical alerts. Almost 40% of companies take this option.
Combating Alert Overload Via Next-Gen WAF
It is clear that false positives need to be weeded out of the vulnerability list before it reaches the manual alert queue. This is where security automation can truly shine and help security analysts start making a dent in the backlog. A next-gen Web Application Firewall (WAF) tool can greatly cut down the number of false positives. Put simply, a WAF is a tool that filters potentially malicious traffic out of your network. However, the concern facing many WAF customers is that the tool’s policies need to be finely tuned in order to offer the best security possible. Loosening WAF policies far enough to quiet the alerts can directly compromise the security of the servers behind them; leaving the policies tight means the security alerts stemming from the WAF begin flooding the DevSec teams.
These WAF alerts – the type crushing your DevSec teams – are often single, one-dimensional messages. A single HTTP request, alongside its target URL, is an alert that requires the analyst to go off and find its context. A future-proof WAF solution, however, packages related alerts into clusters via a powerful analytics-driven approach. Looking at and addressing potential attacks from the point of view of complete security incidents allows for automatic removal of false positives that may only pop up in an isolated user session.
With an analytics-driven security solution, the WAF becomes part of a broader false positive reduction system. By feeding analyst-flagged false positives into a machine learning algorithm, it becomes possible to estimate the statistical likelihood of any new alert being false.
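As an added illustration of the clustering and feedback loop described above (example code written for this article, not any vendor's product): constructed single-request WAF alerts are grouped into per-client incidents, and a smoothed frequency estimate built from constructed analyst feedback stands in for a trained model, so that an isolated single-session hit from a rule with a high historical false-positive rate is suppressed while a multi-request cluster is escalated. All alert fields, rule names, client addresses and feedback counts are made up.

```python
from collections import defaultdict

# Constructed sample WAF alerts (not real traffic): one alert per HTTP request.
ALERTS = [
    {"session": "s1", "client": "203.0.113.5", "rule": "SQLI-942100", "uri": "/login"},
    {"session": "s1", "client": "203.0.113.5", "rule": "SQLI-942100", "uri": "/search"},
    {"session": "s1", "client": "203.0.113.5", "rule": "XSS-941100", "uri": "/search"},
    {"session": "s2", "client": "198.51.100.7", "rule": "PROTO-920350", "uri": "/api/v1/items"},
    {"session": "s3", "client": "198.51.100.9", "rule": "PROTO-920350", "uri": "/api/v1/items"},
]

# Constructed analyst feedback: rule -> (alerts confirmed false, alerts reviewed).
FEEDBACK = {"SQLI-942100": (2, 40), "XSS-941100": (5, 30), "PROTO-920350": (18, 20)}


def false_positive_rate(rule, feedback):
    """Laplace-smoothed share of reviewed alerts for this rule that were false.
    A simple frequency estimate standing in for the ML model the text mentions;
    an unseen rule gets 0.5, i.e. no evidence either way."""
    false, total = feedback.get(rule, (0, 0))
    return (false + 1) / (total + 2)


def cluster_incidents(alerts):
    """Fold single-request alerts into one incident per client address."""
    incidents = defaultdict(lambda: {"requests": 0, "rules": set(), "sessions": set()})
    for alert in alerts:
        incident = incidents[alert["client"]]
        incident["requests"] += 1
        incident["rules"].add(alert["rule"])
        incident["sessions"].add(alert["session"])
    return dict(incidents)


def triage(alerts, feedback, fp_threshold=0.5):
    """Return {client: (fp_likelihood, decision)}. Only an isolated hit (one
    session, one request) whose rules have a high historical FP rate is
    suppressed; anything with more evidence behind it is escalated."""
    result = {}
    for client, incident in cluster_incidents(alerts).items():
        # Likelihood that every rule in the cluster misfired, treating rules
        # as independent; more distinct rules firing lowers it.
        likelihood = 1.0
        for rule in incident["rules"]:
            likelihood *= false_positive_rate(rule, feedback)
        isolated = len(incident["sessions"]) == 1 and incident["requests"] == 1
        decision = "suppress" if isolated and likelihood >= fp_threshold else "escalate"
        result[client] = (round(likelihood, 3), decision)
    return result
```

Suppressed clusters should still be logged and periodically sampled for review, since the feedback counts only improve if analysts keep confirming or refuting the model's decisions.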
Cybersecurity’s next great evolution is the complete removal of false positives, and a forward-thinking cybersecurity strategy will reap the benefits of false alert reduction. This way, an organization can protect its customers and end-users from the threats of ever-evolving cyberattacks, while defending its hard-working staff from the constant threat of alert burnout.