Will the Excessive False Positives Syndrome Paralyze Security?
November 24, 2014 |
1 minute read
As I meet with CISOs around the country, it is striking to find out what concerns them most. One would assume that CISOs are most worried about whether they have been breached or about budget issues. In reality, in all of my conversations with security leaders, the most common complaint is about the volume of alerts their teams handle on a daily basis. All security leaders feel that their teams are overworked and have to handle too many alerts, most of which are false positives. I call it EFP - Excessive False Positives Syndrome - and it is the malady of today's security.
Security talent is scarce: according to Cisco's 2014 Annual Security Report, more than one million security positions are unfilled globally in 2014. Too many alerts are a major time sink for security teams that are already overworked. According to the Ponemon Institute, incident response teams spend, on average, a month investigating a true incident. Any time spent investigating false positives clearly impairs security's efforts to shorten the response time for true incidents.
About the Author
Lior Div, CEO and co-founder of Cybereason, began his career in, and later served as a Commander in, the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.