Responding to security threats requires time, talent and money, resources that most security professionals would agree are in short supply. As discussed in the Cisco 2017 Annual Cybersecurity Report (ACR), security teams turn to strategies such as automated security solutions and cloud-based tools to work around these resource constraints.

Effective security requires automation, and the need is urgent. As the 2017 Security Capabilities Benchmark Study (explored in depth in the ACR) found, resource challenges can significantly impair an organization's ability to investigate and remediate threats. Benchmark study respondents reported that their security teams can investigate only 56 percent of the security alerts they receive each day, leaving 44 percent of alerts, nearly half, unexplored.

What's worrisome is what's hiding in the unchecked alerts. Do they point to low-severity threats? Or do they indicate more dangerous activity that could result in a network outage or a ransomware incident? It takes only one such incident to realize that investigating 56 percent of alerts is not acceptable when your business is on the line.

As explained in the ACR, the picture gets more sobering when survey respondents describe how they handle the alerts that are investigated. Of the 56 percent of alerts that are evaluated, 28 percent are deemed legitimate threats, and of those only 46 percent are remediated, leaving 54 percent of legitimate alerts unresolved.

To illustrate how many threats this represents, consider an organization that receives 5,000 alerts per day:

  • 2,800 alerts are investigated, while 2,200 are not
  • Of those investigated, 784 alerts are legitimate
  • Of the legitimate alerts, only 360 are remediated, while 424 are not

When organizations leave so many alerts uninvestigated, the unexamined threats can undermine both productivity and customer trust. As the benchmark study shows, organizations that suffer even minor network outages caused by threats (let alone broader security breaches) must wrestle with long-term consequences for the bottom line. For example, 22 percent of benchmark survey respondents said they had lost customers because of attacks, and 29 percent had lost revenue.

Automation can help organizations examine the alerts they do not have time to study by hand. It lets security teams make the most of scarce resources and reduces the time spent on detection, investigation and remediation, so they have capacity left over for the alerts that previously went uninvestigated.

Helping teams through these challenges is something we think a lot about. We build our security solutions to be open, so that products integrate into a coherent architecture, and we embed automated services so that customers do not have to handle every alert or incident individually. This creates a force-multiplier effect, relieving teams drowning in alerts while also speeding up detection and response. For example, Rapid Threat Containment can automate security responses and quickly contain infected endpoints, and Cisco Advanced Malware Protection (AMP) sees a threat once and then blocks it everywhere it is deployed.

This isn't the last you'll hear from us on this topic; it keeps us awake at night, too.

Download the Cisco 2017 Annual Cybersecurity Report to learn about other findings from our study and how to close the windows adversaries seek to exploit.

David Ulevitch