It's a myth that consuming and processing alerts qualifies as security. Today's technology allows better detection and prevention, rather than accepting the low bar for protection set by ingrained incident response reactions.

Steve Ryan, Founder & CEO, Trinity Cyber

August 4, 2022

4 Min Read
Cybersecurity concept art
Source: ber1a via Alamy Stock Photo

You've probably seen ads for identity protection. They're everywhere, probably because almost half of all US citizens were victims of identity theft between 2020 and 2022. Although these ads claim to protect your identity, if you listen closely, what the service provides is an alert once your identity has been — or is in the process of being — stolen.

While these alerts can be immeasurably valuable, that's a very generous interpretation of "protection." If you entrusted me with protecting your valuables, and all I could do was let you know they had been stolen, you wouldn't be happy with my performance.

This same myth of protection has become accepted in the cybersecurity industry: the myth that an alert produced every time something is believed to be malicious or suspicious qualifies as security. This low bar for protection is what enterprises and consumers have been taught to accept. It's what security professionals have been taught to work with. The entire ecosystem is designed around the idea that consuming and responding to alerts is synonymous with protection.

Rather than protecting the enterprise, these voluminous alerts are putting enterprise security at risk. Security teams are drowning in alerts and saddled with excessive false positives. They are stretched beyond capacity due to working in a highly reactive, "always on" mode. According to Deep Instinct's Voice of SecOps survey, the industry is reaching a tipping point: Nearly 90% of cybersecurity professionals polled say they are stressed in their role, while 40% believe their existing security solution stack is inadequate and nearly half (46%) of the respondents have thought about quitting the industry.

Now more than ever, we must redefine protection and lean into prevention. However, before we look ahead to how, let's quickly look at how we got here: a two-prong issue stemming from both the mindset of early cybersecurity groups and the technology available at the time.

We Must Stop Living in the Past

The ILoveYou virus hit within my first week in the National Security Incident Response Center, causing billions of dollars in damage. Back in the early 2000s, we dealt with ILoveYou like we did with any disaster. We built a response team, gathered data, worked to stop the damage, and made recommendations for the next time. This mindset was built into every Computer Emergency (or Incident) Response Team that popped up in the 2000s, from inside the Pentagon to Carnegie Mellon. A respond-to-an-event ecosystem was created.

The technologies and intelligence available then lacked the context, precision, and speed needed to get in front of these threats. Practitioners focused on what they could do: process data after an event as quickly as possible. This is where new technologies can be impactful. There was a lot of excitement when endpoint detection and response (EDR) was able to respond within minutes of an intruder entering a network. While that's a commendable response time, you wouldn't want someone inside your house poking around for minutes before you responded. On top of that, the people responsible for responding are now being buried by an avalanche of false alarms.

Many accept that false-positive detection rates of 30% to 50% are inevitable, so we train artificial intelligence to consume and attempt to make sense of those alerts for us. Cybersecurity must evolve beyond making ineffective processes faster. It's time to redefine protection and lean from response toward prevention. What if detection were accurate and fast enough to make a difference before an alert was generated?

We can give defenders the ability to see deeply into network sessions to expose the techniques that hackers employ. We can expose those techniques quickly enough to make a difference so that entire categories of attacks are stopped before they begin, and minor evasions such as changing IP addresses are no longer effective. The detection accuracy is so good that false positives are a thing of the past. It's time to develop and introduce automated preventive controls into an industry that is overly optimized for response.

True protection is no longer a myth. The technology exists today to make this a reality. With ransomware on the rise, defenders are rightly being asked to focus on resilience and recovery. The reality is that defenders will add this focus on resilience and recovery as another task or project on top of their already overwhelming days spent chasing incidents and being buried in false alarms, all while considering quitting the business. We can retrain and reskill our cyber workforce to be stewards of true protection, giving them time and space to do their jobs and make a difference. This is the future of cybersecurity — and that future begins now.

About the Author(s)

Steve Ryan

Founder & CEO, Trinity Cyber

Steve Ryan is founder and CEO of Trinity Cyber, a company redefining network threat prevention. Steve left the National Security Agency in 2016 as the Deputy Director of its Threat Operations Center after a distinguished 32-year career as a custom chip designer and cybersecurity operator. Steve was a primary architect of the NSA's NTOC, bringing together intelligence and defensive missions to identify and stop cyber threats at very large scale. He is a recipient of the Presidential Rank Award, the Exceptional Civilian Service award, and a first-place winner of the Department of Defense CIO Award.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights