Cybereason Blog | Cybersecurity News and Analysis

Security's dual hiring challenges impede companies in the fight against APTs

Written by Lital Asher-Dotan | Jan 28, 2016 10:14:00 PM

The security industry faces two staffing shortages that hinder an organization’s ability to combat advanced persistent threats (APTs).

To start, there’s a lack of skilled security professionals, a well-known issue and that has been documented by various industry groups, including ISACA, which found that 86% of companies can’t find the right talent.

Making the hiring situation even more dire, security workers are coveted by every business. If these employees aren’t getting hired by hot technology companies like Facebook, Apple and Tesla, they’re being recruited by security vendors. There aren’t enough people to meet the demand.

Companies with adequate security personnel levels aren’t immune to these hiring challenges. The average security worker stays with an organization for approximately four years while the length of employment for those in more senior positions is even shorter.

And, of course, when employees leave they take a slew of institutional knowledge with them, forcing companies to essentially rebuild their security programs and leaving them vulnerable to attacks.

Analysts outflanked by well-funded, sophisticated attackers

And those attacks are growing increasingly sophisticated. To evade detection, adversaries are forgoing traditional vectors like malware and RATs and turning to more sophisticated methods like fileless malware and using a company's administrative tools and infrastructure against the organization.

In other cases, deep-pocketed nation-states and organized crime groups are providing substantial funding to hackers for hire, giving them the capital they need to hone their techniques. We saw this first hand after analyzing the Hacking Team data dump and reverse engineering the RCS (Remote Control System) platform where persistence and data gathering capabilities were released as customer facing services with 24/7 customer support.

Meanwhile, most companies lack the budgets to employ a squad of security analysts. With the odds stacked in favor of those conducting the offensive operation, the defenders are almost certain to lose.

In other words, security professionals are being overpowered and outmaneuvered by adversaries. Simply put, there are too many well-funded hackers who have a variety of sophisticated attack methods at their disposal.

Won’t big data and data science level the playing field?

The security industry also struggles with finding big-data talent and data scientists with relevant cyber-defense experience. To fight advanced threats, organizations must assume their network has already been infiltrated and proactively hunt the attackers. This method requires collecting massive amounts of data and analyzing it, hoping to discover abnormal behaviors that indicate a cyber attack. To carry out this approach, businesses are seeking security analysts with some type of data science background - a very rare combination of skills, producing negligible hiring results at best.

And nearly every business is hoping to profit from big data, creating a nearly insatiable need for people who can glean insights from the reams of data businesses have amassed.

Even if companies could assemble a team of talented security experts with data analysis skills, they would be overwhelmed by the task ahead of them. To discover APTs, analysts have to ask millions of questions about suspect activity, like is an IP address malicious or has a domain administrator’s credentials been reused to gain access to a high-value asset, in a matter of seconds. And they would have to run these queries not just on one computer but all the machines at a company. Finally, they would need collect the answers, analyze this data, apply threat intel, apply context and assemble these details into a full attack picture.

In reality, security analysts already have a daunting job. They receive hundreds or thousands of alerts every day and don’t have the time to investigate each one. An analyst spends an average of one hour investigating a threat, meaning they don’t look into a majority of the alerts. Analysts are inundated with information and face a huge workload, perhaps partially explaining why the average breach takes 220 days to detect, according to the 2015 Verizon Data Breach Investigations Report.

Companies are left struggling to find security analysts with data science knowledge while those organizations that manage to hire someone with this background are subjecting them to a task that’s overwhelmingly complex.

Companies can overcome security’s hiring challenges with automated hunting.

Advancements in technology can help solve these hiring challenge. Automated hunting, for example, supplements a company’s existing security team, sparing an enterprise from engaging in the war for security talent. This technology essentially supercharges analysts, providing less experienced employees with the information they need to understand the multiple steps taken by a threat and deter impact.

Automated hunting works by collecting large volumes of data from an enterprise’s complete IT environment and applying data science techniques, like machine learning, to detect malicious activity in the form of detection modules. These methods work best when data is collected in real time, giving companies an accurate and timely representation of their IT environment while providing analysts with a complete attack picture and advice on how to shut down the threat.