Cybereason Blog | Cybersecurity News and Analysis

Will the Excessive False Positives Syndrome Paralyze Security?

Written by Lior Div | Nov 24, 2014 8:30:23 AM

As I meet with CISOs around the country, it is striking to find out what concerns them most. While one would assume that CISOs are most worried about whether they're breached or about budget issues, in reality, in all of my conversations with security leaders, the most common complaint is about the number of alerts their teams handle on a daily basis. All security leaders feel that their teams are overworked and have to handle too many alerts, most of which are false positives. I call it EFP - Excessive False Positives Syndrome, and it is the malady of today's security.

Security talent is scarce: according to Cisco's 2014 Annual Security Report, in 2014 more than one million security positions are unfilled globally. Too many alerts are a major time soak for security teams that are already overworked. According to the Ponemon Institute, incident response teams spend, on average, a month investigating true incidents. Any time spent investigating false positives clearly impairs security's efforts to shorten the response time for true incidents.