Will 50% False Positive Detection Rate Work for IoT Security?

Troubling statistics regarding the current vulnerability scanner landscape.

During a talk at the NullCon conference in Goa, India, a researcher from NCC Group shared troubling statistics regarding the current vulnerability scanner landscape.

Using an automated scanner, they targeted 100 of their customer’s assets, which turned up over 900,000 vulnerabilities with a false positive rate of 89% to 50% depending on the industry.

This means that at best 450,000 vulnerabilities had to be manually discarded by security experts, while they still had to take time to confirm the rest of them.

At an estimated average industry salary of US$75,000 for those security professionals, this represents up to US$16,000 (per company) in time spent filtering through the noise. This does not take into account how alienating this kind of task really is.

Following this study, researchers also (rightfully) mentioned that such automated scanners are still very useful: they provide security coverage of your systems between expensive penetration tests, giving you somewhat continuous visibility into the security issues of your infrastructure.

But the important unanswered question is: how long can a 50% false positive rate remain sustainable?

Two compounding factors must be kept in mind to see why this false positive ratio is certainly not viable in the long term:

First, there’s a constant lack of resources in the security industry. Recent studies promoted by ISACA show that by 2019, the industry will need 2M more security experts than will be available.

This shortage will certainly mean that the average wage, and therefore the cost of filtering false positives from automated scanners, can go in only one direction: upwards.


On top of that, we need to consider that the IT infrastructures and applications those scanners protect will most certainly explode in quantity with the advent of the Internet of Things (IoT).

It is estimated that by 2020, there will be more than 30 billion IoT devices on the planet, in addition to the growing number of assets companies already have to protect.

You can expect the enterprise networks of tomorrow to have light bulbs, switches, thermostats, appliances, desks, chairs, pens, clothes, and a plethora of other IoT devices connected to them and in dire need of IoT security. After all, if there are enough IPv6 addresses to assign one to every atom on the surface of the earth, we should expect IoT manufacturers to make the most of it…

This is also confirmed by recent Gartner reports citing IoT Security as the top subject for the years to come.

With these two aspects considered, it quickly becomes apparent that a 50% rate of false positives is not sustainable and that we need better solutions.

That’s why at Delve Labs we’re convinced that Artificial Intelligence, and especially Machine Learning at scale, has a great role to play in helping infosec experts secure the IoT infrastructure of tomorrow by leveraging the network effect and minimizing the time lost chasing false positives.

Though there can be many different approaches to address this issue, one thing’s certain: the industry cannot be satisfied with coin-flipping precision when finding vulnerabilities at IoT scale.