"The first thing people ask is: 'What do I do to make this go away? Who do I write a check to?' You have to realize that doesn't work."
Joseph Loomis, founder and CEO of CyberSponse, agrees with Parrella that "denial" is a major reason for the failure to detect. And from that denial proceed problems like not being open to "new, cutting-edge technologies on the market," and a failure to admit that, "their current solutions are broken or ineffective."
Anton Chuvakin, research director, security and risk management at Gartner for Technical Professionals, echoes Bejtlich's view that there is still a perception that technology will make everything secure.
"The failures are not due to lack of buying, but a lack of doing," he said. "The tool may have produced an alert, but no skilled analyst was available to interpret it, which is a people breakdown. Or, the analyst was too busy with other things to care, which is a process breakdown."
Without the right security analysts and workflows, "the boxes won't do it," he said.
What will do it? Bejtlich quotes Bruce Schneier, security guru, author and CTO of Co3 Systems. "He (Schneier) said this about 10 years ago -- it's only two words, but it's still one of my favorite things he's ever said: 'Monitor first.' That summarizes the best advice you could get," Bejtlich said.
There is general agreement among experts about that, but also that effective monitoring requires good tools and good people. Chuvakin noted that the attacker is not a machine but a person. "In many cases, an expensive tool, such as SIEM, DLP or network forensics, has already been purchased and deployed, but no equally expensive, skilled, motivated and passionate security analyst was put in front of the console," he said. "In security, we're not fighting the tools, we are fighting the people on the other end."
Koller agrees that the solution is not simply to, "buy the latest software or technical gadget. Instead, enterprises need to dedicate staff and resources to staying up-to-date in the latest security developments and patching the numerous vulnerabilities as they are discovered," he said.
He recommends creating, "a baseline metric of your systems and normal network traffic patterns and then reviewing logs and event managers for signs of anomalies or unusual activity. Compare any irregularities against the baseline."
But people have limits, according to Loomis, who said it is not possible to monitor effectively without automation, because of the "sheer number of attacks. If you're not going to automate and accept that you're going to have some false positives in there which might inconvenience people, you will be on the top of the list for being compromised," he said.