I was working with one of our customers this past week on a new use case. He oversees Security Operations for a global bank (a very large financial institution). Given their size, budget and massive investment in security technologies, it would appear to an outsider that they have it all figured out. They have all the latest, cutting-edge, next-gen firewalls, endpoint protection, DLP, threat feeds, sandboxing, SIEM, etc. Their sec ops department should be running seamlessly, right?
He shared with me his main concern: the increasing volume of security events, which his team is unable to resolve efficiently, along with the growing worry about becoming the next big high-profile security breach. This scenario is all too common to me, and I chuckled out loud: “You’re caught in the riptide of alert fatigue!” It’s not a fun place to be, and once you are in, it’s hard to paddle out. Organizations, large and small, seem to have fallen into the common trap of heavily investing in security point products that focus on prevention and detection, and once they’ve done so, they assume that their security program is complete. Au contraire mon frère! When they have no security incident response processes or technology in place, alert fatigue is inevitable. Even the best preventative and detective security solutions fail. It’s not that they’re not good or that I don’t recommend using them (I do). It’s just the nature of the beast, hence the security principle of defense in depth. Regardless, without solid investments in security incident response process and technology, organizations are left with a huge gap in their incident response (IR) process, which results in a massive current of security events and “alert fatigue” in the SOC. Our customer didn’t find this as comical as I did. To me the solution is clear: they, and companies like them, need to shift the focus from threat detection towards improving incident response.
A Security Incident Response and Automation platform automates and guides the analyst through the steps required to properly manage a security incident end-to-end. In a white paper on Accelerating Security Incident Response, Resolve Systems highlights the three core capabilities you should look for when selecting an incident resolution platform.
To learn more about the challenges of scaling security incident response teams, and the critical role that a security incident response and automation platform plays in accomplishing this, read the complimentary white paper.