January 15, 2018 • Resolve Staffer

I was working with one of our customers this past week on a new use case. He oversees Security Operations for a global bank (a very large financial institution). Given their size, budget and massive investment in security technologies, it would appear to an outsider that they have it all figured out. They have all the latest, cutting edge, next gen firewalls, endpoint protection, DLP, threat feeds, sandboxing, SIEM, etc… Their sec ops department should be running seamlessly, right?

Shifting Focus from Threat Detection to Incident Response

He shared with me his main concern: the increasing volume of security events, which his team is unable to resolve efficiently, along with the growing worry about becoming the next big, high-profile security breach. This scenario is all too common to me, and I chuckled out loud: “You’re caught in the riptide of alert fatigue!” It’s not a fun place to be, and once you are in, it’s hard to paddle out. Organizations, large and small, seem to have fallen into the common trap of heavily investing in security point products that focus on prevention and detection, and once they’ve done so, they assume that their security program is complete. Au contraire mon frère! When they have no security incident response processes or technology in place, alert fatigue is inevitable. Even the best preventative and detective security solutions fail. It’s not that they’re not good or that I don’t recommend using them (I do). It’s just the nature of the beast, hence the security principle of defense in depth. Regardless, without solid investments in security incident response process and technology, organizations are left with a huge gap in their incident response (IR) process, which results in a massive current of security events and “alert fatigue” in the SOC. Our customer didn’t find this as comical as I did. To me the solution is clear: they, and companies like them, need to shift the focus from threat detection towards improving incident response.

The Critical Role of a Security Incident Response and Automation Platform

A Security Incident Response and Automation platform will automate and guide the user through the steps required to properly manage a security incident end-to-end. In its white paper on Accelerating Security Incident Response, Resolve Systems highlights the three core capabilities you should look for when selecting an incident resolution platform.

  1. Guide and orchestrate the incident response: The ability to ensure security incidents are quickly investigated, tracked and acted upon. Take protective measures and capture a timeline of events, along with identifying and preserving evidence and artifacts in a secure and reliable manner.
  2. Automate as a part of the process whenever feasible: Response to security incidents follows a consistent, repeatable process that can be executed quickly through a combination of automation, guided procedures and knowledge by more readily available, lower-cost resources, while increasing the productivity of more expensive and scarce expert resources.
  3. Leverage best-practice playbooks to get started: Orchestrate and execute the cross-functional activities required to manage security incidents at the enterprise level using rule-based procedures.
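As an added illustration of what those three capabilities look like in practice (this is not Resolve's code or product, and not taken from the white paper), here is a toy playbook runner in Python. It folds repeated alerts into incidents to cut down the noise behind alert fatigue, runs the steps that are safe to automate, queues the ones that need an analyst decision, and keeps a timestamped timeline with hashed evidence for every incident. All function names, the sample alerts and the sample artifact are constructed for the example.

```python
"""Toy incident-response playbook runner (added example, not a product's code)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

# Constructed sample input: four SIEM-style alerts, three of which repeat the same finding.
SAMPLE_ALERTS = [
    {"rule": "suspicious_powershell", "host": "ws-042", "ts": "2018-01-15T09:01:00Z"},
    {"rule": "suspicious_powershell", "host": "ws-042", "ts": "2018-01-15T09:01:30Z"},
    {"rule": "suspicious_powershell", "host": "ws-042", "ts": "2018-01-15T09:02:10Z"},
    {"rule": "dlp_exfil_attempt", "host": "srv-db-7", "ts": "2018-01-15T09:05:00Z"},
]
# Constructed stand-in for an artifact an automated step would collect from an endpoint.
SAMPLE_PROCESS_LIST = b"pid=4212 powershell.exe -enc ...\npid=880 explorer.exe\n"


@dataclass
class Incident:
    incident_id: str
    alerts: list                                   # raw alerts folded into this incident
    timeline: list = field(default_factory=list)   # ordered, timestamped record of actions
    evidence: dict = field(default_factory=dict)   # artifact name -> sha256 hex digest
    pending_manual: list = field(default_factory=list)  # steps waiting on an analyst

    def record(self, step: str, detail: str) -> None:
        ts = datetime.now(timezone.utc).isoformat()
        self.timeline.append({"ts": ts, "step": step, "detail": detail})

    def preserve(self, name: str, data: bytes) -> str:
        # Hash the artifact at collection time so later tampering is detectable.
        digest = hashlib.sha256(data).hexdigest()
        self.evidence[name] = digest
        self.record("preserve_evidence", f"{name} sha256={digest}")
        return digest


@dataclass
class Step:
    name: str
    automated: bool
    action: Optional[Callable[[Incident], str]] = None  # None for manual steps


def dedupe_alerts(alerts: list) -> dict:
    """Fold alerts that share (rule, host) into a single incident each."""
    incidents: dict = {}
    for a in alerts:
        key = f"{a['rule']}@{a['host']}"
        incidents.setdefault(key, Incident(incident_id=key, alerts=[])).alerts.append(a)
    return incidents


def run_playbook(incident: Incident, playbook: list) -> Incident:
    """Execute automated steps, queue manual ones, and log everything to the timeline."""
    for step in playbook:
        if step.automated and step.action is not None:
            incident.record(step.name, step.action(incident))
        else:
            incident.pending_manual.append(step.name)
            incident.record(step.name, "queued for analyst")
    return incident


def triage_summary(inc: Incident) -> str:
    first = min(a["ts"] for a in inc.alerts)
    last = max(a["ts"] for a in inc.alerts)
    return f"{len(inc.alerts)} alert(s) between {first} and {last}"


def collect_process_list(inc: Incident) -> str:
    # A real platform would query the endpoint agent here; this uses the constructed constant.
    digest = inc.preserve("process_list", SAMPLE_PROCESS_LIST)
    return f"collected process list ({len(SAMPLE_PROCESS_LIST)} bytes, sha256={digest[:12]}...)"


# Hypothetical playbook: two automated steps, then containment left to a human decision.
PLAYBOOK = [
    Step("triage_summary", automated=True, action=triage_summary),
    Step("collect_process_list", automated=True, action=collect_process_list),
    Step("isolate_host", automated=False),
]


def respond(alerts: list) -> dict:
    """Dedupe alerts into incidents and run the playbook over each one."""
    incidents = dedupe_alerts(alerts)
    for inc in incidents.values():
        run_playbook(inc, PLAYBOOK)
    return incidents


if __name__ == "__main__":
    for key, inc in respond(SAMPLE_ALERTS).items():
        print(key)
        for entry in inc.timeline:
            print("  ", entry["ts"], entry["step"], "-", entry["detail"])
        print("   pending manual:", inc.pending_manual)
```

The deduplication step is deliberately crude (rule plus host); the point is that three alerts become one incident with one timeline, and that the containment step is recorded as pending rather than silently skipped, so the analyst sees both what was done automatically and what still needs their decision.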

To learn more about the challenges of scaling security incident response teams and the critical role that a security incident response and automation platform plays in accomplishing this, read the complimentary white paper.


About the Author, Resolve Staffer:

This post was written by one of the awesome contributors on the Resolve team.