The Security Investment Paradox

Detection Tools vs. Response: 6 Tips to Maximize Your Security Investments

It is becoming increasingly apparent that many CISOs are frustrated with the value they are getting from the numerous investments they have made and continue to be requested for, to mitigate security risks. Often the SIEM platform and volume of alerts it raises is a cause of contention, but what it does highlight is the much needed improvements required to drive the efficiency of the incident response team.

Security organizations are presented with competing options for technology investments and focus. These security investments can be grouped into two categories, “detection” and “response” tools.

Source: Forrester Research Inc. 2014

What we’re observing is the realization by many organizations that it’s their capacity to be able to act or take actions on these alerts that determine the real value that is derived from their security investments. For example, adding User & Entity Behavioral Alerts (UEBA) capabilities to enhance existing SIEM investment would not provide value if the response team do not have any capacity to follow up on those alerts.

We have observed that many organizations have come to the realization that, even with the right security technology and investments in place, their ability to take action on these alerts is heavily dependent on their team’s capacity and ability to efficiently follow-up on those alerts. For example, your team has just added on UEBA capabilities to enhance their existing SIEM technology, however, the value of this technology cannot be realized if the response team doesn’t have the capacity to follow up on the alerts.

Unlike IT operations where it is feasible to prioritize critical alerts vs. low impact alerts, with security it is often the “quiet ones” that pose the most danger. Often bad actors may use strategies as Distributed Denial of Service (DDoS) to provide a distraction while they simultaneously make significant strides in their penetration. What this means is that CISO needs to actively extract every possible incident response process and automation opportunity to drive efficiency; especially in the face of limited skilled security analysts and resources. Here are a six things you can do to to maximize your Security investments leveraging human-guided automation:

1. Automate validation of incidents – separate false positives vs actionable alerts
2. Automate context gathering to provide necessary situational awareness
3. Clearly define incident response workflow with step-by-step instructions and process guidance to enable less experienced analysts to resolve the incident
4. Given analysts the power to automate by leveraging human-guided automation and allow complex processes to be automated incrementally vs risky big automation projects
5. Implement a tool that will allow for less experienced analysts to make the right decisions by leveraging machine-assisted decision support
6. Free up limited analyst resources by fully automating repetitive incident types such as malware and phishing

Learn more about how to maximize your security ROI by leveraging intelligent incident response and human-guided automation.

More Resources for Security Leaders:

• Accelerate Security Incident Response White Paper