Faster Detection and Response Is a Priority
In security, there is an emphasis on getting it right, but less so on the importance of speed. Similar to an aeroplane cockpit, where there are simulations from multiple screens, flashing lights and beeping noises, Security Operations Centres (SOC) often force analysts into a mindset of alert-driven security – but how do security professionals know that they are looking at the right thing?
Enterprise Firms Suffered in 2017
Security professionals are suffering from too many data breaches. According to a Forrester survey (1), 51% of the firms surveyed had been breached in the past 12 months, with 48% admitting to being breached more than once via external and internal factors. The types of data being breached included personally identifiable information, personal credentials and intellectual property (IP). Since this data is critical to businesses, it’s important that they care about it – after all, it’s what attackers are after.
The survey also found that the biggest concern for businesses was the complexity of their security operations, from running a data centre, using a third-party cloud, keeping up with privacy laws (like GDPR in Europe) and the overall impact on the business. Dealing with these concerns on a day-to-day basis takes up too much time, so staff can only think of what is immediately in-front of them, rather than what’s on the horizon.
Security Analysis is a Manual Activity
An immediate response is for organisations to throw more people at the problem in terms of adding more analysts to handle a manual investigation process. Yet, even the most experienced analyst wouldn’t be able to get through all the alerts. Organisations are drowning in alerts and data that they don’t have the opportunity to threat hunt pro-actively – they are simply being reactive all the time.
The problem is that businesses are not using their tools in the most optimal way – and they have a lot of tools available, whether its network, endpoint, cloud or monitoring. When a security professional has a new problem, they often think that they need more tools to become more secure. However, this creates more things to manage, including alerts, and less control. Building automation into the tools will help solve the investigation problem on the back end and automate some of the decision-making process.
The lack of speed and agility when responding to a suspected data breach is the most significant issue facing security teams today. The reason that speed matters is that the dwell time still averages at 99 days, down from 146 in 2016, according to Forrester (2). Security teams need to be able to detect and respond to security breaches – shortening the breach mitigation timeline should be a business requirement.
Security Analytics Enables Better Detection
So, how can businesses automate some of those processes so that security teams can analyse a true positive when they see it? The answer – they need a new set of tools. By applying threat intelligence to what they see and know about the industry, environment and peers, security teams can proactively hunt for threats in the IT environment and know if someone is trying to exfiltrate data.
As part of the tool set, security teams must also have better context into alerts so that they can make sense of what they see. Using security analytics to collect and analyse disparate data, enables the analyst to make good and quick decisions through increased visibility, deeper security context, improved workflows and automation.
Security analytics tools enable analysts to analyse all incoming IT data and then assign an ‘attack confidence score’ based on whether it is a real threat. The question is, do they then have a policy in place for automated response? Or if it’s a low-risk alert (and they are not sure if it’s real), then at what point do they understand the risk to the data the company holds and send it to an analyst to follow up?
“Automation is not a four-letter word in security. We need to embrace analytics and automation to speed detection and response.”
–Joseph Blankenship, Senior Analyst at Forrester
Embracing Automation in Security
But, historically, security professionals have shied away from automation, due in part to the risks of stopping legitimate traffic or disrupting business, as well as the belief that they need a human analyst to research and make decisions.
However, automation will speed up response, in terms of alert triaging, context gathering, containment and remediation. According to Forrester (3) 68 percent of security professionals state that using automation and orchestration tools to improve security operations is a high, or critical, priority.
Automation Requires Defined Rules of Engagement
To enable automation, security teams need to know the business, establish when to automate and when to send a human analyst, as well as develop operational play books around consistent policies and processes. By understanding how and when to protect their most sensitive data, security teams can build policies based on data risk, embrace automation and keep up with the rest of the business as it grows and changes.
Improving SOC Effectiveness and Efficiency with Faster Detection and Response
In a SOC, there are often many tools used to handle hundreds of thousands of alerts, so without a single platform that provides visibility across networks and endpoints, it’s difficult to measure how much time organisations can spend, how effective they are looking at false positives, and how many alerts really matter.
With security automation, organisations can measure productivity in terms of how many alerts a security tool can solve versus a manual approach, how much more time analysts can spend concentrating on the things that matter, and how much more quickly they can detect and respond to an attack.
(1). 51% = Q.BRCH1 “How many times do you estimate that your firm’s sensitive data was potentially compromised or breached in the past 12 months?” Base: 1,212 global network security decision-makers. 48% = Q.BRCH1 “How many times do you estimate that your firm’s sensitive data was potentially compromised or breached in the past 12 months?” Base: 604 global network security decision-makers (1,000+ employees)
(2). 2017 FireEye M-Trends Report
(3). Base: 1,169 Security technology decision-makers (1,000+ employees)
Source: Forrester Data Global Business Technographics Security Survey, 2017