by Stan Engelbrecht, Director of Cybersecurity Practice, D3 Security
Most companies that are struggling with their incident response program fall into two categories:
- They don’t realize what their problems are, because they’ve always done things a certain way
- They know exactly what their problems are, but don’t have the resources to fix them
Whichever category your company is in, you probably have many of the same problems as other organizations. There are a handful of universal issues with which almost every incident response program struggles. Incident response platforms (IRPs) have always offered some assistance with these issues, but recent advances in automation and orchestration technology have vastly expanded the impact an IRP can have.
In this article, we’ll look at five of the most common incident response problems and how an IRP that leverages automation and orchestration can help solve them.
Problem #1: Lack of Personnel
It’s no secret that most SOCs are understaffed and overworked, so perhaps the most obvious problem for many security analysts is that they are too busy to give major incidents the time they deserve. Unfortunately, this problem reinforces itself: if a company is unable to hire enough analysts, their analysts become stressed and dissatisfied. Those employees are more likely to quit, which makes the hiring problem even worse.
An IRP with automation features can address the two problems at play here: the quantity and the quality of analysts’ workloads. With automated investigations and actions, analysts don’t have to spend their time on repetitive low-risk tasks. Automated risk scoring to identify false positives also reduces the number of alerts analysts need to respond to, and automated reporting and notifications mean analysts can collaborate without getting bogged down in time-consuming administrative tasks.
Being able to focus primarily on challenging security incidents keeps analysts happy, and should result in lower turnover across your security team.
Problem #2: Lack of Context
Ironically, the problem that security analysts face isn’t a lack of information; it’s that there’s too much information with no way to make sense of it. In most SOCs, an overwhelming amount of security data comes in from numerous systems, but stays in those separate repositories. When an analyst is evaluating a new incident, they must gather the information they need manually, going from system to system.
With automation in place, each incident can be enriched with both external (e.g. threat intelligence) and internal information (e.g. SIEM data, link analysis, previous incident records). This instantly reveals the context of the incident, not only saving analysts from having to waste time gathering data, but also isolating the important information to inform their decisions.
Problem #3: Lack of Scalability
Your existing incident response processes might work fine—but only at a certain scale. Manually managing tasks, communications, and investigations is feasible for minor incidents, but when a major incident hits, you’ll be in trouble. Incidents that involve compliance reporting, complex forensics, and thousands of workstations will quickly reveal the shortcomings of an ad hoc incident response program.
A centralized platform with automation and orchestration features is the best way to scale your response capability and prepare for major events. Automation allows you to run investigations and take actions at a large scale, instead of, for example, manually pulling data from every affected system and blocking individual IPs. Orchestration features leverage centrally logged data to communicate tasks across teams and execute workflows throughout the company, facilitating fast and consistent response at scale.
Problem #4: Lack of Collaboration
In most organizations, teams work in silos. These divisions are reinforced by the tools teams use because, without common software solutions, it is especially hard to communicate securely, share data, and work together on tasks. Many companies are forced to rely on emails, spreadsheets, and other makeshift methods for communication and collaboration.
For collaboration to be efficient, secure, and properly documented, there needs to be one centralized system that supports users beyond the security team. An IRP with security orchestration features can perfectly meet this need. Automated notifications, reporting, and task assignments make collaboration part of the everyday workflow. Task management dashboards and case management folders enable users to track and share work across teams. As an added benefit, a strong IRP will have configurable access controls, so data confidentiality can be preserved when sharing incident records between teams.
Problem #5: Lack of Prioritization
Reducing incident volume isn’t the only way to alleviate the strain on your analysts. You can also do it by effectively prioritizing the incidents they deal with. Many companies don’t have a way to determine how potentially serious an alert is until after it’s been investigated. This leaves most analysts spending the majority of their time chasing after alerts that turn out to pose no real threat.
Organizations with solid incident record data have an incredible resource to tap into, yet many don’t even realize it. By tagging every resolved incident as either a false positive or a true positive, you can build a dataset that your IRP can mine to learn which factors most strongly indicate false positives. Automation and orchestration can then automatically resolve events that are very likely to be false positives, or move them lower in analysts’ queues.
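The prioritization loop described above, as an added example that is not D3 Security’s code: a small naive-Bayes scorer trained on constructed incident records tagged fp/tp, which estimates how likely a new alert is to be a false positive, auto-resolves those above a hypothetical policy threshold, and orders the rest so the likeliest true positives reach analysts first. The feature names, alert ids, and the 0.95 threshold are assumptions for illustration.

```python
from collections import Counter, defaultdict
from math import exp, log

# Constructed sample of resolved incidents (not real case data): the features an
# IRP would carry on each record, plus the analyst's closing verdict (fp/tp).
RESOLVED = [
    ({"rule": "brute_force",    "asset": "workstation", "intel_hit": False}, "fp"),
    ({"rule": "brute_force",    "asset": "workstation", "intel_hit": False}, "fp"),
    ({"rule": "brute_force",    "asset": "server",      "intel_hit": False}, "fp"),
    ({"rule": "malware_beacon", "asset": "workstation", "intel_hit": True},  "tp"),
    ({"rule": "malware_beacon", "asset": "server",      "intel_hit": True},  "tp"),
    ({"rule": "brute_force",    "asset": "server",      "intel_hit": True},  "tp"),
    ({"rule": "data_exfil",     "asset": "server",      "intel_hit": True},  "tp"),
    ({"rule": "data_exfil",     "asset": "workstation", "intel_hit": False}, "fp"),
    ({"rule": "brute_force",    "asset": "workstation", "intel_hit": False}, "fp"),
    ({"rule": "malware_beacon", "asset": "workstation", "intel_hit": False}, "fp"),
]
# Constructed incoming alerts to triage, and a hypothetical auto-close threshold.
NEW_ALERTS = [
    {"id": "A-1", "features": {"rule": "brute_force",    "asset": "workstation", "intel_hit": False}},
    {"id": "A-2", "features": {"rule": "malware_beacon", "asset": "server",      "intel_hit": True}},
    {"id": "A-3", "features": {"rule": "data_exfil",     "asset": "workstation", "intel_hit": True}},
]
AUTO_RESOLVE_AT = 0.95

def train(resolved):
    """Count verdicts overall and per (feature, value) from the tagged history."""
    verdicts = Counter(v for _, v in resolved)
    counts = defaultdict(Counter)  # (feature, value) -> Counter of verdicts
    values = defaultdict(set)      # feature -> distinct values seen in training
    for feats, verdict in resolved:
        for f, val in feats.items():
            counts[(f, val)][verdict] += 1
            values[f].add(val)
    return verdicts, counts, values

def fp_probability(model, feats):
    """Naive-Bayes P(false positive) with Laplace smoothing, so unseen values never zero out."""
    verdicts, counts, values = model
    log_odds = log(verdicts["fp"] / verdicts["tp"])  # prior from the tagged history
    for f, val in feats.items():
        k = len(values[f]) + (0 if val in values[f] else 1)  # smoothing denominator
        p_fp = (counts[(f, val)]["fp"] + 1) / (verdicts["fp"] + k)
        p_tp = (counts[(f, val)]["tp"] + 1) / (verdicts["tp"] + k)
        log_odds += log(p_fp / p_tp)  # each feature shifts the odds by its likelihood ratio
    return 1 / (1 + exp(-log_odds))

def triage(model, alerts):
    """Auto-resolve near-certain false positives; queue the rest, likeliest true positive first."""
    scored = sorted((fp_probability(model, a["features"]), a["id"]) for a in alerts)
    queue = [aid for p, aid in scored if p < AUTO_RESOLVE_AT]
    auto_closed = [aid for p, aid in scored if p >= AUTO_RESOLVE_AT]
    return queue, auto_closed
```

Calling `triage(train(RESOLVED), NEW_ALERTS)` closes A-1 automatically and queues A-2 ahead of A-3; the auto-closed records should still be tagged and retained, since they feed the next round of training.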
About the Author
Stan Engelbrecht is the Director of Cybersecurity Practice at D3 Security and an accredited CISSP. Stan is involved throughout the product delivery and customer success lifecycle and takes particular interest in working with customers to configure solutions. You can find Stan speaking about cybersecurity issues at conferences, in the media, and as the chapter president for a security special interest group.