This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
Organizations have poured billions of dollars into cyber security detection solutions, and while they are exceptional at uncovering potential anomalies and threats, none of these products can guarantee against a breach. Consequently, the next logical step is to pair robust detection and prevention technology with equally efficient and effective operations solutions, including incident response.
Detection solutions are now generating an average of 10,000 alerts per day, according to a recent survey by Damballa, far too many for companies to inspect and manage. Yet security professionals are still attempting to manually separate false alarms from real threats; decide what action, if any, to take; and then perform repetitive actions like gathering data, conducting basic analysis, and generating notifications and tickets.
Forced to complete each of these tasks manually, many expert security professionals are spending the majority of their days completing what are, essentially, administrative tasks.
Automation as a Solution
Up until now, the way most organizations dealt with an escalating number of events was to add staff. Many CIOs and CISOs still think about security in terms of an alerts-to-employee ratio; that is, they determine the size of their security operations center (SOC) staff based strictly on the volume of alerts they receive from detection solutions. But with the number of alerts rising so rapidly, that strategy is quickly becoming unsustainable.
To progress into a new era for information security, organizations are going to have to automate some of the low-complexity, high-volume tasks that are eating up so much of their experts' time, just like they've done with detection. When an organization has the ability to remove mundane tasks from their experts' plates, they free them up to tackle the more-complex issues.
Process automation, at its core, is about understanding what an analyst does to protect the enterprise: the specific steps the analyst takes to deal with alerts based on factors like source, attack type and severity. So when you are considering automation, the first step is to break down existing SOC operations so you have an almost minute-by-minute understanding.
For instance, thinking about how analysts respond to particular types of alerts may involve asking them granular questions like, "What are the sources of your alerts?" This seems obvious, but alerts can come from detection technology or be reported by the Service Desk, reported via email or called in by a user. Other lines of inquiry:
- "What applications do they use to investigate alerts?" Do they look up users in Active Directory, an ERP solution or a corporate address book?
- "Where do they get their investigation information?" Does it come from other detection technology, external threat intelligence or an internal configuration management database (CMDB)?
- "How do they make decisions about response based on the information they have available?" Is it based on severity, affected system, affected users or a particular application?
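The decomposition above, turned into a small rule-based triage pipeline as an added example (not from the article or any vendor product): intake source, lookup applications, investigation data and decision criteria each map to one step. The directory, CMDB, threat-intelligence set and alerts are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for Active Directory, the CMDB and a threat-intel feed.
DIRECTORY = {"jdoe": {"dept": "Finance", "privileged": False},
             "svc-backup": {"dept": "IT", "privileged": True}}
CMDB = {"10.0.5.12": {"role": "workstation", "owner": "jdoe"},
        "10.0.1.3": {"role": "domain-controller", "owner": "svc-backup"}}
THREAT_INTEL = {"198.51.100.7"}  # sample known-bad destination (constructed)


@dataclass
class Alert:
    source: str        # intake channel: "ids", "service_desk" or "email"
    attack_type: str
    severity: str      # "low", "medium" or "high"
    host: str          # affected system
    dest_ip: str = ""  # outbound destination, if the alert has one
    notes: list = field(default_factory=list)


def enrich(alert):
    """Gather the data an analyst would otherwise collect by hand."""
    asset = CMDB.get(alert.host, {"role": "unknown", "owner": None})
    user = DIRECTORY.get(asset["owner"], {"privileged": False})
    alert.notes.append(f"asset role={asset['role']} owner={asset['owner']}")
    intel_hit = alert.dest_ip in THREAT_INTEL
    return asset, user, intel_hit


def decide(alert):
    """Decision rule: severity, affected system and affected user drive the action."""
    asset, user, intel_hit = enrich(alert)
    if asset["role"] == "domain-controller" or user["privileged"] or intel_hit:
        return "escalate"    # hand to a human analyst immediately
    if alert.severity == "high":
        return "ticket"      # open a ticket and notify the asset owner
    if alert.source == "ids" and alert.severity == "low":
        return "auto_close"  # recorded with its notes, not silently dropped
    return "ticket"


def triage(alerts):
    """Sort a batch of alerts into action buckets: the repetitive step being automated."""
    buckets = {"escalate": [], "ticket": [], "auto_close": []}
    for alert in alerts:
        buckets[decide(alert)].append(alert)
    return buckets
```

The escalation rules are deliberately conservative: anything touching a privileged account, a critical asset or a known-bad indicator bypasses automation and goes to a person.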