Automating security incident response management offers the promise of reducing costs while enabling hard-pressed security teams to achieve greater efficiency and a more effective response to critical incidents, without additional expense.
Security teams under pressure
The landscape of information technology continues to evolve, as the services provided by IT become ever-more-closely aligned to the business drivers of the organisation. However, the rapidity of change in the type and origin of threat has forced organisations to deploy increasing numbers of solutions to detect, correlate, and remediate events in short timeframes.
Sadly, this proliferation of discrete solutions has resulted in greater pressure on already over-stretched security teams. Let's face it, it's not like we hired more people in 2009. In many cases, we reduced staff. And while the business and regulatory impact of breaches has become one of the most frequently cited concerns among IT security decision-makers, the ability of security teams to respond to these threats has remained, at best, stagnant.
The need for automation
Over the years, we've deployed everything from next-generation firewalls to the latest in host-based intrusion prevention technologies. While such technical solutions have provided some short-term relief for specific problems, they have also become an event management problem for the security teams that manage them. The proliferation of point solutions has, in effect, done nothing more than provide a temporary dam against the full force of the security issue facing the organisation. Outsourcing hasn't been our saviour either, as costs have increased alongside the complexities of managing our own environments.
While most organisations have some form of methodology defined to respond to security events, these may not be formalised into processes that lend themselves to direct translation and automation. A good place to start, then, is to identify a handful of manual tasks that could provide immediate cost reductions. These processes should be focused on dealing with less critical, operational security event management tasks.
Examples could include:
• Assigning alerts to the correct security administrators
• Populating tickets in a ticketing system for incidents
• Modifying a monitoring scope temporarily on critical systems in response to a detected event or vulnerability
• Responding to a password reset event
• Responding to an addition to a group with high privileges
An example in more detail
The last example is a common type of event, in which a user is added to a highly privileged group that might require review and authorisation by either the business owner of that group or a security administrator.
The process could include detecting a user being added to a Microsoft Active Directory (AD) group, and ensuring that the details of the user addition are sent in an e-mail to the appropriate stakeholder.
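The detect-and-notify step described above, as an added Python example that is not part of the original article. It runs over constructed records shaped like the fields of Windows Security events 4728, 4732 and 4756 (a member was added to a security-enabled global, local or universal group), where the group name is carried in TargetUserName, the added account in MemberName and the actor in SubjectUserName. The privileged-group list, the owner addresses and the sample events are assumptions for illustration; in practice the records would be read from the Security event log and the drafted message handed to an SMTP client.

```python
"""Flag additions to privileged AD groups and draft the review e-mail.

Added example, not code from the article. Group names, addresses and
event records below are constructed placeholders.
"""
from email.message import EmailMessage

# Assumption: which groups require review, and who reviews each one.
PRIVILEGED_GROUPS = {
    "Domain Admins": "domain-owner@example.invalid",
    "Enterprise Admins": "security-admin@example.invalid",
}

# Windows Security event IDs for "member added to a security-enabled group"
# (global, local and universal group respectively).
MEMBER_ADDED_EVENT_IDS = {4728, 4732, 4756}

# Constructed sample records mirroring the relevant 4728/4732/4756 fields.
SAMPLE_EVENTS = [
    {   # hit: Domain Admins is in the privileged list
        "EventID": 4728,
        "TimeCreated": "2009-11-03T09:12:44Z",
        "TargetUserName": "Domain Admins",
        "MemberName": "CN=alice,OU=Staff,DC=corp,DC=example",
        "SubjectUserName": "helpdesk01",
    },
    {   # not a privileged group: ignored
        "EventID": 4728,
        "TimeCreated": "2009-11-03T09:15:02Z",
        "TargetUserName": "Marketing",
        "MemberName": "CN=bob,OU=Staff,DC=corp,DC=example",
        "SubjectUserName": "helpdesk01",
    },
    {   # unrelated event type (account created): ignored
        "EventID": 4720,
        "TimeCreated": "2009-11-03T09:20:10Z",
        "TargetUserName": "carol",
        "SubjectUserName": "helpdesk02",
    },
]


def privileged_additions(events):
    """Return the member-added events whose target group needs review."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in MEMBER_ADDED_EVENT_IDS:
            continue
        if ev.get("TargetUserName") in PRIVILEGED_GROUPS:
            hits.append(ev)
    return hits


def build_notification(event, sender="soc-automation@example.invalid"):
    """Draft the e-mail sent to the group's owner for one flagged addition."""
    group = event["TargetUserName"]
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = PRIVILEGED_GROUPS[group]
    msg["Subject"] = f"[Review required] member added to {group}"
    msg.set_content(
        "A member was added to a highly privileged group.\n\n"
        f"Group:      {group}\n"
        f"Member:     {event['MemberName']}\n"
        f"Added by:   {event['SubjectUserName']}\n"
        f"When:       {event['TimeCreated']}\n"
        f"Event ID:   {event['EventID']}\n\n"
        "Please confirm this change was authorised."
    )
    return msg


def notifications_for(events):
    """End-to-end: filter the events and draft one message per hit."""
    return [build_notification(ev) for ev in privileged_additions(events)]


if __name__ == "__main__":
    for message in notifications_for(SAMPLE_EVENTS):
        print(message)
```

The messages are returned rather than sent so the logic can be exercised offline; delivering one is a single call to `smtplib.SMTP.send_message` against the organisation's relay. Keeping the group-to-owner mapping as data makes the stakeholder routing reviewable and easy to extend.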