Countless articles have been written about the massive increase in alert volume from detection systems - and the resulting drain on scarce security personnel. The good news is that as automation begins to play a stronger role in incident response, the dynamic is shifting. Companies now need to prepare for a world where 99% of time spent investigating and following up on alerts is given back to them. What is the best use of your newly found time and resources? Let’s consider three possibilities.
Process and Methodology
When was the last time you reviewed your security policy? It’s a loaded question, but many companies go years without reviewing and changing policies that too quickly become obsolete, given how fast vectors and methods of attack evolve. Key questions to consider when reviewing security policy include:
- Are we set up for constant improvement? A security policy can’t be written in stone; it must allow for continuous change for improvement. Do you have a process that lets your security policy match the fluid nature of threats?
- Are we reactive or proactive? While many companies struggle just to react to the volume of threats and alerts they see daily, security policy should be forward-looking, anticipating what is coming and prescribing a course of action before new threats materialize.
- How can security policy be more business-oriented? The idea of simply locking down everything is as quaint as it is impossible. The speed of business, the need for real-time collaboration, and the hyper-connected nature of how people work require us to strike a balance between security and risk. Security has to be a business enabler, not an inhibitor.
- What are we doing wrong? The ability to recognize weaknesses may seem like calling your own baby ugly, but moving past the emotional defense and becoming an objective observer is the only way forward.
What’s Falling Through the Cracks?
When a company implements automated solutions, it can do away with much of the manual work of investigating alerts and remediating threats. But automation will never be able to do 100% of the work. Here’s what security teams need to take on:
- Double-check your automated processes. Spot-check a random sample of automated outcomes for anything you may have missed. For example, if a new threat type isn’t accounted for in your detection or response processes, the automation will either mishandle it or silently close it, and you’ll need to address that. If you discover something, update the process and keep improving.
- Validate what you find. Look at what your automated systems have identified and remediated, then try to understand why the incident made it through your defenses in the first place. Fixing an issue automatically is great, but understanding why it happened and correcting the root cause is the Holy Grail.
- Hunt! So far, we’ve only touched on dealing with inbound threats, but why not focus on proactive threat hunting? For more on that topic, read Cyber Hunters, Incident Response & The Changing Nature Of Network Defense.
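The two checks above, spot-checking automated outcomes and catching alert types the automation has no playbook for, are simple enough to script. The following is an added example, not code from the original article or from any particular product; the alert records, the playbook coverage set and the field names (`type`, `score`, `outcome`) are constructed, hypothetical data standing in for whatever your SOAR or case-management system exports. It also covers the later point about score-based prioritization: `ignored_by_threshold` lists exactly what a given threshold is choosing to ignore.

```python
"""Audit helpers for an automated alert-triage pipeline (added example; hypothetical data)."""
import math
import random
from collections import Counter, defaultdict

# Constructed sample: alerts after automation has acted on them. Field names are
# assumptions, not a real product's export format.
ALERTS = [
    {"id": "a1", "type": "phishing",            "score": 80, "outcome": "auto_remediated"},
    {"id": "a2", "type": "phishing",            "score": 75, "outcome": "auto_remediated"},
    {"id": "a3", "type": "malware",             "score": 90, "outcome": "auto_remediated"},
    {"id": "a4", "type": "credential_stuffing", "score": 40, "outcome": "auto_closed"},
    {"id": "a5", "type": "malware",             "score": 20, "outcome": "suppressed"},
    {"id": "a6", "type": "ssrf",                "score": 60, "outcome": "auto_closed"},
    {"id": "a7", "type": "dns_tunnelling",      "score": 55, "outcome": "auto_closed"},
    {"id": "a8", "type": "phishing",            "score": 10, "outcome": "suppressed"},
]

# Hypothetical coverage map: the alert types automation actually has a playbook for.
PLAYBOOKS = {"phishing", "malware", "credential_stuffing"}


def uncovered_types(alerts, playbooks):
    """Return {alert_type: count} for types automation handled without a playbook.

    Anything listed here was closed or remediated by a generic path, not by a
    response that was designed for that threat type; treat each entry as a gap."""
    return dict(Counter(a["type"] for a in alerts if a["type"] not in playbooks))


def audit_sample(alerts, fraction, seed=None):
    """Draw a random human-review sample of automated outcomes, stratified by type.

    Every type contributes at least one alert, so rare (and possibly new) types
    are never drowned out by the high-volume ones a plain random draw favours."""
    rng = random.Random(seed)
    by_type = defaultdict(list)
    for alert in alerts:
        by_type[alert["type"]].append(alert)
    sample = []
    for alert_type in sorted(by_type):          # sorted for reproducible output
        group = by_type[alert_type]
        k = max(1, math.ceil(fraction * len(group)))
        sample.extend(rng.sample(group, k))
    return sample


def ignored_by_threshold(alerts, threshold):
    """IDs of alerts a score-based prioritisation would drop at this threshold.

    Run it with the threshold you use today to see what 'ignore' actually covers."""
    return sorted(a["id"] for a in alerts if a["score"] < threshold)


if __name__ == "__main__":
    print("no playbook:  ", uncovered_types(ALERTS, PLAYBOOKS))
    print("review these: ", [a["id"] for a in audit_sample(ALERTS, 0.25, seed=7)])
    print("dropped at 50:", ignored_by_threshold(ALERTS, 50))
```

Feed the reviewed sample back into the playbook map (and the detection content) rather than just closing the review ticket; the value of the spot-check is the process update that follows it.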
Customize Detection Mechanisms
When companies lack the resources to follow up on alerts, they often tune their detection systems to match their capacity. But in a largely automated scenario, you now have the luxury to:
- Recalibrate your detection systems. When you no longer need to filter out low-level alerts or false positives, you can open the floodgates. If you’re no longer dependent on people to investigate alerts, you can get the full value out of your investment in detection solutions by handing all of your alerts (no matter the volume or score) to your automated system.
- Rethink prioritization and make sure it’s still needed. Prioritization is the conscious decision to ignore things based on a score. Reconsider what you aren’t paying attention to today that you should be, given your new capacity and automated capabilities.
- Look at what you’ve paid for but don’t use. We’ve all bought tools that are either sitting on the shelf or not fully implemented. What do you have that could bolster your security posture if you had the time to set it up?
In a security environment leveraging automation, there will always be tasks that are better suited to a human than to a machine, and vice versa. By shifting security teams’ focus to these higher-level tasks, we will make much better use of our human intelligence to combat the ever-increasing cyber threat.