Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
5/25/2016
12:00 PM
Brian Dye
Brian Dye
Partner Perspectives
50%
50%

1 Security Incident x 4 Tools x 8 Roles = 8 Days

Collaboration can significantly improve this equation.

Collaboration may be the key to enhancing your security responsiveness, according to a recent global research report. Improving how your teams and products work together, including enhancing communication flows, fostering trust and transparency, and automating time-consuming tasks, could increase flexibility and effectiveness by 38% to 100%, depending on the size of the group. The bigger the group, the higher the potential improvement.

Our new global survey of 565 security professionals indicates the continuing need for greater effectiveness. Security operations teams are being inundated with security events as attacks and threat vectors increase in volume and variety. On average, investigations take people from up to eight different roles within the organization, using four or more security tools, eight days from detection to clean up.

Ironically, the groups with more advanced threat- and incident-management solutions conducted twice as many investigations because they had more detailed data and could detect more sophisticated and subtle attack behaviors. Almost half of those with advanced threat- and incident-management tools were able to shorten their average investigation times.

With the number of tools and people involved, respondents indicated that collaboration could improve effectiveness. The surprise was how big an impact they thought enhanced collaboration between the security analysts, incident responders, and endpoint and network operations teams would have. Centralized orchestration among these players was predicted to deliver a 38% to 100% improvement in effectiveness. These findings are promising for anyone worried about the cyberskills shortage and our ability to combat evolving threats. We can do more with what we already have.

It isn’t just about real-time alerts and case-management workflows. Our research identified three critical areas to develop: communication, trust, and automation.

Communication

Security investigations are iterative; the next step is influenced by the situation rather than prescribed by process. There are also so many people and products involved in a typical investigation, from different sites and time zones, that any form of manual communication or integration introduces delays and errors.

Given these hurdles, developing and enhancing orchestration between security products enables a host of time-saving human communications, including role-specific dashboards and monitoring tools, real-time visibility, policy and process-driven workflows, and access to current and historical event data. These, in turn, provide the most significant way to reduce incident response times by delivering more accurate and up-to-date information and prioritizing the areas in which to act.

Trust

Following closely on communication is developing higher levels of trust and transparency among teams, both internal and external to security operations. The two critical components of this are confidence that the information being received is accurate and complete, and confidence that work will get or has been done. Leading by example is critical here, demonstrating your trust in others and avoiding blame.

Having an incident-response game plan, practicing real-life scenarios, facilitating and coaching through each incident, and debriefing for the next iteration help create a positive attitude and continuous process improvement. This in turn encourages people to contribute as needed, even outside of their primary roles.

Automate-ability

Finally, the security skills shortage is not going away. Scripting critical time-consuming local and remote tasks is a good way to start down the road of getting your security tools and computing machines to shoulder more of the load. Our survey found a significant willingness to automate or semi-automate many tasks that traditionally require human intervention. Some are low risk such as clearing a browser cache or restarting a Windows service; some are higher risk such as isolating a host, rebooting a system, or reimaging a disk. Survey respondents showed that low-risk tasks could be fully automated, and the higher risk tasks could be automated with a pause for human approvals. Consult the report and infographic for specific examples of automation preferences.

Our survey indicates that improving collaboration across people, process, and technology can have significant benefits, connecting the tools and roles to shorten critical security operations metrics: times to detection, containment, and remediation.

For more information on how collaboration can improve your security equation, and other findings on advanced threat and incident management, download the full report How Collaboration Can Optimize Security Operations.

Brian Dye is corporate vice president in the Intel Security Group and general manager of the group's global security products at Intel Corporation. He is responsible for Intel's global corporate security product portfolio and worldwide engineering, including product ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18934
PUBLISHED: 2019-11-19
Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration.
CVE-2012-6070
PUBLISHED: 2019-11-19
Falconpl before 0.9.6.9-git20120606 misuses the libcurl API which may allow remote attackers to interfere with security checks.
CVE-2012-6071
PUBLISHED: 2019-11-19
nuSOAP before 0.7.3-5 does not properly check the hostname of a cert.
CVE-2012-6135
PUBLISHED: 2019-11-19
RubyGems passenger 4.0.0 betas 1 and 2 allows remote attackers to delete arbitrary files during the startup process.
CVE-2016-10002
PUBLISHED: 2019-11-19
Node-cookie-signature before 1.0.6 is affected by a timing attack due to the type of comparison used.