
Being chronically understaffed means that SOC and IR teams are hit doubly hard by sudden increases in the volume and sophistication of security alerts. Analysts on these teams must contend with dozens of systems and data sources, and with largely manual investigative processes. This forces analysts to spend an inordinate amount of time gathering information and investigating false positives, which in turn increases dwell and remediation times for the real security incidents.
Fortunately, context-gathering and filtering out false positives are two activities that IR automation and orchestration significantly improve. The newest version of the D3 platform—available now—includes several new automation features that streamline formerly time-consuming tasks and allow analysts to focus on real security threats. These new capabilities are designed to empower the analyst and save time in three specific areas: gathering information, making decisions, and taking action.
One of the driving forces behind these features is Vahid Foroushani, Ph.D., CISSP, the Chief Scientist and CISO at D3. As a former level IV security analyst and researcher at IBM, Vahid knows how much time gets wasted in the typical incident management process.
“Analysts can spend 80% of their time tracking down and analyzing contextual information”, according to Vahid.
“Automating the investigative process so that it happens in seconds, while ensuring the analyst has all the information he or she needs to triage and respond, is one small step with big benefits in terms of time saved.”
The D3 Incident Response Platform employs automation and orchestration features throughout the incident management lifecycle, including automatically escalating SIEM alerts, enriching data from threat intelligence (such as FireEye iSIGHT), domain reputation (such as DomainTools), and malware research (such as VirusTotal) sources, and executing low-risk security actions.
“By bringing information from these sources into the incident response platform, the analyst can see the full context of the initial alert, and very quickly determine if it warrants further investigation, or whether it’s a false positive.”
Based on the data compiled by the system, D3 can dramatically decrease the time analysts spend investigating false positives by creating a false positive probability score for each new incident. If the score is high enough, the incident can be resolved automatically without the need for an analyst.
In Vahid’s experience, this process reduces the number of incidents that require a human analyst’s attention. Using data mining and machine learning, the D3 system draws on historical data to determine whether new alerts are likely false positives. The more data the system gathers, the more accurate it becomes.
While the bulk of an analyst’s time is spent investigating incidents and sorting out false positives, D3’s automation can take it a step further and perform simple actions such as closing a port or blocking an IP.
“While automating information gathering and false positive management is a great first step, every organization still has a lot of low-risk, high frequency security actions,” according to Vahid.
“With D3, organizations can select the level of automation they are comfortable with…whether that means fully automating security actions, or requiring human approval whenever certain conditions are met, such as when an important asset or company executive is targeted.”
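To make the three pieces described above concrete (enrichment of an alert from reputation data, a false positive probability score learned from historical outcomes, and a selectable level of automation with a human-approval gate for important assets), here is a small added example. It is illustrative code written for this article, not D3's product code or its scoring algorithm: the reputation table, the historical outcomes, the asset list, the action names and the thresholds are all constructed, and the score is a simple add-one-smoothed frequency of past false positives rather than any particular machine learning model.

```python
"""Added example (not D3's code): enrichment -> false-positive score -> automation gate.

Every data value below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed reputation data standing in for a domain/IP reputation lookup.
# Addresses are from the TEST-NET ranges reserved for documentation.
REPUTATION = {
    "203.0.113.7": "malicious",
    "198.51.100.2": "clean",
}

# Constructed historical outcomes: (alert rule, enrichment verdict, was it a false positive?)
HISTORY = [
    ("suspicious-dns", "clean", True),
    ("suspicious-dns", "clean", True),
    ("suspicious-dns", "clean", True),
    ("suspicious-dns", "malicious", False),
    ("port-scan", "clean", True),
    ("port-scan", "clean", False),
    ("malware-hash", "malicious", False),
    ("malware-hash", "malicious", False),
    ("malware-hash", "clean", True),
]

# Constructed policy: assets that always need human sign-off, and the actions
# considered low-risk enough to run without it.
CRITICAL_ASSETS = {"dc01", "ceo-laptop"}
LOW_RISK_ACTIONS = {"block-ip", "close-port"}
AUTO_CLOSE_THRESHOLD = 0.75


def enrich(indicator):
    """Enrichment step: map an indicator to a reputation verdict ('unknown' if not found)."""
    return REPUTATION.get(indicator, "unknown")


class FalsePositiveModel:
    """Add-one-smoothed frequency of past false positives for a (rule, verdict) pair,
    backing off to the rule alone when that pair has never been seen before."""

    def __init__(self, history):
        self.pair_counts = defaultdict(lambda: [0, 0])  # [false positives, total]
        self.rule_counts = defaultdict(lambda: [0, 0])
        for rule, verdict, was_fp in history:
            for bucket in (self.pair_counts[(rule, verdict)], self.rule_counts[rule]):
                bucket[0] += int(was_fp)
                bucket[1] += 1

    def fp_probability(self, rule, verdict):
        fp, total = self.pair_counts.get((rule, verdict), (0, 0))
        if total == 0:  # unseen pair: fall back to the rule's overall history
            fp, total = self.rule_counts.get(rule, (0, 0))
        return (fp + 1) / (total + 2)  # smoothing: a never-seen rule scores 0.5


@dataclass
class Alert:
    rule: str
    target_asset: str
    indicator: str        # e.g. the IP or domain the alert fired on
    proposed_action: str  # e.g. "block-ip", "close-port", "isolate-host"


def decide(alert, model):
    """Return 'auto-close', 'auto-remediate', 'approval-required' or 'analyst-review'."""
    verdict = enrich(alert.indicator)
    p_fp = model.fp_probability(alert.rule, verdict)
    if p_fp >= AUTO_CLOSE_THRESHOLD:
        return "auto-close"                # likely false positive: resolve without an analyst
    if alert.target_asset in CRITICAL_ASSETS:
        return "approval-required"         # important asset targeted: a human must approve
    if alert.proposed_action in LOW_RISK_ACTIONS:
        return "auto-remediate"            # low-risk, high-frequency action: run it
    return "analyst-review"                # everything else goes to the queue


if __name__ == "__main__":
    model = FalsePositiveModel(HISTORY)
    for a in [
        Alert("suspicious-dns", "ws-17", "198.51.100.2", "block-ip"),
        Alert("malware-hash", "ws-17", "203.0.113.7", "block-ip"),
        Alert("malware-hash", "ceo-laptop", "203.0.113.7", "block-ip"),
        Alert("malware-hash", "ws-17", "203.0.113.7", "isolate-host"),
    ]:
        print(a.rule, a.target_asset, a.proposed_action, "->", decide(a, model))
```

The point of the structure is that the organization's comfort level lives entirely in the three policy constants: raising `AUTO_CLOSE_THRESHOLD` or emptying `LOW_RISK_ACTIONS` pushes more incidents to a human, and adding an asset to `CRITICAL_ASSETS` forces approval regardless of how routine the action is. Any real deployment would also record every automated decision so that wrongly auto-closed incidents feed back into the history the score is built from.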
To learn more about how an incident response system with automation and orchestration can decrease response times and increase the productivity of your SOC, download the Saving Time with Incident Response Briefing.