Using IR Automation to Overcome the IT Skills Gap

By Alex MacLachlan October 27, 2016 incident-response, security-orchestration-automation-response

“Cyber threats have evolved from targeting and harming computers, networks, and smartphones — to people, cars, railways, planes, power grids and anything with a heartbeat or an electronic pulse.” Steve Morgan, Hackerpocalypse: A Cybercrime Revelation

Nearly half of all cyberattacks strike small and mid-sized businesses, and today’s enterprise IT databases and infrastructures face more complex, sophisticated hackers that seem capable of getting around even the most well-equipped corporate perimeter defense systems. To mitigate this ongoing, evolving cybersecurity threat, many organizations have turned to automated third-party incident response platforms and Managed Security Service Providers (MSSPs) to assist with threat detection, triage, and response. With an increasingly hostile cybersecurity climate and a cybersecurity unemployment rate holding strong at zero percent, it’s no wonder businesses of all sizes are experiencing shortages of skilled, experienced cybersecurity and incident response (IR) personnel—and the trend doesn’t appear to have an end in sight.

Increased Cybersecurity Threats Mean Overworked Teams and Fewer Professionals for Every Job

An increased demand for qualified cybersecurity personnel and skyrocketing job security expectations are bolstered by dismal cybercrime statistics and their associated costs: estimated cybercrime damages will cost companies more than $6 trillion annually by 2021, up from the $3 trillion estimated last year—with expected global investment in defending against cybercrime to top $1 trillion between 2017 and 2021. Gartner predicts that the future isn’t much brighter: “By 2020, 30% of global enterprises will have been directly compromised by an independent group of cybercriminals or cyberactivists.” While zero-day vulnerabilities continue to rise and the volume of cyberattacks expands by the minute, manually entering threat and incident data along with time-consuming reporting tasks is making daily workloads untenable for overworked, harried IT incident responders. And with time to compromise measured in seconds and minutes, a manual human response is sometimes simply not realistic—or effective. According to Verizon’s 2015 Data Breach Investigations Report, “in 60% of network breaches, hackers compromise the network within minutes.”

Automation and Unified Incident Response Platforms Can Lessen the Burden on In-House IT Teams

It is possible and indeed preferable to lessen the skills gap and compensate for cybersecurity industry workforce shortages by making more efficient, productive use of your organization’s existing IT talent. This means reducing the workload on IR teams by utilizing a unified incident response platform and leveraging automation and data analytics wherever possible. By reducing stress and overload on IR teams, organizations can foster a more holistic approach to proactive and reactive cybersecurity that lets IR professionals focus on more complex tasks like response and remediation. Advances in threat intelligence provide cybersecurity teams with a wealth of real-time information—but sometimes, the sheer volume of information can be debilitating, stopping even the most seasoned cybersecurity professional in their tracks. For many IR teams, a barrage of cybersecurity alerts combined with a lack of available, qualified team members to triage, analyze, and remediate threats results in an overburdened workforce that becomes prone to mistakes and oversights. These shortfalls can lead to events, incidents, or worse: full-blown, catastrophic data breaches.

When It Comes to Skills Shortages, It’s Often About the Shortages—Not the Skills

Even teams made up of well-seasoned cybersecurity professionals experience shortfalls that result not from the skills they have in their arsenal, but from their reduced capacity to deliver on those skills. The following three time-sinks are often collectively responsible for taking IT teams away from their more complex response and remediation responsibilities:

  1. Reporting is a time-consuming—but necessary—process. Talented IT teams often spend weeks or more in each quarter mired in spreadsheets, trying to make sense of raw data to turn it into something useful for the CIO or IT operations. To make matters more complicated, changes to the IT environment can happen between data upload and communication, often resulting in inaccuracies in the final report—which then need to be corrected and improved upon, costing teams even more valuable time.
  2. The “basics” are too often in the skilled cybersecurity tech’s wheelhouse. Maintaining good cyber-hygiene isn’t easy, and providing a baseline level of security across departments is a constant struggle. When advanced security professionals discover issues and gaps in baseline levels of protection like operational status, coverage, and effectiveness, they must often redirect their efforts to investigate the inconsistencies across the whole IT environment.
  3. Constant firefighting creates a diversion of talent and time. Security intelligence feeds are exceptionally capable these days—and with this increased proficiency comes an increase in data output. Noise—and not signal—is typically a big part of that, and cybersecurity teams often find themselves inundated with more data than they can handle. The initial phase of sorting through data can take up much of an analyst’s time, leaving little to none for determining effective actions to combat threats. Automation can make this step easier by correlating threats and managing newly discovered incidents, so talented analysts can stop firefighting—and instead work with the data to create solutions.

Automation is key to helping IT security teams effectively identify threats, analyze data, and measure risk—it frees them up to prioritize a response that mitigates damages and reduces the overall risk to the organization. With automation, IR teams achieve a better balance between detection and prevention; improved data analytics allow for transparency and visibility across the IT environment; and streamlined reporting delivers user-friendly, meaningful, and accurate information for key stakeholders.

D3’s Automated Response Dynamics Engine Boosts IR Teams’ Efficiency from Triage Through Remediation

Manual threat detection and response is often too varied and inefficient to manage the massive volume of precursors, incidents, indicators, and threats that confront IT teams daily. IR teams benefit from automation and analytics through a streamlined workflow for the entire process—without requiring the analyst to step outside the IR platform for relevant information at any stage. D3’s Response Dynamics Engine was created with this in mind. D3 works with IBM’s QRadar (and many other SIEMs and threat intelligence feeds) to incorporate infrastructure data that gives teams the full context of threats and incidents with WHOIS, SSL certificates, Passive DNS, web components, host pairs, and real-time analysis of data sets. D3’s Response Dynamics Engine automates response plans and orchestrates workflows and processes to allow IR teams to focus on more complex, strategic tasks. D3’s Response Dynamics Engine in combination with QRadar and other SIEMs and threat intelligence feeds equips teams with automated, actionable threat intelligence by providing:

  • Automatic offense triage and escalation. By inspecting source IPs and domains within open events, IT analysts know immediately whether they are malicious.
  • Contextual metadata at the click of a button. D3’s Response Dynamics Engine offers an intuitive, user-friendly dashboard that provides analysts and IR teams with a comprehensive understanding of threats from external IPs and domains.
  • Analyst feedback loops that improve results over time. IPs and domains are categorized as suspicious, malicious, non-malicious, and unknown, so analysts can make informed decisions and confidently move forward with only the most important threats.
  • Personalized content. Users can conveniently switch between the bi-directional D3 incident response platform, SIEMs, and other threat intelligence feeds to customize their analysis and response capabilities.
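The triage loop described in point 3 above (correlating threats so analysts stop firefighting) and in the bullets just listed (inspecting source IPs and domains in open events, assigning one of four verdicts, escalating only what matters) can be sketched in a few dozen lines. The block below is an added illustration, not D3's, QRadar's or any vendor's code: the event shape, the threat-intelligence feed, the internal-network list, the escalation threshold and the correlation rule are all constructed assumptions, and every indicator is drawn from RFC documentation ranges and example domains.

```python
"""Automated offense triage: look up the external indicators of each open
SIEM event against threat intel, assign a verdict (malicious / suspicious /
non-malicious / unknown), correlate offenses that share an indicator, and
escalate only those at or above a severity threshold.

Added example. Event format, feed contents and policy values are assumptions.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed threat-intel feed (indicator -> verdict). A real deployment
# would pull this from a TIP, an MSSP or the SIEM's reference sets.
THREAT_INTEL = {
    "203.0.113.7": "malicious",          # documentation address, invented verdict
    "198.51.100.22": "suspicious",
    "updates.example.com": "non-malicious",
    "cdn.example.net": "non-malicious",
}

# Severity order used to combine verdicts and decide escalation.
SEVERITY = {"non-malicious": 0, "unknown": 1, "suspicious": 2, "malicious": 3}
ESCALATE_AT = "suspicious"      # assumed policy: escalate suspicious and above
CORRELATION_THRESHOLD = 3       # assumed rule: an unknown indicator seen in this
                                # many open offenses is raised to suspicious

# Assumed internal address space; sources here are not external indicators.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed open offenses in a simplified SIEM-like shape.
SAMPLE_OFFENSES = [
    {"id": 101, "source_ip": "203.0.113.7", "domain": None},
    {"id": 102, "source_ip": "10.0.0.5", "domain": "updates.example.com"},
    {"id": 103, "source_ip": "192.0.2.10", "domain": None},
    {"id": 104, "source_ip": "192.0.2.10", "domain": "cdn.example.net"},
    {"id": 105, "source_ip": "192.0.2.10", "domain": None},
    {"id": 106, "source_ip": "198.51.100.22", "domain": "example.org"},
]


@dataclass
class TriagedOffense:
    offense_id: int
    indicators: list[str]
    verdict: str
    escalate: bool
    related: list[int] = field(default_factory=list)   # other offenses sharing an indicator


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def external_indicators(event: dict) -> list[str]:
    """Collect the lookup-worthy indicators: a non-internal source IP and any domain."""
    found = []
    ip = event.get("source_ip")
    if ip and not is_internal(ip):
        found.append(ip)
    if event.get("domain"):
        found.append(event["domain"].lower())
    return found


def worst(verdicts: list[str]) -> str:
    return max(verdicts, key=SEVERITY.__getitem__, default="unknown")


def triage(events: list[dict]) -> list[TriagedOffense]:
    # Pass 1: index which offenses each indicator appears in (the correlation step).
    seen_in: dict[str, list[int]] = defaultdict(list)
    extracted = []
    for ev in events:
        inds = external_indicators(ev)
        for ind in inds:
            seen_in[ind].append(ev["id"])
        extracted.append((ev["id"], inds))

    # Pass 2: look up, apply the correlation rule, combine, and decide escalation.
    results = []
    for oid, inds in extracted:
        verdicts = []
        for ind in inds:
            v = THREAT_INTEL.get(ind, "unknown")
            if v == "unknown" and len(seen_in[ind]) >= CORRELATION_THRESHOLD:
                v = "suspicious"
            verdicts.append(v)
        verdict = worst(verdicts)
        related = sorted({o for ind in inds for o in seen_in[ind] if o != oid})
        results.append(TriagedOffense(oid, inds, verdict,
                                      SEVERITY[verdict] >= SEVERITY[ESCALATE_AT], related))
    return results


def escalated_ids(results: list[TriagedOffense]) -> list[int]:
    return [r.offense_id for r in results if r.escalate]


if __name__ == "__main__":
    for r in triage(SAMPLE_OFFENSES):
        print(f"offense {r.offense_id}: {r.verdict:<13} escalate={r.escalate} related={r.related}")
```

Offense 102 never reaches the feed for its internal source address and is closed as non-malicious on the strength of its domain; offenses 103 to 105 carry an indicator the feed has never seen, and it is the correlation across three open offenses, not any single lookup, that raises them to suspicious and puts them in front of an analyst with the related offense IDs attached.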

D3’s Response Dynamics Engine automates and unifies incident response in an integrated process that connects the entire incident lifecycle with proven playbooks to enhance task orchestration and a tailored, dynamic response that is continuously refined at every step. By combining D3’s centralized knowledge base and advanced automation to speed up threat validation, escalation, triage, and response, you can foster a dynamic threat response with reduced dwell time and rapid mitigation from the earliest stages of detection through the final phases of remediation. When you automate your incident response with D3 Cyber’s unified incident response platform, your organization’s incident response team benefits from a comprehensive, collaborative system that lessens the skills gap, maximizes your talent base, and empowers each team member to be more productive, efficient, and effective than ever before.


Alex MacLachlan

Alex is the Director of Marketing at D3. He oversees D3's marketing, communications, and digital programs. He enjoys fishing, "checking the analytics", playing golf and watching hockey - in that order.
