It’s a common problem in any workplace: you get so caught up dealing with a constant stream of tasks that you never have the chance to evaluate how you’re going about them. This can go on for months or even years before someone takes a step back and realizes that implementing selected process improvements could save time, money and effort in the long run.
At D3, we know security operations centers (SOCs) and incident response (IR) teams face this problem, particularly in the daily deluge of security alerts. Fortunately, technologies like D3 allow IR teams to streamline and automate key IR functions, easing the management of alerts and focusing resources on the threats and tasks that matter. Read the following five steps to find out how our customers have brought the adage “work smarter, not harder” into their SOCs and IR programs.
Every company has unique risks, assets and security priorities. So then why do so many companies use a cookie-cutter approach to risk management and incident response? In order to streamline your IR process, you need to zoom out and think about what, and where, your organization’s most important risks and assets are.
This initial assessment should inform every subsequent decision you make. What tools to use, what data to collect, how to set workflows, how to prioritize, etc. Building response solutions for the risks most applicable and damaging to your business are the first step to an effective, streamlined and risk management-guided IR program.
To start this process, identify your truly indispensable assets. For some companies, this will be their intellectual property. For example, think of the lengths that Coca-Cola and KFC have famously gone to protect their secret recipes. For other organizations, customer data might be a tempting target for attackers. Think of the massive breaches of personal information at Yahoo and Sony. Some industries are at elevated risk for specific methods of attack. For instance, ransomware is an increasingly common attack against healthcare organizations—as seen in the recent WannaCry campaign, which included the UK’s National Health Service among its many victims. Clearly, healthcare organizations should be prioritizing response for ransomware (a threat) and protecting patient data (an asset). Ask yourself what threats and assets exist in your industry?
One of the greatest sources of inefficiency in the IR process is the space between when an event is detected and when an analyst sees it. In many companies’ IR programs, analysts play catch-up against an unrelenting volume of events, most of which pose no genuine security threat.
In a streamlined program, a manageable number of events will be shown to analysts in the form of alerts. This queue will only contain significant incidents that require human input, with as few false positives as possible. The trick is to achieve this goal without missing any high-risk events, which requires a well-designed alert system.
The first step toward improving your alert system is to use an IR platform that integrates with your SIEM. This integration should allow you to configure a set of rules to automatically determine which events get escalated to your analysts, saving them the time required to manually sort through raw SIEM events.
Additional efficiency can be added by a solution that enriches escalated alerts with contextual SIEM data, external threat intelligence, and even relevant information from your previous incident records. This process provides your analysts with the full picture, giving them valuable data to inform fast and decisive action.
Another step you can take to reduce the strain put on your analysts is to emphasize building the narrative of security incidents. This means, rather than starting from scratch with each alert and manually gathering the information they need to understand it, the analysts are provided with information to contextualize the event.
A solution that supports this narrative-driven approach will build on the data gathering described in the previous step. This additional information may include link analysis, to demonstrate relationships and patterns connected to the incident; and entities, which are the people, places, and things related to the incident.
Your team has probably already experienced thousands (or, depending on the company, maybe millions) of events, so leveraging that data source is valuable as well. Link analysis, timelines, evidence tracking and historical incident records can all contribute valuable information to an incident’s narrative. Does the current incident have commonalities with past incidents? Is it part of a larger case or investigation? These are important questions to ask, in order to focus resources n the priorities and avoid duplicate or unnecessary work.
In many companies, analysts spend a great deal of time gathering and communicating information. This might include:
These are all important tasks, but they cause a lot of busywork for analysts who probably already have too much on their plates. This makes reporting a great area in which to save time by streamlining and automating some processes.
An efficient IR solution will keep centralized records of the information you need, and make it simple to share appropriate data sets. Pre-scheduled reports remove the need for continuous manual intervention, and case management features make collaboration and escalation easy, with full contextual information included.
Most companies have to do some amount of compliance reporting, and in highly regulated industries like finance, this can be hugely time-consuming. An IR platform with pre-built or customizable reports for your specific compliance needs will not only save your analysts time, but also ensure that the reports contain the precise information that your regulators require, thereby helping you avoid potential fines.
Though the name suggests a purely reactive function, it is a mistake to think that IR can’t help you reduce the number of events your team faces over time. If you treat IR like a game of whack-a-mole, beating back each incident as it pops up, then you’ll never reduce the volume. However, if you dig a bit deeper and conduct root cause analysis, then you can remediate the underlying issue that led to the incident in the first place. If it caused one incident, it’s probably caused a lot more, so root cause remediation can eliminate an entire range of recurring incidents.
Not all IR solutions have workflows to support root cause analysis and remediation, but they are among the best things you can do to streamline your IR program. It’s the difference between merely treating the symptoms and taking the time to understand the disease. The latter will lead to much less time spent being sick in the long run.
Cybersecurity is a marathon, even when the pace feels like a sprint. We know that it can be hard to convince senior leadership to free up some time and budget in the short term for savings and efficiency in the long term, but it is critically important. A streamlined IR process will keep you focused on the real threats to your business, and greatly reduce employee burnout. It’s an investment in your company’s future that is definitely worth making.