The cyber industry, and particularly Incident Response services and vendors, constantly preach that the sooner a business recognizes and faces a data breach in its infrastructure, the less impact there will be on its data, on the confidence shown by its customers and, ultimately, on its revenue. It’s rational and no one denies this premise.
Nevertheless, according to Ponemon surveys for 3 consecutive years, the average time to recognize that a data breach has happened is still around 6 months, followed by more than 2 months on average to deal with the problem. This translates into hundreds of billions in annual losses.
The challenges a digital business operation faces are proportional to the value of the data it manages, and the greater this value is, the more hostile the environment. Businesses have become aware of this situation and are equipped with various and expensive technological solutions that need people with the necessary knowledge and experience to manage them.
The number of people with the appropriate skillset for managing security incidents is limited, and if the required knowledge is missing in the organization, the tools acquired will only supply a fragmented view of the facts. This contradicts the assumption that the more you buy and integrate, the better your protection is, and it puts many CISOs in a tight spot when they need to explain how the large investment in software and expertise that they pushed for did not prevent the breach.
Without an organized incident management plan, with at least basic documentation and a division of responsibilities, it is very difficult, practically impossible even, to mitigate risk on time. The need for speedy resolution also contrasts with traditional solutions for monitoring indicators of compromise. The volume of alerts handled by analysts is very high at best, and their accuracy is questioned as the percentage of false positives keeps increasing, drawing analysts’ attention away from serious underlying problems.
Figure 1: Incident Response process
Collecting logs and converting them into alerts via a SIEM platform is a key step in timely detection of compromises. Many Security Operations Centers have begun to monitor their systems through SIEM solutions. However, alerts are not actionable on their own. They actually trigger the start of a process and make sense only when you analyze them in relation to the rest of the environment.
This process of validating and dealing with an attack requires extensive research across multiple systems and effective cooperation between the parties involved. Modern SOCs do not need just a monitoring system, but a complete solution that orchestrates the process to minimize risk in the shortest time, reducing detection and response time from months to hours and from hours to seconds.
It may sound excessive, but a typical false positive could be resolved in a few seconds by implementing automation enabled by a SOAR platform, allowing the analysts to invest their time in more serious and complex threats.
Containment must then continue with actions on multiple systems such as firewalls, EDR systems or other security devices, all through the centralized platform. Once the necessary actions have been taken, the analyst can close the incident and send a detailed report to the client. Going one step further, the process described above can be performed as part of an automated playbook so that analysts are not tied up with repetitive tasks such as the handling of known false positives, the automatic inhibition of low-risk true positives, and the prioritization of alerts.
Thus, a process that took a few hours per incident can take up to a few minutes, significantly increasing the capacity of the Security Operation Center and demonstrating the value of investing in an organized incident management plan.
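The playbook logic described above, as an added illustration that is not code from the article or from the SOCstreams platform: constructed SIEM-style alerts are triaged against a known-false-positive list, low-risk true positives are recorded without escalation, the rest are prioritized by severity, and high-severity alerts get containment actions (firewall block, EDR isolation) emitted as action records for the orchestration layer. All alert values, thresholds and action names are assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed sample alerts in the shape a SIEM might emit (not real data).
ALERTS = [
    {"id": "A1", "rule": "port_scan", "src": "10.0.0.5", "host": "vuln-scanner-01", "severity": 3},
    {"id": "A2", "rule": "malware_exec", "src": "203.0.113.9", "host": "ws-042", "severity": 8},
    {"id": "A3", "rule": "failed_login", "src": "10.0.0.7", "host": "ws-017", "severity": 2},
    {"id": "A4", "rule": "c2_beacon", "src": "198.51.100.4", "host": "ws-042", "severity": 9},
]

# Known false positives: (rule, host) pairs the SOC has already investigated,
# e.g. the authorized vulnerability scanner tripping port-scan rules every night.
KNOWN_FALSE_POSITIVES = {("port_scan", "vuln-scanner-01")}
LOW_RISK_THRESHOLD = 4   # true positives at or below this are logged, not escalated
HIGH_RISK_THRESHOLD = 8  # at or above this, the playbook also triggers containment


@dataclass
class Disposition:
    alert_id: str
    verdict: str                 # "false_positive", "low_risk" or "escalate"
    actions: list = field(default_factory=list)


def triage(alert):
    """Decide what the playbook does with one alert, without human involvement."""
    if (alert["rule"], alert["host"]) in KNOWN_FALSE_POSITIVES:
        return Disposition(alert["id"], "false_positive", ["close_ticket"])
    if alert["severity"] <= LOW_RISK_THRESHOLD:
        return Disposition(alert["id"], "low_risk", ["record_only"])
    actions = ["create_ticket", "notify_analyst"]
    if alert["severity"] >= HIGH_RISK_THRESHOLD:
        # Containment actions are emitted as records for the orchestration layer
        # (hypothetical action names), not executed here.
        actions += [f"firewall_block:{alert['src']}", f"edr_isolate:{alert['host']}"]
    return Disposition(alert["id"], "escalate", actions)


def run_playbook(alerts):
    """Triage all alerts; return escalations sorted by severity (highest first)
    plus a count per verdict for the closing report."""
    dispositions = [triage(a) for a in alerts]
    severity = {a["id"]: a["severity"] for a in alerts}
    escalations = sorted((d for d in dispositions if d.verdict == "escalate"),
                         key=lambda d: severity[d.alert_id], reverse=True)
    report = {v: sum(1 for d in dispositions if d.verdict == v)
              for v in ("false_positive", "low_risk", "escalate")}
    return escalations, report


if __name__ == "__main__":
    queue, summary = run_playbook(ALERTS)
    print(summary, [(d.alert_id, d.actions) for d in queue])
```

Of the four alerts only two reach an analyst, already ordered by severity and with the containment steps queued, which is the capacity gain the paragraph describes.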
I want to close with this premise: A company may have prepared its infrastructure to avoid a data breach, but we cannot assume that the prevention mechanisms can face every attempt to target a company’s data. That’s why it is important to have an organized incident management plan beforehand.
Once a company has accepted the mindset that it will be breached, and has agreed on the most efficient response plan for that breach, it can begin to select technologies and services that optimally streamline the incident management process.
Dionysia Adamopoulou has worked with multiple product teams in the cyber security, mobile marketing and service marketplace sectors. She believes that empathy towards user needs together with a strong strategy can build a successful product that reshapes cyber security and specifically advanced Incident Response. She owns the product leadership for The Enorasys SOCstreams platform.