[BreachExchange] How to Shed the Security Operations Doldrums

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 25 19:51:14 EDT 2018


https://www.securityweek.com/how-shed-security-operations-doldrums

As a security analyst, you’re probably stuck in the security operations
doldrums. You spend 80 percent of your time doing repetitive,
administrative tasks and only 20 percent (if you’re lucky!) on
investigative, challenging and rewarding work that stops the bad guys and
keeps your organization more secure. Security leaders suffer the effects of
the security operations doldrums as well. Here’s an all too familiar
scenario.

Every day security teams are bombarded with a massive amount of log and
event data from each point product within your layers of defense and/or
your SIEM. Not to mention the millions of threat-focused data points from
commercial sources, open source, industry and existing security vendors
that can be used to contextualize and prioritize these alerts. The noise
level is deafening. You can’t – nor should you – investigate everything.
So, you go with your gut, and pursue what seems high priority. You start
the tedious and time-consuming process of manually correlating logs and
events to see what is relevant and merits further investigation. Inevitably
you uncover conflicting information, and confusion mounts as data and
activity is referred to differently by different systems and teams across
your security operations. This happens all day, every day.

Security leaders must deal with the fallout. From a security perspective,
your teams are bogged down in mundane tasks and reacting to alerts. They
don’t have the time to combat real threats and conduct investigations
quickly to mitigate risk, or to proactively strengthen defenses. From a
human resources perspective, you also feel the pain. The existing
cybersecurity talent shortage makes it difficult to hire more people to
share the burden and equally difficult to retain the talent you have. As
employees become less engaged they are less productive and more likely to
leave. Turnover is expensive – costing companies up to 200 percent of an
employee’s annual salary. So how do you overcome the security operations
doldrums? Flip the equation so security teams spend 80 percent of their
time on investigative, challenging and rewarding work and only 20 percent
on repetitive, administrative tasks. To do this you need automation.

There’s a lot of talk in the security industry about automation. It helps
you get more from the people you have – handling time-intensive manual
tasks so they can focus on high-value, analytical activities. But if you
automate too late in the security lifecycle your efforts could backfire.
You need to introduce automation early, beginning with contextualizing
alerts and events for prioritization. And how do you add context? Through
threat intelligence, which has become the foundation to the activities your
security operations center handles.

By starting with prioritization of threat intelligence to ensure relevance
to your company and your environment, you can then understand which alerts
are higher in priority than others. Because you need to use multiple
sources of threat intelligence, you need a single platform to manage and
automate the process. Applying automation to score and prioritize the
massive amounts of threat data teams are bombarded with continuously not
only eliminates a lot of the manual tasks to determine relevance, it also
helps cut down on the noise. Intelligence feed vendors may provide “global”
scores but, in fact, these can contribute to the noise since the score is
not within the context of your company’s specific environment. Worse yet,
when uploaded to your SIEM or sensor grid they can generate more noise in
the form of false positives and security operators end up chasing ghosts.
By applying automation early, security analysts have the context they need
to understand real threats faster and can investigate only the high
priority alerts.

Automating threat intelligence prioritization also allows you to
proactively deploy the right intelligence to the right tools with greater
speed and confidence. You can immediately and automatically update your
sensor grid (i.e., firewalls, IPS/IDS, routers, web and email security,
endpoint, etc.) and alleviate much of the manual and fragmented effort
typically required. Security personnel can stay focused on their priorities
instead of having to stop what they are doing to log into each tool to
upload, test and deploy the latest intelligence. Depending on the amount of
data and your security infrastructure, automation can optimize processes
that would otherwise require a small army of full-time security analysts to
do manually.

When security teams and automation come together early in the security
lifecycle, you’re positioned for success. You spend less time in alert
triage and more time using threat intelligence to accelerate security
operations. That 20 percent becomes 50, 60 or even 80 percent, allowing you
to do more with the talent you have – and do it better and faster. With
security effectiveness measured by mean time to detection (MTTD) and mean
time to response (MTTR), shedding the security operations doldrums
mitigates risk to your organization and your team.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180625/de240604/attachment.html>


More information about the BreachExchange mailing list