In a recent webinar, Swimlane Founder and CEO Cody Cornell elaborated on four major causes of unsustainable security operations: an unprecedented volume of attacks, alert fatigue, antiquated response tools and a lack of qualified cyber security staff. To deal with these challenges, organizations have tried a number of different approaches, some of which work and some of which can actually do more harm than good.
In the webinar titled “Automating Security Operations,” Cornell explored a few mistakes that organizations commonly make in their attempts to overcome these challenges. These include:
1. Focusing on Alert Prioritization Instead of 100% Coverage
Many companies rely on a prioritization scheme to decide which alarms they should work on and in what order. The problem with this approach is that, given the massive volume of alarms they receive, organizations can only handle so much manually. Whatever falls below the cut-off is left unanswered. Besides being poor practice, since unmanaged events are left unattended in the environment, this creates audit risk and can lead to a range of unintended consequences.
As Cornell explained in his presentation, by the time an organization finally gets to its low-priority alerts, the dwell time will already be extremely long. In other words, the interval between detection of the suspicious activity and the response, which adds directly to the attacker's total time in the environment, will have stretched far beyond what is acceptable. This reduces the organization's ability to contain the threat at the earliest stage.
“In order to support the number of alerts that we’re seeing and to increase the capacity of our teams to respond to alarms, we’re looking at ways to amplify, optimize and streamline the way that organizations are responding to all security events and activities,” Cornell said. Today, alert prioritization simply doesn’t cut it.
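The capacity argument above can be made concrete with a small queue model. The following is an added example, not code from the webinar or from Swimlane; it uses the 10,000 events per day and roughly two minutes per event that the post cites, but the ten-analyst team, eight-hour shift and 10/30/60 priority mix are constructed assumptions. Analysts always work the highest-priority, oldest alert first, and an optional fraction of alerts is closed automatically on arrival.

```python
from collections import deque

# Constructed scenario. The 10,000 events/day and ~2 minutes per event
# come from the post; the priority mix and team size are assumptions.
EVENTS_PER_DAY = 10_000
MINUTES_PER_EVENT = 2
PRIORITY_MIX = {1: 0.10, 2: 0.30, 3: 0.60}   # 1 = highest priority


def daily_capacity(analysts, shift_hours, minutes_per_event=MINUTES_PER_EVENT):
    """Alerts a team can work per day if every alert costs minutes_per_event."""
    return analysts * shift_hours * 60 // minutes_per_event


def simulate(days, capacity, events_per_day=EVENTS_PER_DAY,
             mix=PRIORITY_MIX, automated_fraction=0.0):
    """Strict priority-order triage with a fixed daily capacity.

    Each day a fresh batch of alerts arrives; analysts consume the queue
    highest priority first, oldest first within a priority. Alerts handled
    automatically never enter the manual queue. Returns, per priority, how
    many alerts were worked, the worst dwell time in days between arrival
    and being worked, and how many remain unworked at the end.
    """
    queues = {p: deque() for p in mix}          # entries: [arrival_day, count]
    stats = {p: {"worked": 0, "max_dwell_days": 0, "unworked": 0} for p in mix}

    for day in range(days):
        manual = round(events_per_day * (1 - automated_fraction))
        for p, share in mix.items():
            n = round(manual * share)
            if n:
                queues[p].append([day, n])

        budget = capacity
        for p in sorted(mix):                    # highest priority first
            q = queues[p]
            while q and budget:
                arrived, count = q[0]
                take = min(count, budget)
                stats[p]["worked"] += take
                stats[p]["max_dwell_days"] = max(stats[p]["max_dwell_days"], day - arrived)
                budget -= take
                if take == count:
                    q.popleft()                  # whole batch cleared
                else:
                    q[0][1] -= take              # partially cleared, stays at head

    for p in mix:
        stats[p]["unworked"] = sum(count for _, count in queues[p])
    return stats


if __name__ == "__main__":
    cap = daily_capacity(analysts=10, shift_hours=8)
    print("manual only:      ", simulate(5, cap))
    print("80% automated:    ", simulate(5, cap, automated_fraction=0.8))
```

With ten analysts the team clears 2,400 alerts a day against 10,000 arriving, so the high-priority tier is always worked the same day, the medium tier builds a backlog whose dwell time grows every day, and the low tier is never touched at all. Routing 80% of the volume to automated handling drops the manual load below capacity and every remaining alert is worked on the day it arrives, which is the point the webinar makes: prioritization decides the order of the backlog, it does not shrink it.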
2. Ignoring Half of the Security Operations Lifecycle — Incident Response
Organizations today use a range of modern detection technologies to surface security alarms, activities and tasks, from User Behavior Analytics (UBA) to Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR) and threat intelligence platforms.
Many organizations have invested heavily in such detection tools over the last couple of decades; however, a shift is now under way as organizations realize that it is the back end of the lifecycle, incident response, that needs to be matured. For organizations that ignore or fail to recognize the need to mature back-end security operations, the consequences are likely to be heavy.
3. Relying on Antiquated and/or Manual Response Tools and Mechanisms
It is not uncommon to see organizations still resolving threats with outdated response tools such as text files, spreadsheets or legacy ticketing systems, Cornell said. Others still run manual command-line actions for every alert.
These tools and mechanisms remain in place simply because they are what front-line staff have been conditioned to know and do. Research has shown that organizations deal on average with upwards of 10,000 security events per day, which at roughly two minutes per event equates to an impossible 333 hours of work per day. It is clear that manual, archaic processes are unrealistic and will do more harm than good.
At the same time, the number of people who can handle security alerts and tasks the way they actually need to be handled is small, and hiring such trained individuals can be very expensive for organizations, said Cornell. This is a massive struggle for organizations today.
Want to learn more about security operations best practices or an effective alternative to these potentially dangerous methods? Request Access to Swimlane’s recent webinar “Automating Security Operations”.
The post 3 Major Security Operations Mistakes appeared first on Swimlane.