A fire department in a large city certainly has a difficult job but its mission is fairly straightforward. When a fire is detected, the fire department dispatches an appropriately sized staff to assess, contain, and put out the fire, clean up, investigate what happened, and prepare themselves for the next blaze.
Yup, a pretty simple process when a manageable number of fires are burning but what would happen if there were hundreds or thousands of simultaneous infernos? My guess is that a senior fire chief (and perhaps other participants from local government and law enforcement) would have to make decisions on which blazes to resource and which to ignore. These decisions would certainly be based upon information analysis and best practices but there is still some risk that the disregarded fires would end up being far worse than expected, turn into disasters, and call into question the judgement of all involved.
This example is a useful analogue for incident response at large organizations. On any given day, enterprises face a cacophony of security alerts that need further investigation but they tend to lack the skills and resources to look into each one.
Incident Response Research
Recent ESG research illustrates the scope of this problem: 42% of cybersecurity professionals working at enterprise organizations (i.e., more than 1,000 employees) claim that they ignore a “significant number of security alerts” because they can’t keep up with the volume, while another 32% say that they ignore “a marginal number of security alerts” for the same reason.
Just how many alerts are we talking about? Well nearly one-third (31%) of organizations forced to ignore security alerts claim they ignore 50% or more security alerts because they can’t keep up with the overall volume. Yikes!
Like the firefighting scenario described above, human beings must reach decisions on which alerts to pursue and investigate and which to ignore. Oh and even those alerts that are deemed worth looking into must be prioritized based on objective data, an escalation process, and the instincts of the IR team. Sometimes they get it right and sometimes they don’t. The 2013 data breach at Target is an example of where IR professionals ignored several security alerts, rolled the dice, and lost.
Incident Response Suggestions
What can be done to improve this situation? Well we can’t hire our way out of the situation due to the global cybersecurity skills shortage. Given this, allow me to provide a few suggestions:
- Make sure your organizations have a formal and documented IR plan. This NIST Computer Security Incident Response Guide can provide a good example of best practices.
- Ensure that cybersecurity and IT staff have the proper training for IR. The SANS institute offers good incident response training courses for example.
- Find and fix the process bottlenecks. Assess every task associated with IR and figure out where things slow down. Is it data collection? Analysis? Decision making? The handoff from security to IT? Fixing these issues will likely span beyond the cybersecurity team to IT and business management so get CIOs, HR heads, legal, and the CEO involved.
- Investigate the IR capabilities of your SIEM platform. Several SIEMs including IBM QRadar (i.e., Resilient Systems), LogRhythm, and Splunk offer functionality for IR. This can help streamline processes as these capabilities are tightly integrated with SIEM features for incident data gathering and analysis.
- Evaluate incident response platforms for IR automation and orchestration. ISVs like Hexadite, Phantom, and ServiceNow offer products and services to help automate and orchestrate IR. Automation and orchestration can be applied in several areas:
- To accelerate data collection for investigations.
- To orchestrate IR workflow, especially between security and IT operations personnel.
- To automate remediation actions like launching vulnerability scans or generating a rule for blocking suspicious IP addresses, URLs, and domains.
- Follow the progress with machine learning algorithms. While immature today, analytics tools based upon structured and unstructured machine learning hold great potential to filter through security alert noise for root cause analysis. Large organizations should keep their eyes on developments in this area.
- Get cyber insurance. Transfer some of the risk of making mistakes through cyber insurance policies.
- Outsource the whole enchilada. If you can’t keep up, don’t fake it. Find a third-party like Cylance, Crowdstrike, FireEye, RSA, SecureWorks, or Symantec who can.
The goals here: Increase the number of alerts for investigation, improve decision making and prioritization, increase IR process efficiency, and decrease risk. Simple objectives? Yes, but difficult tasks. Nevertheless, IR is a mission-critical activity, thus IR improvement should be a priority for all CISOs.