
Ben Todd at Dynatrace describes how new regulations are driving an urgent need for a fresh approach to security analytics
In recent years, a spate of new regulations – NIS2, DORA and the SEC's cyber-security disclosure rules – has introduced stringent reporting requirements, pushing security incident reporting to the top of the agenda for many organisations.
One of the most comprehensive of these regulations for EU-based organisations – DORA – will apply from 17th January 2025 and places an increased emphasis on continuous monitoring and data management to both mitigate the impact of vulnerabilities, and help organisations improve their reporting when incidents occur.
Even with the initial notification window for a major incident set at 24 hours from the moment an organisation becomes aware of it (and four hours from the moment it classifies the incident as major), DORA compliance requires a faster, more effective approach to identifying, classifying and notifying authorities of material security incidents.
They are therefore looking to strengthen their security analytics processes, to enable their teams to investigate incidents and determine the root cause and impact of compromised systems more quickly.
Mature security analytics practices are also key to understanding risk exposure, identifying vulnerabilities before they can be exploited, and remaining compliant with tighter regulatory requirements.
While the new regulations are not prescriptive about the specific reporting processes or tools organisations must adopt to manage their risk exposure, they do set minimum standards that must be met. However, most organisations lack a baseline understanding of their risk exposure, and many do not use specialised tools for security reporting at all.
Instead, they use spreadsheets to check against standards, manually logging information about incidents and vulnerabilities after the fact. Beyond the significant workload this creates, it introduces uncertainty into the reporting process: nothing is captured automatically, so the record depends on every individual entering accurate information every time an incident occurs.
These manual reporting efforts exacerbate the already common issue of a lack of standardisation across large organisations. Different teams often use their own toolsets or processes to monitor individual environments, and there is rarely a single source of truth about company-wide security posture. This means it takes time for teams to pull the required data from different sources to compile security reports.
It is only through standardising the security analytics and reporting process that organisations can empower their teams to drive compliance with confidence and efficiency.
Given the stricter reporting requirements of the new regulations, many organisations will need to rethink their approach to security analytics. There are three areas where improvements to existing workflows can deliver significant value:
1. Streamline data
Under DORA, organisations must send an initial notification of a major ICT-related incident within 24 hours of becoming aware of it, followed by an intermediate report and a final report. This becomes much easier if they converge all of their observability, security and business event data into one unified platform. By doing this, organisations create a single source of truth to draw from for all reporting, which is crucial in time-sensitive scenarios such as major incidents.
Once converged into one source, it becomes easier to understand the context behind individual data streams. As a result, data can be used for more effective security analytics. Organisations can access more actionable insights that help them to iteratively improve their incident response capabilities.
This process also enables organisations to turn down incident noise by centralising alerts and using runtime context (which host fired the alert, which environment it belongs to, whether it is internet-facing) to filter out false positives and duplicates. In this way, large volumes of events are reduced to the few that matter, making it easier to diagnose the root cause of incidents, lowering stress for security engineers, and allowing them to focus on implementing fixes and reporting incident details clearly and accurately.
2. Automate threat response
Automation provides an effective route to reducing the toil of incident noise without growing the security team. Responding to events automatically reduces teams' workloads from managing hundreds or thousands of security events at a time to focusing on a handful of high-priority ones. This significantly decreases the load on security engineers, especially during major incidents.
Automation is also a form of future proofing. Cloud-native technology stacks generate telemetry at a volume that no team can triage by hand. By automating compliance checks and reporting, organisations reduce the need for extensive manual work, make vast datasets manageable, and free up valuable resources so that teams can focus on innovation and on enhancing customer experiences.
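The two areas above, converging alert feeds into one schema and then automating the noise reduction, can be shown in a few dozen lines. The following is an added example and not code from the original article or from Dynatrace: it takes two constructed alert feeds (a JSON export and a syslog-style text feed), normalises them, collapses repeats of the same host/rule pair within a ten-minute window, suppresses rules that are known false positives for a given environment using a hypothetical asset inventory, ranks what is left by severity and exposure, and computes the DORA initial-notification deadline from the awareness and classification times. All hosts, rules, inventory entries and suppression rules are invented for the example.

```python
"""Added example: normalise, deduplicate, suppress and rank security alerts.
Feeds, asset inventory and false-positive rules are constructed for illustration."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: a JSON-style feed (think WAF or SIEM export) ...
JSON_ALERTS = [
    {"ts": "2025-01-20T08:00:05Z", "host": "web-01", "rule": "SQLi attempt", "sev": 4},
    {"ts": "2025-01-20T08:00:09Z", "host": "web-01", "rule": "SQLi attempt", "sev": 4},
    {"ts": "2025-01-20T08:02:11Z", "host": "web-01", "rule": "SQLi attempt", "sev": 4},
    {"ts": "2025-01-20T08:30:00Z", "host": "lab-07", "rule": "Port scan", "sev": 2},
]
# ... and a syslog-style text feed (think EDR), also constructed.
TEXT_ALERTS = """\
2025-01-20T08:01:00Z edr host=db-02 rule="Credential dumping" sev=5
2025-01-20T08:01:30Z edr host=web-01 rule="SQLi attempt" sev=4
2025-01-20T09:00:00Z edr host=lab-07 rule="Scanner binary executed" sev=3
"""
# Hypothetical runtime/asset context that the alert engines alone do not have.
ASSETS = {
    "web-01": {"env": "prod", "exposed": True, "service": "payments"},
    "db-02": {"env": "prod", "exposed": False, "service": "payments"},
    "lab-07": {"env": "test", "exposed": False, "service": "none"},
}
# Hypothetical known false positives: (environment, rule) pairs that are expected noise.
KNOWN_FP = {("test", "Port scan"), ("test", "Scanner binary executed")}
DEDUP_WINDOW = timedelta(minutes=10)
TEXT_RE = re.compile(r'^(\S+) \S+ host=(\S+) rule="([^"]+)" sev=(\d)$')


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalise(json_alerts, text_alerts):
    """Map both feeds onto one schema: ts, source, host, rule, sev (sorted by time)."""
    events = [{"ts": parse_ts(a["ts"]), "source": "json", "host": a["host"],
               "rule": a["rule"], "sev": a["sev"]} for a in json_alerts]
    for line in text_alerts.splitlines():
        m = TEXT_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than stall the pipeline
        ts, host, rule, sev = m.groups()
        events.append({"ts": parse_ts(ts), "source": "edr", "host": host,
                       "rule": rule, "sev": int(sev)})
    return sorted(events, key=lambda e: e["ts"])


def deduplicate(events, window=DEDUP_WINDOW):
    """Collapse repeats of the same (host, rule) seen within `window` of the first one."""
    open_records, kept = {}, []
    for e in events:
        key = (e["host"], e["rule"])
        prev = open_records.get(key)
        if prev and e["ts"] - prev["first_ts"] <= window:
            prev["count"] += 1
            prev["last_ts"] = e["ts"]
            prev["sources"].add(e["source"])
            continue
        rec = {"host": e["host"], "rule": e["rule"], "sev": e["sev"], "count": 1,
               "first_ts": e["ts"], "last_ts": e["ts"], "sources": {e["source"]}}
        open_records[key] = rec
        kept.append(rec)
    return kept


def suppress_known_fps(records, assets=ASSETS, known_fp=KNOWN_FP):
    """Drop records whose (environment, rule) pair is a documented false positive."""
    return [r for r in records
            if (assets.get(r["host"], {}).get("env"), r["rule"]) not in known_fp]


def prioritise(records, assets=ASSETS):
    """Score = severity, +2 for production hosts, +1 for internet-exposed hosts;
    ties are broken by how many raw alerts the record absorbed."""
    for r in records:
        a = assets.get(r["host"], {})
        r["score"] = r["sev"] + (2 if a.get("env") == "prod" else 0) + (1 if a.get("exposed") else 0)
        r["service"] = a.get("service", "unknown")
    return sorted(records, key=lambda r: (r["score"], r["count"]), reverse=True)


def dora_initial_deadline(aware_at, classified_major_at):
    """Initial notification is due within 4 hours of classifying the incident as major
    and no later than 24 hours after becoming aware of it, whichever comes first."""
    return min(classified_major_at + timedelta(hours=4), aware_at + timedelta(hours=24))


def triage(json_alerts=JSON_ALERTS, text_alerts=TEXT_ALERTS):
    return prioritise(suppress_known_fps(deduplicate(normalise(json_alerts, text_alerts))))


if __name__ == "__main__":
    for r in triage():
        print(f'{r["score"]}  {r["host"]:7} {r["rule"]:20} x{r["count"]} '
              f'sources={sorted(r["sources"])} service={r["service"]}')
    aware = parse_ts("2025-01-20T08:01:00Z")
    print("initial notification due by", dora_initial_deadline(aware, aware + timedelta(hours=6)))
```

On the constructed input, seven raw alerts across two feeds become two ranked records: the SQL injection burst on the exposed production web host (four alerts, seen by both feeds) and the credential-dumping alert on the production database, while both lab-host alerts are suppressed as expected test-environment noise. The deduplication key and the suppression list are deliberately simple; in practice both would be driven by the asset inventory and the tuning history rather than hard-coded.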
3. Implement new use cases for AI
Organisations across the technology sector continue to find new uses for AI. In security analytics and reporting, AI tools can help to surface incidents in near real time and to narrow down their cause and impact more quickly than manual investigation.
AI can also help identify critical exposures and prioritise their resolution. This frees security teams from a reactive, war-room mentality and lets them drive more proactive, secure-by-design practices across the organisation.
AI tools also help teams manage incident post-mortems, and are a useful aid in gathering information and drafting reports. These have traditionally been time-consuming tasks, which makes them hard to complete well within the deadlines the new regulations impose.
With a number of fresh regulations significantly ramping up reporting obligations, organisations must ensure they can empower their teams with accurate, timely insights. This is not just a question of remaining compliant, but also strengthening the organisation’s security posture.
By embracing a more intelligent and automated approach to security analytics, organisations can lift much of the burden of incident reporting and compliance from their teams, leaving them free to focus on faster, more secure innovation and on bringing greater value to the organisation.
Ben Todd is RVP Security EMEA at Dynatrace
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543