How do you shoot down a missile before it hits its target? That’s the problem facing today’s incident response teams. As cyberattacks increase in volume and velocity, the security operations centre (SOC) handling incident response is the nexus for this challenge.
The SOC must find new efficiencies in its bid to hold back the rising tide of cybersecurity threats. It can begin by rethinking its cultural makeup and its technical approach, revealing opportunities to increase its effectiveness.
The growing importance of incident response
It’s there in black and white: a well-honed incident response (IR) operation can deliver an impressive return on investment. The 2020 Ponemon Institute Cost of a Data Breach Report reveals that data breaches cost $3.29 million for companies with an IR team that regularly tests its IR plan. That’s $2 million less than companies without an IR team.
In many data breach incidents, the cost is more than financial. No organisation exists in a vacuum. We’re all part of a broader value chain, so an incident in one place can cause adverse effects a long way away. Some of those effects can be painfully personal.
Take the cyber theft at Vastaamo, Finland’s largest private therapy centre, in which attackers not only stole thousands of patients’ sensitive records, but blackmailed those people directly, threatening to release their details. That incident, in which vulnerable people were placed at direct risk, is a clear example of a data breach’s real human cost.
Time is a critical factor. So how do we save it?
With the stakes so high, detecting and handling cyber threats properly is critical. How can SOCs measure their success and improve it?
The IR process incorporates several stages: minimising risk, identifying the incident, containment, response, clean up and recovery. Time is a critical factor in most of these stages. Agile, efficient response is critical, whether you’re detecting an attack or neutralising it.
As attackers become faster and more pernicious, SOCs are having trouble responding at speed. One factor holding them back is that they often don’t use tools cohesively.
When facing shifting threats from attackers using a wide variety of techniques, many SOCs look for technologies to help them cope. A common response is to install a panoply of tools. SOCs don’t always do that strategically. People have a tendency, when dealing with unknowns, to over-prepare with tools rather than ensuring that they can adapt.
When teams install security tools on a piecemeal basis, they can end up with a disjoined ‘frankenstack’ of security tools that don’t interoperate well. This can leave the SOC without a unified workflow. They lack automated remediation capabilities, which leaves SOCs relying too heavily on human interaction. People must fill in the gaps left by the technology, but they cannot do so at speed. Human bottlenecks render the organisation vulnerable.
Poor interoperability leaves critical security information languishing in different silos. Analysts end up flying blind. The data they do have hasn’t been properly filtered by a coordinated tool chain, increasing the signal-to-noise ratio and making attacks harder to spot. SOCs end up with too many false positives, making it hard to sift through data to find the alerts that matter. They also lack the contextual data that could give them a more complete picture of an emerging threat, understanding its shape, significance and scope.
These weaknesses leave SOCs with a disjointed IR process that is difficult to control and understand. Operatives end up with too many options at each step in the process, and they lack the collaboration platform they need for a fast response.
No wonder, then, that the Ponemon report found security system complexity to be the single most expensive factor when assessing the cost of a data breach. It increased the cost of a data breach by $292,000 on average.
The way forward
Your SOC has the power to overcome these challenges. At the top of your list should be an assessment of your current IR process. Begin that assessment with a focus on outcomes. Everything should be geared to achieving pre-set goals.
Those goals should be measurable by tying them to specific metrics. You must evaluate the metrics that you’re using to measure your success. Look for areas that you’re not measuring well and that could be leaving you vulnerable to poor performance. Can you decompose them into factors and identify what would influence them positively?
At early stages in the IR chain, those metrics should be geared to prevention. How are you assessing the level of risk to various assets and its potential effect on the organisation? Are you taking a mathematical approach to triaging risk based on the resources available?
At later stages in the process, your metrics should address the time taken to identify, contain and neutralise incidents, along with the time taken to recover.
With appropriate measurement techniques at your disposal, you can work on building a seamless end-to-end IR process with clear procedures and roles, so that no threat falls through the cracks.
Integrate your tool set to support this process. An idea tool chain will support harmonised data flows that reduce or eliminate the number of hand-offs and tool or platform changes. Operatives will be able to handle tasks like changing firewall rules across the board without having to ask each platform owner individually for assistance. They will have full visibility into the history and scope of a threat. They will also enable analysts to see everything inside one familiar environment, saving them time and brain power by eliminating context switching. The result? Processes that took days could be executed in minutes.
An integrated tool chain will provide a solid platform for automation. Defining automated workflows to support your IR process will cut down on human interaction and reduce latency at each step. This will have a positive impact on those time-based metrics while leaving human analysts to focus on nuanced decisions.
This optimisation process carries profound ramifications for your SOC. Done well, it will enable you to convert a reactive approach to IR into a forward-looking one, driven by clear objectives such as early detection and fast containment rather than fear of the unknown. We have spent too long relying purely on prior knowledge, which stops us detecting and defending against new attacks. A new approach will leave you more attuned to emerging threats and more able to jump on them when they surface.
by Jan Tietze, Director of Security Strategy EMEA, SentinelOne