The CNN Factor Adds More Complexity to Security Operations
Security Teams Need the Ability to Collaborate and Coordinate to Make Better Use of the Talent and Data They Already Have
We all know that security teams are drowning in a sea of alerts, largely driven by a defense-in-depth strategy with layers of protection that aren’t integrated and create a massive amount of logs and events. If you need further evidence, Cisco’s 2018 Annual Cybersecurity Report (PDF) found that among organizations using 50+ vendors, 55 percent say orchestrating security alerts is very challenging and for those with 21-50 vendors, 43 percent are struggling. The result? On average, 44 percent of alerts are not investigated and of those investigated and deemed legitimate, nearly half (49 percent) go un-remediated!
Compound that reality with the “CNN Factor” – global cyberattacks that garner widespread interest and trigger calls from management – and you’ve got a situation that is quickly becoming untenable. It isn’t sufficient for security teams to prevent, detect and respond to attacks. Security teams also must be able to proactively investigate and understand what the latest, large-scale cyber campaign means to their organization.
Yet Cisco’s study finds, “One reason [alerts go un-remediated] appears to be the lack of headcount and trained personnel who can facilitate the demand to investigate all alerts.” So how can security teams handle the fallout from the headlines along with their daily list of “to-dos?” They need a force multiplier – the ability to collaborate and coordinate to make better use of the talent and data they already have. This will not only help them respond more effectively and efficiently to alerts, but also address the inevitable flurry of questions every time a large-scale attack happens and take action as needed.
Collaborate. It isn’t just security tools that are siloed; security teams typically operate in silos as well, and that includes all the members of your threat intelligence program – threat intelligence analysts, security operations centers (SOCs) and incident handlers, to name a few. When one team member researches an event or alert and doesn’t find information that is relevant to them, they tend to put that information aside and move on to the next task. But what if someone else in threat operations, conducting a separate investigation, could have benefitted from that work? Without the ability to collaborate as part of the workflow, key commonalities are missed, so investigations take longer or hit a dead end.
What’s needed is a single, shared environment that fuses together threat data, evidence and users, so that all team members involved in the investigation process can collaborate. Rather than working in parallel, they can automatically see how the work of others impacts and further benefits their own work. This embeds collaboration into the investigation process. Even in global organizations, with security teams spread around the world, collaboration is possible.
Coordinate. Now that teams have collaboratively investigated an event, an alert or the latest threat in the news cycle, the next step is to take action. Best case, they’re reporting back to management that the organization is prepared to withstand an attack or is successfully responding to an incident. Otherwise, they need the ability to coordinate the right actions faster, so they can report that they’re taking steps to mitigate risk. The challenge here is that most threat operations or investigations are rife with chaos as teams act independently and inefficiently.
A single, shared environment where managers of all the security teams can see the analysis unfolding allows them to coordinate tasks between teams and monitor timelines and results. Teams work faster and more effectively to mitigate risk. And when response activities take longer than a typical workday, coordinated efforts can continue. For example, actions taken by a team in New York can be picked up seamlessly by the next team on duty in Sydney.
Making better use of the resources you already have by working from the same set of threat data and coordinating all your teams for collaborative investigation and response just makes sense. It helps security teams overcome a long-time challenge of alert overload, and it allows them to better respond to added pressures when threats make headline news and ripple through the executive suite.
Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Phantom Cyber.