Fast is Never Enough for Security Incident Response – It Needs to Get Smart


Incident response isn’t always a matter of speed. It’s a matter of intelligence. Just like Agent 86, it needs to Get Smart!

Each user in a small business will be sent an average of nine malicious emails a month. Malicious attacks are out there, and it isn’t enough to send an alert every time one is detected. In fact, it’s not feasible for most organizations to have a speedy, effective incident response to every potentially malicious alert.

Instead, security incident response has to get more intelligent. Network monitoring solutions need to not only spot a potential indicator of compromise but be able to explain the how and why of an alert so that analysts can make informed decisions. At the same time, these solutions need to prioritize security threats – and to mitigate threats automatically when able. Plus security response has to be able to grow smarter over time.

According to CSO Magazine, effective incident response is the best cybersecurity strategy for improving ROI; the more effective your response, the better your organization’s bottom line. But developing this effective security response isn’t just about checking alerts and making sure that someone responds to each alert. It’s about ensuring that the alerts are sent appropriately – i.e. for truly high-risk incidents – and that your resources are correctly deployed.

Why is Modern Security Incident Response So Challenging?

The landscape of cybersecurity is changing. When it comes to modern incident response, cybersecurity specialists face some big challenges:

  • Networks are rapidly growing in complexity. More endpoints mean more alerts. Security professionals need to manage an entire system, including all of the mobile devices and Internet of Things devices connected to it. Each additional endpoint can represent a vulnerability to the network.
  • Alerts don’t provide much real, actionable data. Security professionals may know that certain systems are showing abnormalities, but most security products don’t tell them what’s wrong or the severity of the issue. This makes it impossible for analysts to determine whether it’s worth looking into or not. Security analysts may need to hunt down every single alert, wasting their time and increasing the chances that they could miss the alert for the truly malicious attack.
  • Many alerts are false positives. Security solutions understandably err on the side of caution, issuing alerts when the security issue is unclear. Ultimately this can prompt analysts to suffer alert fatigue. When most alerts are false positives, most alerts will be treated as false positives. Eventually, many of these alerts are going to be ignored or delayed, and this makes it more likely that an important alert will be missed.
  • Each alert is treated as an independent issue, even when alerts are connected. Not only does this increase the volume of alerts – which again can lead to fatigue – but it also makes it harder for security professionals to identify the source of a problem. A single, large-scale attack may be treated as a multitude of network security threats, obscuring the real issue and making it harder to remediate. As long as the core issue isn’t dealt with, the attack and its associated alerts will continue to proliferate across the network.

The end result is that it is harder to spot a network breach or other security issue – and therefore remediate it – because there is such a large volume of activity and so much background noise. Small, isolated issues may be detected and remediated without the knowledge that it’s all part of a larger threat, and attacks can do substantially more damage before they are detected and stopped.

Security Incident Response Needs to Get Smart

As I mentioned above, it isn’t a matter of responding to incidents faster; it’s about responding to incidents smarter. Security analysts need a way of prioritizing alerts as well as automatically addressing simple security issues and dismissing alerts for activity that clearly is benign. Otherwise, there is simply no way to manage a large, modern network without a prohibitively huge security team.

Luckily, network traffic analytics is evolving and getting smarter to meet this challenge. The latest network monitoring solutions use AI to organize and present security alerts better. New, artificially intelligent solutions can:

  • Give analysts better insight. Rather than simply sending generic alerts, the network security solution can analyze the threat and provide helpful metadata. This tells analysts how serious the problem is and prepares them to manage the issue.
  • Automatically prioritize issues. Network solutions can identify which issues present the highest risk and therefore must be dealt with first. Thus, analysts don’t need to constantly guess whether an alert is worth their time.
  • Reduce the number of false positives. Through artificial intelligence and machine learning, and by applying knowledge of malicious behavior, new security response products can distinguish between malicious and benign alerts far more easily. Cutting down on false positives likewise cuts down on the potential for fatigue, so that security analysts follow up on individual threats with greater effectiveness.
  • Resolve and remediate threats. Monitoring solutions need to be able to address network security threats automatically, thereby reducing the amount of work that human agents have to do. The more advanced the software is, the more of these threats it will be able to automatically resolve.
  • Connect multiple alerts into incidents. New AI-driven suites are also able to identify when multiple alerts are part of a larger, overall incident. This gives analysts the information they need to cut to the core of the threat, rather than having to investigate and remediate numerous smaller incidents. It also increases the likelihood of completely remediating a multi-faceted attack, instead of addressing only some of the affected systems and leaving the attack in play.
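The three capabilities above (dismissing known-benign alerts, chaining related alerts into one incident, and ranking incidents by risk) can be illustrated with a small triage routine. This is an added example, not code from the original post or from any product; the alert schema, the allowlist, the 30-minute window and the scoring rule are all assumptions made here for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample alerts for one morning; the schema and values are assumptions, not a product's.
ALERTS = [
    {"id": 1, "ts": "2024-01-10T09:00:00", "host": "ws-17", "type": "phishing_email", "severity": 3},
    {"id": 2, "ts": "2024-01-10T09:04:00", "host": "ws-17", "type": "macro_execution", "severity": 5},
    {"id": 3, "ts": "2024-01-10T09:06:00", "host": "ws-17", "type": "c2_beacon", "severity": 8},
    {"id": 4, "ts": "2024-01-10T09:07:00", "host": "ws-17", "type": "lateral_smb", "severity": 7},
    {"id": 5, "ts": "2024-01-10T11:30:00", "host": "ws-22", "type": "port_scan", "severity": 2},
    {"id": 6, "ts": "2024-01-10T13:00:00", "host": "ws-22", "type": "c2_beacon", "severity": 8},
    {"id": 7, "ts": "2024-01-10T14:00:00", "host": "srv-db", "type": "port_scan", "severity": 2},
]
BENIGN = {("port_scan", "srv-db")}  # assumed allowlist: the scheduled vulnerability scan of srv-db
WINDOW = timedelta(minutes=30)      # assumed: same-host alerts this close together are one incident

def ts(alert):
    return datetime.fromisoformat(alert["ts"])

def dismiss_benign(alerts):
    """Drop alerts that match known-benign activity; return (kept, dismissed)."""
    kept = [a for a in alerts if (a["type"], a["host"]) not in BENIGN]
    return kept, [a for a in alerts if a not in kept]

def correlate(alerts):
    """Chain alerts on the same host into one incident when each follows the last within WINDOW."""
    incidents = []
    for a in sorted(alerts, key=lambda a: (a["host"], ts(a))):
        cur = incidents[-1] if incidents else None
        if cur and cur["host"] == a["host"] and ts(a) - cur["end"] <= WINDOW:
            cur["alerts"].append(a)
            cur["end"] = ts(a)
        else:
            incidents.append({"host": a["host"], "alerts": [a], "end": ts(a)})
    return incidents

def score(incident):
    """Worst single alert plus one point per extra distinct stage, so a phishing -> macro ->
    beacon -> lateral-movement chain outranks a lone high-severity alert."""
    stages = {a["type"] for a in incident["alerts"]}
    return max(a["severity"] for a in incident["alerts"]) + len(stages) - 1

def triage(alerts):
    """Return incidents ranked by risk (highest first) and the alerts auto-dismissed as benign."""
    kept, dismissed = dismiss_benign(alerts)
    incidents = correlate(kept)
    for inc in incidents:
        inc["score"] = score(inc)
        inc["ids"] = [a["id"] for a in inc["alerts"]]
        inc["chain"] = " -> ".join(a["type"] for a in inc["alerts"])
    return sorted(incidents, key=lambda i: i["score"], reverse=True), dismissed
```

On the sample data the four ws-17 alerts collapse into one top-ranked incident whose chain reads phishing_email -> macro_execution -> c2_beacon -> lateral_smb, the two ws-22 alerts stay separate because 90 minutes apart, and the scanner's port scan of srv-db is dismissed without reaching an analyst.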

Advanced Network Traffic Analysis (NTA) technology can provide the smarts that an effective security incident response process now requires – not just the speed at which incidents are resolved, but also the intelligence involved in the process. Through artificial intelligence, next-generation solutions can give analysts the information, insight, and context they need to prioritize their incident response and completely remediate attacks while automatically dealing with clear-cut alerts.

Bert Rankin


Bert Rankin has been leading technology innovation for over 25 years including over 5 years in security solutions that prevent cybercrime. He is a frequent blogger and is often quoted in security-related articles. Bert earned his BA from Harvard University and an MBA at Stanford University.