5 obstacles to faster detection and response

We look at the key issues infosec professionals face in trying to keep organisations secure: alarm fatigue, swivel chair analysis, forensic data silos, fragmented workflow and lack of automation.

By Aled Herbert

Fri 4 Aug 2017 @ 15:37

The security landscape is evolving constantly and rapidly. In the past, defences were focused on the perimeter, on stopping attackers getting in. Now the threat is inside too. Recent research indicates that 79 per cent of networks were breached in 2016, up from 62 per cent just three years ago.

Furthermore, the number and kinds of threat actors are increasing, from lone wolves and criminal gangs to ideological groups and nation states. Attacks themselves are also growing in volume, variety and sophistication.

Gartner has predicted that 2017 will be the year that detection and response becomes the main security priority for organisations. As security teams commit to detection and response, we look at five of the most common obstacles to effective threat management that need to be overcome.

Alarm fatigue

Alarm fatigue is common across many industries, including healthcare and construction, and cybersecurity teams know all about it too. The term refers to the condition where alarms are so frequent and commonplace that they are ignored. The result is that a genuine emergency is missed because so many other alarms 'cried wolf'.

With more and more threat actors launching more and more attacks, and hundreds or even thousands of sensors generating events, the volume of alarms can leave security teams struggling to identify real threats. The result can be a damaging cyber incident or data breach. According to a survey by IDC, 37 per cent of cybersecurity professionals reported facing 10,000 alerts per month, of which 52 per cent were false positives.
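Two of the standard ways of taking the volume down are worth seeing in code: collapsing repeated firings of the same rule from the same source into one queue item, and measuring each rule's false-positive rate from analyst verdicts so the noisiest rules get tuned first. The following is an added example written for this article, not code from the page or from IDC; the alerts, rule names and the five-minute grouping window are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not from the article): one noisy rule firing
# repeatedly from a single host, plus a few distinct, genuine detections.
# "reviewed" is the analyst verdict where one exists: "fp", "tp" or None.
SAMPLE_ALERTS = [
    {"ts": "2017-08-04T09:00:00", "rule": "DNS TXT query", "src": "10.0.0.5", "reviewed": "fp"},
    {"ts": "2017-08-04T09:00:30", "rule": "DNS TXT query", "src": "10.0.0.5", "reviewed": "fp"},
    {"ts": "2017-08-04T09:01:10", "rule": "DNS TXT query", "src": "10.0.0.5", "reviewed": "fp"},
    {"ts": "2017-08-04T09:02:00", "rule": "DNS TXT query", "src": "10.0.0.5", "reviewed": None},
    {"ts": "2017-08-04T09:03:00", "rule": "LSASS memory access", "src": "10.0.0.9", "reviewed": "tp"},
    {"ts": "2017-08-04T11:00:00", "rule": "DNS TXT query", "src": "10.0.0.5", "reviewed": "tp"},
    {"ts": "2017-08-04T11:00:05", "rule": "Outbound SMB to internet", "src": "10.0.0.9", "reviewed": "tp"},
]


def aggregate(alerts, window=timedelta(minutes=5)):
    """Collapse repeated (rule, src) alerts into one group while they keep
    firing within `window` of the previous alert in that group. Returns the
    groups in order of first occurrence, so the analyst queue shrinks from
    len(alerts) items to len(groups) without dropping any alert."""
    groups = []
    open_group = {}  # (rule, src) -> index of the group still accepting alerts
    for a in sorted(alerts, key=lambda a: a["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        key = (a["rule"], a["src"])
        idx = open_group.get(key)
        if idx is not None and ts - groups[idx]["last_seen"] <= window:
            groups[idx]["count"] += 1
            groups[idx]["last_seen"] = ts
            continue
        groups.append({"rule": a["rule"], "src": a["src"], "count": 1,
                       "first_seen": ts, "last_seen": ts})
        open_group[key] = len(groups) - 1
    return groups


def false_positive_rate_by_rule(alerts):
    """Per-rule false-positive rate over alerts that analysts have reviewed.
    Unreviewed alerts are left out rather than counted as either verdict."""
    fp = defaultdict(int)
    reviewed = defaultdict(int)
    for a in alerts:
        if a["reviewed"] is None:
            continue
        reviewed[a["rule"]] += 1
        if a["reviewed"] == "fp":
            fp[a["rule"]] += 1
    return {rule: fp[rule] / reviewed[rule] for rule in reviewed}


def tuning_candidates(alerts, threshold=0.5):
    """Rules whose reviewed false-positive rate is at or above `threshold`,
    worst first: the ones to tune before adding any new detections."""
    rates = false_positive_rate_by_rule(alerts)
    return sorted((r for r in rates if rates[r] >= threshold),
                  key=lambda r: rates[r], reverse=True)


if __name__ == "__main__":
    for g in aggregate(SAMPLE_ALERTS):
        print(f"{g['rule']:26} {g['src']:10} x{g['count']} "
              f"{g['first_seen']:%H:%M:%S}-{g['last_seen']:%H:%M:%S}")
    print("tune first:", tuning_candidates(SAMPLE_ALERTS))
```

On the constructed data the seven alerts become four queue items, and "DNS TXT query" comes out with a 75 per cent false-positive rate. Note the caveat the last DNS alert illustrates: the rule is noisy but its 11:00 firing was a true positive, so the answer is to tune the rule (or lower its priority) rather than switch it off, and to keep grouping rather than discarding the repeats.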

Swivel chair analysis

This is as much a user experience problem as a technological one. Swivel chair analysis refers to the absence of a single trusted interface for threat management and risk-based monitoring. Security analysts are often forced to use a variety of products and user interfaces to investigate and monitor potential threats. Moving from one screen to another, they have to link data to events by hand. Rather than assessing threats, they first need to assemble an elaborate jigsaw puzzle.

Forensic data silos

An effective detection and response strategy relies heavily on data from a variety of sources, principally security event and alarm data, log and machine data, and forensic sensor data. Too often, however, security teams lack a consolidated repository of that data and are forced to work with a variety of different sources and formats. Having to piece data together from different systems increases the time it takes to investigate.
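What "consolidated" means in practice is a common schema: each silo's native format is parsed into the same set of fields, so that a question like "what did this user do, across every source, in time order" is one query rather than three. The following is an added example written for this article, not code from the page; the syslog, EDR JSON and proxy CSV records are constructed, the field names are an assumption, and the syslog parser assumes the year 2017 because syslog timestamps carry none.

```python
import csv
import io
import json
import re
from datetime import datetime

# Constructed inputs (not from the article): one user's activity as recorded
# by three silos in three formats.
SYSLOG_LINES = [
    "Aug  4 09:03:01 ws-17 sshd[2211]: Accepted password for alice from 10.0.0.9 port 51022 ssh2",
    "Aug  4 09:10:15 ws-17 sshd[2290]: Failed password for root from 10.0.0.9 port 51100 ssh2",
]
EDR_JSON_LINES = [
    '{"timestamp": "2017-08-04T09:04:12Z", "hostname": "ws-17", "user": "alice", '
    '"event": "process_start", "image": "powershell.exe", "cmdline": "-nop -w hidden -enc SQBFAFgA"}',
]
PROXY_CSV = (
    "time,client_ip,user,url,status\n"
    "2017-08-04 09:05:30,10.0.0.9,alice,http://203.0.113.7/update.bin,200\n"
)

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
SSHD_RE = re.compile(r"^(Accepted|Failed) \w+ for (\S+) from (\S+)")


def normalise_syslog(line, year=2017):
    """BSD syslog line -> common record. Only sshd auth messages are
    decoded into an action; anything else keeps its raw message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hms, host, prog, msg = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    user, src_ip, action = None, None, f"{prog}: {msg}"
    s = SSHD_RE.match(msg)
    if prog == "sshd" and s:
        action = "ssh_login_ok" if s.group(1) == "Accepted" else "ssh_login_failed"
        user, src_ip = s.group(2), s.group(3)
    return {"ts": ts, "source": "syslog", "host": host, "user": user,
            "src_ip": src_ip, "action": action, "detail": msg}


def normalise_edr(line):
    """One JSON-per-line EDR event -> common record."""
    d = json.loads(line)
    return {"ts": datetime.strptime(d["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "source": "edr", "host": d["hostname"], "user": d["user"], "src_ip": None,
            "action": d["event"], "detail": f'{d["image"]} {d["cmdline"]}'}


def normalise_proxy(text):
    """Proxy CSV export -> list of common records."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append({"ts": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
                    "source": "proxy", "host": None, "user": row["user"],
                    "src_ip": row["client_ip"], "action": f'http_{row["status"]}',
                    "detail": row["url"]})
    return out


def load_all():
    """One list, one schema, sorted by time: the consolidated repository an
    investigation would otherwise have to assemble by hand."""
    events = [e for e in map(normalise_syslog, SYSLOG_LINES) if e]
    events += [normalise_edr(line) for line in EDR_JSON_LINES]
    events += normalise_proxy(PROXY_CSV)
    return sorted(events, key=lambda e: e["ts"])


def timeline(events, user):
    """Every event any silo attributes to `user`, in time order."""
    return [e for e in events if e["user"] == user]


if __name__ == "__main__":
    for e in timeline(load_all(), "alice"):
        print(f"{e['ts']:%H:%M:%S} {e['source']:6} {e['action']:14} {e['detail']}")
```

With the three sources normalised, the interactive login, the encoded PowerShell launch a minute later and the binary download from the proxy log line up as one sequence for one user. The same records would otherwise sit in three tools with three clocks and three notions of "user", which is the jigsaw puzzle the article describes.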

Fragmented workflow

Security teams don't always have formal processes or tools that ensure high-priority threats are tracked to resolution. Email and spreadsheets become inefficient substitutes for appropriate tools. Just as with swivel chair analysis, teams need the right tools to respond to threats; instead they struggle with UIs, diverse software and fragmented processes. Threats can slip through when early indicators that were caught are forgotten because they were never tracked to full resolution.

Lack of automation

The sheer number of threats is overwhelming security teams that have no automation in place. Organisations haven't found ways to automate routine incident response actions effectively, so teams perform every activity manually. As a result few investigations can be conducted, and a single incident can become all-consuming, leaving other threats without the attention they need. Recent research found that the average time for first responders to become engaged in an incident was 27 minutes. Automated solutions can reduce this to five minutes or less, which represented $190,000 in savings per major IT incident, according to security communications firm Everidge.
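The last two obstacles, fragmented workflow and lack of automation, are usually solved together: a case record with enforced states so nothing is closed without triage and "contained" is never mistaken for "resolved", plus a playbook that does the routine enrichment and the high-confidence containment before a human is paged. The following is an added example written for this article, not code from the page or from Everidge; the denylist, trusted-signer list, detections and 24-hour SLA are constructed, and `isolate_host` stands in for whatever EDR isolation call an organisation actually has.

```python
from datetime import datetime, timedelta
from itertools import count

# Constructed reputation data (not from the article): the kind of local
# allow/deny lists a SOC consults before paging a human.
KNOWN_BAD_SHA256 = {"cafebabe" * 8}
TRUSTED_SIGNERS = {"Example Corp IT"}

# Allowed state transitions. Anything else raises, so a case cannot skip
# triage and containment never counts as resolution.
TRANSITIONS = {
    "OPEN": {"TRIAGED"},
    "TRIAGED": {"CONTAINED", "RESOLVED"},
    "CONTAINED": {"RESOLVED"},
    "RESOLVED": set(),
}
DEMO_NOW = datetime(2017, 8, 4, 15, 37)  # constructed reference time
_ids = count(1)


class Case:
    def __init__(self, detection, opened):
        self.id = next(_ids)
        self.detection = detection
        self.opened = opened
        self.status = "OPEN"
        self.history = [(opened, "system", "case opened")]
        self.actions = []  # automated response actions taken, for the audit trail

    def transition(self, new_status, actor, note, ts):
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.status} -> {new_status} not allowed")
        self.status = new_status
        self.history.append((ts, actor, note))


def isolate_host(case, host, ts):
    """Stand-in for an EDR network-isolation call; records the action."""
    case.actions.append(("isolate_host", host, ts))


def run_playbook(case, ts):
    """Automated triage for a malware-style detection: enrich from local
    lists, contain what is known bad, close what is known good, and leave
    only the genuinely ambiguous cases for an analyst."""
    d = case.detection
    if d["sha256"] in KNOWN_BAD_SHA256:
        case.transition("TRIAGED", "playbook", "hash on denylist", ts)
        isolate_host(case, d["host"], ts)
        case.transition("CONTAINED", "playbook", f"isolated {d['host']}", ts)
    elif d.get("signer") in TRUSTED_SIGNERS:
        case.transition("TRIAGED", "playbook", "signed by trusted publisher", ts)
        case.transition("RESOLVED", "playbook", "closed as false positive", ts)
    else:
        case.transition("TRIAGED", "playbook", "no verdict; analyst review needed", ts)
    return case


def overdue(cases, now, sla=timedelta(hours=24)):
    """Unresolved cases older than the SLA: the indicators that would
    otherwise be forgotten in an inbox or a spreadsheet."""
    return [c for c in cases if c.status != "RESOLVED" and now - c.opened > sla]


def later(ts, hours):
    return ts + timedelta(hours=hours)


def demo(now=DEMO_NOW):
    """Three constructed detections: known bad, known good, and unknown."""
    detections = [
        {"host": "ws-17", "sha256": "cafebabe" * 8, "signer": None},
        {"host": "ws-23", "sha256": "0" * 64, "signer": "Example Corp IT"},
        {"host": "ws-42", "sha256": "1" * 64, "signer": None},
    ]
    return [run_playbook(Case(d, now), now) for d in detections]


if __name__ == "__main__":
    cases = demo()
    for c in cases:
        print(c.id, c.detection["host"], c.status, [a[0] for a in c.actions])
    print("overdue after 25h:", [c.id for c in overdue(cases, later(DEMO_NOW, 25))])
```

Of the three constructed detections the playbook contains one and closes one with no human involved, so the analyst's first action on the third is the investigation rather than the lookups. The contained case still shows up in the overdue list until someone resolves it, which is the point: automation handles the first minutes, the state machine makes sure the case is not forgotten after them.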