It’s impossible for information security professionals to manually detect all attempted attacks or address every new software vulnerability. As a result, companies have become increasingly dependent on security alerts and notifications to prioritize tasks and improve incident response (IR).
According to SecurityWeek, however, there’s a new problem: The sheer number of IT activities on corporate networks — and, in turn, the number of security alerts — has shifted from a steady flow to an onrushing avalanche. How do companies get out from under the weight of all these warnings?
Necessary Ignorance?
As reported by SecurityWeek, a Phantom/ESG study uncovered a number of worrisome statistics. First up? Over two-thirds of IT and security professionals said it has become increasingly difficult to handle IR in the past two years. Commonly cited problems include more overall IT activity, the use of additional technologies, more security alerts and, not surprisingly, difficultly knowing which alerts should take top priority.
More worrisome? That 74 percent of large enterprises regularly ignore some security alerts because there simply isn’t enough time or manpower to tackle every problem. Instead, companies operate on a triage system where only the most dangerous threats receive a quick response; others are put on the back burner.
It gets worse: Just over 30 percent of respondents said they ignore half of all security alerts. While 80 percent of C-suite executives have plans to pump up IR spending over the next few years, more of the same won’t solve the problem.
Defeating the Incident Response Deficit
So how do companies improve incident response when the number of new alerts and technologies show no signs of slowing? Network World noted that for many firms, part of the bottleneck comes from manual processes — for example, filling out paperwork, tracking down a particular employee or using multiple security management tools to achieve a single goal. In fact, 93 percent of organizations believe their IR efforts could be improved if the need for manual processes was reduced.
TechTarget, meanwhile, noted that slow IR creates a time deficit for security teams. According to recent Verizon research, in 60 percent of reported attacks, it took only a few minutes for cybercriminals to compromise networks, but defenders were unable to detect these breaches in the same time frame.
The result? There’s now a shift in the IR industry away from cumbersome manual processes to a combination of IT automation and orchestration. Ideally, this yields two big benefits: speedier response and better starting points. If low-level security alerts come in, for example, automated systems should be able to take appropriate action and then notify IT that the issue occurred and has been addressed, saving time and giving companies a way to reduce their time deficit.
In addition, the use of automation tools to collect and analyze high-priority attack data should give IT teams a solid, data-driven foundation they can use to build an actionable solution and then respond in force.
An avalanche of security alerts is driving down efficiency. Automation and orchestration, however, may relieve enough of the pressure to get security pros back on track.