Light Dark
January 9, 2019 By Dan Carlson 5 min read
Incident Response
Intelligence & Analytics
Artificial Intelligence
CISO

It’s 5:48 a.m. — only 48 minutes into your 12-hour shift in the security operations center (SOC), and you’ve already investigated three threats. You were prepared for a long shift, but since an analyst on the night crew just quit, now you’re covering her shift, too. How is anyone supposed to stay vigilant in the thick of a monotonous 24-hour slog in the SOC?

When you first started, you tried talking to your boss about how incident response orchestration software and other tools might work more efficiently. Today, you’re just trying to survive. It’s hard to not feel completely numb when you’re buried in hundreds of alerts you can’t possibly review.

When the tools in the SOC don’t integrate seamlessly into a unified security immune system of solutions, analysts can’t make the most of their time. Given the widening cybersecurity skills gap, the rising cost of a data breach and the blinding speed at which alerts pile up in security information and event management (SIEM) logs, security leaders must empower their analysts to maximize their efficiency.

The first step is to give them the tools they need to accurate prioritize all those alerts — but what does intelligent incident response look like in practice, and how can orchestration and automation help tranform a reactive response system into a proactive security powerhouse? Let’s zoom in on what’s holding SOCs back and how an integrated ecosystem of tools can help analysts overcome these challenges before, during and after an attack.

Learn to orchestrate incident response

Reactive, Manual Processes in the Understaffed SOC

The average security analyst investigates 20–25 incidents each day. It takes the average analyst 13–18 minutes to compare indicators of compromise (IoC) to logs, threat intelligence feeds and external intelligence, and manual research can yield false positive rates of 70 percent or higher.

To make matters worse, as security analysts struggle against an increased volume of complex alerts, the SOC is facing a talent crisis: Sixty-six percent of cybersecurity professionals believe there are too few qualified analysts to handle alert volume in the SOC.

According to the Ponemon Institute’s “2018 Cost of a Data Breach Study,” the average cost of a breach globally is $3.86 million, a 6.4 percent increase from 2017. As threat actors become more effective at evading and targeting the enterprise, the majority of analysts can’t keep up. Twenty-seven percent of SOCs receive more than 1 million alerts each day, and the most common response to alert fatigue is to modify policies for fewer alerts.

Orchestration and automation can free overwhelmed analysts in the SOC and significantly improve cyber resiliency throughout the enterprise. In act, research has shown that SOC orchestration can triple incident response volume and reduce time to response significantly.

“While data breach costs have been rising steadily, we see positive signs of cost savings through the use of newer technologies as well as proper planning for incident response, which can significantly reduce these costs,” said Dr. Larry Ponemon.

Automation reduces the average cost of a data breach by $1.55 million. To build a cyber resilient enterprise, security leaders need intelligent solutions for orchestration, automation, machine learning and artificial intelligence (AI).

What Are the Attributes of Intelligent Incident Response?

Enterprises can save an average of $1 million by containing a data breach in under 30 days, according to the Ponemon study. However, the average time to containment is 69 days. Security leaders should consider the risks of failing to adopt solutions to for intelligent and proactive response, including costlier data breaches caused by reactive response and longer containment times.

The SOC is facing a higher volume of more sophisticated threats, and there is a massive shortage of cybersecurity talent to boot. The right approach to intelligent response, therefore, encompasses solutions for the following:

  1. Orchestration and automation — An integrated, streamlined ecosystem can enable organizations to create dynamic incident response (IR) plans and automate remediation.
  2. Human and artificial intelligence — Operationalize human intelligence, leverage advanced threat intelligence and collaborate with experts.
  3. Case management — Establish systems for continual IR plan improvement while developing a clear understanding of internal workloads and skills.

Let’s take a closer look at how intelligence incident response orchestration works in practice and how it can help security leaders free up their overworked analysts for more pressing tasks.

3 Use Cases for Intelligent Incident Response Orchestration

A comprehensive ecosystem of security solutions can enable the enterprise to prepare for sophisticated cyberthreats, respond proactively to risks and apply lessons learned to create future safeguards. Intelligent orchestration creates efficiency and accuracy before an attack, during an incident and after remediation.

1. Before an Attack

Half of respondents to a recent survey believe it’s somewhat or highly likely that their organization will have to respond to a major incident in the next year, while 9 percent have “no doubt.” The right time to address SOC challenges, such as the increased volume of highly targeted threats and too many single-purpose solutions, is before an attack occurs.

The first step to build a cyber resilient enterprise involves adopting an advanced incident response platform to create automated, intelligent workflows that encompass people, processes and technology. This solution can be enhanced with a security information and event management (SIEM) solution to deliver comprehensive incident analytics and visibility into emerging threats.

Enlisting security operations consultants can help organizations supplement their internal talent. Collaborating with external IR experts, meanwhile, can help companies implement effective training and strategic preparation.

2. During an Attack

Minutes count when the enterprise is facing a sophisticated, targeted threat. The incident response platform (IRP) can act as a centralized solution for comprehensive response remediation. When coupled with cognitive intelligence, organizations can rapidly investigate threats without overwhelming their SOC staff.

When a critical incident is detected, the SOC can call in on-demand IR experts for assistance managing and remediating the incident. The IRP generates a response playbook, which updates dynamically as threat intelligence solutions provide analysis of the incident and endpoint analytics solutions deliver details of on-site infection and automated reporting to the legal team.

Using solutions for threat intelligence, forensics and other solutions, IR analysts can research the tactics used by attackers to pinpoint the source of the incident. By following instructions from the playbook, SOC analysts can coordinate with IT on remediation actions, such as global password resets and segregation of privileged accounts.

3. After an Attack

There are few genuinely random cybersecurity attacks. In the last 18 months, 56 percent of organizations that fell victim to a significant attack were targeted again in the same period.

When an attack is fully remediated, security analysts can prepare efficient reporting on the incident using data from security intelligence solutions, forensic investigation tools and insights from the response researchers. This research can be presented directly to the executive leadership team to communicate the status of the incident, actions taken and lessons learned.

By collaborating with third-party response experts and security service consultants, the SOC team can work to refine formal incident response policies and enhance security controls. As SOC operations resume, analysts can improve readiness with a customized response drill training.

Why Incident Response Orchestration Matters

By protecting the enterprise with solutions to automate and orchestrate incident response, security leaders can introduce the benefit of cyber resiliency to the organization. According to Forrester, “Technology products that provide automated, coordinated, and policy-based action of security processes across multiple technologies, [make] security operations faster, less error-prone, and more efficient.” Adding the right solutions for orchestration, cognitive intelligence, and case management can ease the burden on the SOC while reducing cybersecurity risks.

Six steps to proactive and resilient incident response

 |  |  |  |  |  |  |  |  | 
Dan Carlson
Content Marketing Manager, IBM Resilient

More from Incident Response
March 6, 2024

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

November 29, 2023

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature