If there’s one thing every enterprise security team has in common, it’s complexity. Addressing security incidents is a whole different ball game in a large organization, especially because they tend to spill across teams and involve systems and technologies beyond the security operations center’s (SOC) purview. Frequently an effective incident response requires the input of subject matter experts in other parts of the organization.
It’s an issue that’s compounded by the swift rise of sophisticated threats in a time when many teams face resource constraints. Ask any enterprise Incident Response leader and they’ll tell you about the mountain of work they face. Often the tools intended to help them – like improved threat detection solutions – can inadvertently add to their workload by creating unmanageable volumes of alerts and false positives. Eventually staff become desensitized to alerts and fail to respond as quickly as we’d like.
Automation is helpful but by itself is not enough. The real issue is this: too many orgs keep their incident response approach in a silo. They position their SOC as an island, focused on the task at hand. The problem is, incident response is a team sport. To mount a smart and effective defense, the right approach goes beyond individual technologies or the SOC to collaborate across the enterprise.
When the SOC works alone and apart from other operations teams, the speed of responding to an incident is almost guaranteed to go up (by hours or even days) while the security team goes through the motions of opening a ticket, sharing information via email and waiting for other teams to prioritize the information against their daily objectives. To reduce risk and accelerate investigation and incident remediation times, the SOC should leverage the most potent blend of information, assets, staff and technology in five ways.
Foster cross-team collaboration
Because security is a multidisciplinary function, trying to address security incidents also requires input and action from multiple non-security teams. It’s usually the security team that initiates an investigation as the result of detecting the incident or threat, but they’ll have to work with the IT, network, or applications infrastructure team in collecting information and taking action on the correct tools for investigation, containment and remediation. On the contrary, network operations and other teams oftentimes need help from the security team in reviewing and responding to their incidents.
The key here: developing integrated working relationships before the incident. If the teams understand each other’s workflows and use the same applications, they’re going to have tighter alignment and better visibility when it comes to addressing their incidents in a more timely fashion.
Appoint the SOC as the leader of security incident response
Intelligent orchestration is the key to enterprise incident response. You’ve probably faced this scenario: a malicious process or operation has been found and now multiple team are crowding into a war room, on a call or email chain, and it’s quickly turning into a messy situation. Everyone is jumping in with their experience and opinions to fix the problem, but it’s only creating chaos.
This is where the security team needs to take control and orchestrate all the activities. As we said above, incident response may be a team sport – but the SOC team should be the quarterback for security related incidents.