If there’s one thing every enterprise security team has in common, it’s complexity. Addressing security incidents is a whole different ball game in a large organization, especially because they tend to spill across teams and involve systems and technologies beyond the security operations center’s (SOC) purview. Frequently an effective incident response requires the input of subject matter experts in other parts of the organization.
It’s an issue that’s compounded by the swift rise of sophisticated threats at a time when many teams face resource constraints. Ask any enterprise incident response leader and they’ll tell you about the mountain of work they face. Often the tools intended to help them – like improved threat detection solutions – inadvertently add to their workload by creating unmanageable volumes of alerts and false positives. Eventually staff become desensitized to alerts and fail to respond as quickly as we’d like.
Automation is helpful but by itself is not enough. The real issue is this: too many orgs keep their incident response approach in a silo. They position their SOC as an island, focused on the task at hand. The problem is, incident response is a team sport. To mount a smart and effective defense, the right approach goes beyond individual technologies or the SOC to collaborate across the enterprise.
When the SOC works alone and apart from other operations teams, the time it takes to respond to an incident is almost guaranteed to go up (by hours or even days) while the security team goes through the motions of opening a ticket, sharing information via email and waiting for other teams to prioritize the information against their daily objectives. To reduce risk and accelerate investigation and incident remediation times, the SOC should leverage the most potent blend of information, assets, staff and technology in five ways.
Foster cross-team collaboration
Because security is a multidisciplinary function, addressing security incidents also requires input and action from multiple non-security teams. It’s usually the security team that initiates an investigation as the result of detecting the incident or threat, but they’ll have to work with the IT, network, or applications infrastructure team to collect information and take action with the correct tools for investigation, containment and remediation. Conversely, network operations and other teams oftentimes need help from the security team in reviewing and responding to their incidents.
The key here: developing integrated working relationships before the incident. If the teams understand each other’s workflows and use the same applications, they’re going to have tighter alignment and better visibility when it comes to addressing their incidents in a more timely fashion.
Appoint the SOC as the leader of security incident response
Intelligent orchestration is the key to enterprise incident response. You’ve probably faced this scenario: a malicious process or operation has been found and now multiple teams are crowding into a war room, on a call or email chain, and it’s quickly turning into a messy situation. Everyone is jumping in with their experience and opinions to fix the problem, but it’s only creating chaos.
This is where the security team needs to take control and orchestrate all the activities. As we said above, incident response may be a team sport – but the SOC team should be the quarterback for security-related incidents.
Automate your response plan in a way that makes sense
Automation can be the secret sauce to swift response, but many teams overcomplicate it. Others feel overwhelmed by the thought of trying to automate every activity in their incident response workflow. So here are some general guidelines.
As you get started, remember to walk before you run. Be pragmatic and identify the places where automation can save your team time – the repetitive and time-consuming tasks. And know that you don’t have to automate everything at once; you can take a bite-size approach and automate the tasks that make sense for you right now. Also, as we pointed out earlier, many teams are exhausted by trying to resolve the ever-rising din of false alarms. This will only increase, given the rise of new systems and IoT devices, so implement automation that can separate the useful and actionable alarms from the false threats that distract your team.
“Memorialize” the entire security incident response workflow
We’ve talked a lot about involving other teams across the enterprise for robust incident response. One critical element that ties it all together: what I call “memorializing” the process and capturing the “tribal knowledge” that exists across the organization. It’s very easy for disconnected or fragmented processes to settle in, which only hurts the SOC when the next incident occurs. But when you capture and utilize all the SME expertise and cross-team knowledge and actions in a given incident, you can more quickly address incidents and not have to rely on an SME who might have left the company or be on vacation at the time.
Start by prioritizing documentation. You want to capture critical incident information, document the right SMEs and processes, detail the most effective actions, and wrap it all up in a prescriptive playbook or automation that strengthens your future capabilities. You’ll reduce your vulnerabilities, spend less time researching and remediate more quickly and effectively knowing that you’re doing what the experts would do.
Empower operations staff to do more
This is something that gets overlooked in most organizations. But there are multiple benefits to building all SOC members’ skill sets and assigning them meaningful tasks. The most obvious is that your front-line and entry-level analysts can leverage the automation and orchestration tools to solve some of the simpler problems that typically would have required more experienced security engineers. This step frees your more experienced (and well-paid) security staff to focus on tougher, more complex incidents or on activities such as threat hunting.
Another benefit is job satisfaction. The reality is that people want to solve real problems. Give your entry-level staff the opportunity to be real contributors and you’ll motivate and retain an engaged workforce. You will also have positioned them for deeper training and involvement in the future. And this step takes the mundane and repetitive tasks off the plates of your more experienced security experts so they can do what they enjoy doing, as well.
Faster and stronger together
Enterprise security will always face complex challenges. But by taking a holistic approach to incident resolution, SOC leaders can leverage the right personnel and speed major incident resolution. This kind of collaboration across teams not only increases efficiency but also optimizes their collective incident response today and tomorrow.