Cyber Tech: 6 Steps to Achieving Active Response
CSOs are drowning in security alerts. The average enterprise generates nearly 2.7 billion actions from its security tools per month, according to a recent study from the Cloud Security Alliance (CSA). A tiny fraction of these are actual threats--less than one in a hundred. But this doesn’t diminish their negative impact on enterprise security. More than 31 percent of the CSA study respondents admitted they ignore alerts altogether because they think so many of the alerts are false positives.
Out-of-the-box tracking and ticketing products aren’t doing their job. While they are monitoring and alerting, they aren’t capable of resolving incidents. They lack the key functionalities necessary to fully streamline the data management process. In fact, more than 40 percent of respondents to the CSA study feel the alerts they receive lack actionable intelligence.
Incident management today requires several different security tools - upwards of 20 according to the CSA study. But more security tools generate more alerts and a more disparate view of enterprise security. Instead, executives should have a single platform for collecting data, identifying cyber-attacks and tracking the resolution. This is the concept of active response--not only identifying threats but being able to immediately respond to them as well.
Six Components are Critical to Active Response:
- Centralized Event Management - All event data should be in one place. This doesn’t just apply to the raw data, like logs and audit trails. Post processed event data should be included as well as it drives investigations.
- Analytics - Machine learning is the future in enterprise technology because it can automate mundane, repetitive tasks. This is a boon for cybersecurity professionals, as these repetitive tasks currently take a lot of our time. But machine learning depends on our tracking how humans currently interact with data and systems.
- Open APIs - Open source communities centralize and improve approaches and solutions across entire industries. The Linux community has transformed technology and made it easy for developers and system administrators to navigate the operating system. Creating a community around active response would centralize the approach and the solutions. As an added benefit, security tools with open APIs improve incident management by providing greater access, innovation, efficiency and interoperability across the entire community.
- Dynamic Infrastructure - Dynamic infrastructure--virtualization, cloud, software-defined networking and even a migration to thin client computing--provides a flexibility that allows services to be turned up and down quickly and easily as needs change, as they often do in incident management. This flexibility can result in cost savings as enterprises aren’t required to continuously run their infrastructure. Dynamic infrastructure also provides an added layer of security, moving potential threats away from the network.
- The Human Element - While active response can be automated, technology can only do so much for event resolution. There are many solutions for collecting and analyzing data, and for identifying and alerting on potential threats. But then what? At this stage a person is still required to step in, determine what the response should be and set that response into action. Only the combination of humans and technology can carry incident management all the way through to resolution.
- Complete Visibility - Not only do analysts benefit from having one central place to address security threats, but this information is now also critical to CXOs and board members. Executives outside the security team need to be able to understand their security posture. They need one place where they can quickly and easily see what the threats are and how they are being resolved.
The headaches of managing security event information can be cured through active response--a centralized approach to not just identify cyber threats, but address them as well, and to see the whole process in one single and simple view. A unified platform should be able to receive, process and triage data, as well as provide accessibility so enterprises can effectively analyze all of their online activity while searching for suspicious behavior and cyber-attacks. This centralized data management can only be achieved on a cloud-based, open source framework that involves human analysts and provides visibility to the full leadership team.
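To make the "receive, process and triage" pipeline concrete, here is an added example (not code from the author or from Dunbar Security Solutions) that collapses duplicate alerts from several tools into per-asset incidents, ranks them so correlated multi-tool activity rises above lone alerts, records the analyst's decision, and produces a one-glance status view for leadership. The event schema, tool names and sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events from three hypothetical tools, already normalized
# into one schema (tool, severity, asset, indicator) by the central collector.
RAW_EVENTS = [
    {"tool": "edr", "severity": 3, "asset": "host-17", "indicator": "susp-proc"},
    {"tool": "edr", "severity": 3, "asset": "host-17", "indicator": "susp-proc"},  # exact duplicate
    {"tool": "ids", "severity": 2, "asset": "host-17", "indicator": "c2-beacon"},
    {"tool": "waf", "severity": 1, "asset": "web-01", "indicator": "sqli-probe"},
    {"tool": "ids", "severity": 1, "asset": "host-42", "indicator": "port-scan"},
]


@dataclass
class Incident:
    asset: str
    events: list = field(default_factory=list)
    status: str = "open"  # open -> responding -> resolved
    analyst_actions: list = field(default_factory=list)  # human decisions, kept for analytics/audit

    @property
    def score(self) -> int:
        # Independent tools agreeing on the same asset outrank a single noisy alert.
        tools = {e["tool"] for e in self.events}
        return max(e["severity"] for e in self.events) * len(tools)


def triage(events):
    """Dedupe raw events, group them per asset and return incidents, highest score first."""
    seen, by_asset = set(), {}
    for e in events:
        key = (e["tool"], e["asset"], e["indicator"])
        if key in seen:
            continue  # collapse exact duplicates that only inflate the alert count
        seen.add(key)
        by_asset.setdefault(e["asset"], Incident(e["asset"])).events.append(e)
    return sorted(by_asset.values(), key=lambda i: i.score, reverse=True)


def respond(incident, analyst, action):
    """The human picks the response; the platform records it and advances the state."""
    incident.analyst_actions.append((analyst, action))
    incident.status = "resolved" if action == "close" else "responding"
    return incident


def executive_view(incidents):
    """Posture summary for non-security leadership: how many incidents in each state."""
    counts = defaultdict(int)
    for inc in incidents:
        counts[inc.status] += 1
    return dict(counts)
```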
Advanced cybersecurity requires an active response. Simply knowing that a threat exists is not enough. You must be able to respond. When an organization is facing “alert fatigue,” complacency sets in and security suffers. Without the ability to seamlessly assess, respond to and resolve the ever-growing number of alerts, the investment in cybersecurity technologies is wasted.
About the Author: Christopher Ensey, COO of Dunbar Security Solutions