In this ESG Video Blog, ESG's Jon Oltsik discusses some of ESG's recent findings in the area of Incident Response Automation and Orchestration.
Announcer: The following is an ESG Video Blog.
Jon: When you think about incident response processes at enterprise organizations, it's fairly simple. Security tools generate alerts when they detect an anomalous or suspicious event. IR professionals assess these alerts and then decide whether to investigate them further. Some are classified as low priority and ignored while others are prioritized and investigated. When investigations uncover activities that indicate a true cyber attack in progress, security and IT teams develop a remediation plan to intervene and stop attacks from progressing.
It seems pretty straightforward until you understand more about today's cyber security environment. Recent ESG research shows that 28% of enterprise organizations generate between 5,000 and 10,000 security alerts per month while 21% generate between 10,000 and 15,000 security alerts each month. Regardless of an organization's cyber security staff and skills, it's simply impossible to look into all of these alerts. In fact, 42% of cyber security professionals working at enterprise organizations claim that they ignore a significant number of security alerts because they can't keep up with the volume while another 32% said that they ignore a marginal number of security alerts for the same reason.
In some cases, it's easy to ignore an alert and classify it as a low priority, but that's not always true. For example, what do you do if an alert is classified with a medium or moderate severity level? This alert may be nothing, or it could indicate a cyber attack in progress. When security teams have dozens of high priority alerts to investigate, these medium level alerts are often ignored. In some instances, however, incident response teams end up regretting these decisions. In the 2013 Target breach, the security team actually received two separate alerts of suspicious activity but chose to ignore these alerts. The rest, as they say, is history.
What can be done to keep up with the torrid pace of security alerts? As ESG research illustrates, 57% of organizations have adopted technologies to promote incident response automation and orchestration, while another 36% are currently engaged in an IR automation and orchestration project or plan to initiate an IR automation and orchestration project in the next 24 months. Typically, IR automation and orchestration is applied in several areas: to accelerate data collection for investigations, to orchestrate IR workflow, especially between security and IT operations personnel, and to automate remediation actions like launching vulnerability scans or generating a rule for blocking suspicious IP addresses, URLs or domains. The goals here: increase the number of alerts for investigation, improve decision making and prioritization, increase IR process efficiency and decrease risk. Simple objectives, yes, but a really difficult task. Nevertheless, IR is a mission critical activity, thus IR improvement should be a priority for all CISOs.
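The three automation areas Jon lists (accelerating data collection, orchestrating the hand-off to IT operations, and generating a block rule for a suspicious indicator), together with the "two medium alerts that add up to a real incident" problem from the Target anecdote, can be shown in a small triage pipeline. The code below is an added example written for this page; it is not ESG's code or any vendor's SOAR product. The alerts, the asset list, the threat-intel set, the scoring weights, the investigation threshold and the block-rule text are all constructed or hypothetical, and the indicators use RFC 5737 / RFC 2606 documentation values rather than real IoCs. The design point is that enrichment and cross-tool corroboration are what lift a lone medium alert into the investigation queue, and that collection runs automatically while containment (the block rule) is only proposed for analyst approval.

```python
"""Added example: a minimal alert-triage pipeline illustrating IR automation.

Constructed sample data and hypothetical scoring rules; not production logic.
"""
from dataclasses import dataclass

SEVERITY_BASE = {"low": 1, "medium": 3, "high": 5}
INVESTIGATE_THRESHOLD = 5  # hypothetical: at or above this, queue for an analyst


@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str      # tool that raised it, e.g. "edr", "proxy", "ids"
    severity: str    # "low" | "medium" | "high"
    host: str
    indicator: str   # remote IP or domain seen in the event ("" if none)


# Constructed enrichment sources (a real deployment would query a CMDB and
# threat-intel feeds). 198.51.100.0/24 is a documentation range and
# .example is a reserved TLD, so neither value is a real indicator.
CRITICAL_ASSETS = {"pos-db-01", "dc-01"}
KNOWN_BAD = {"198.51.100.23", "bad.example"}


def score_alert(alert, peers):
    """Return (score, reasons); `peers` are the other alerts in the same window."""
    score = SEVERITY_BASE[alert.severity]
    reasons = []
    if alert.host in CRITICAL_ASSETS:
        score += 3
        reasons.append("host is a critical asset")
    if alert.indicator in KNOWN_BAD:
        score += 3
        reasons.append("indicator matches threat intel")
    # Corroboration: a different tool also flagged the same host in this window.
    other_sources = {p.source for p in peers
                     if p.host == alert.host and p.source != alert.source}
    if other_sources:
        score += 2 * len(other_sources)
        reasons.append("corroborated by " + ", ".join(sorted(other_sources)))
    return score, reasons


def block_rule(indicator):
    """Hypothetical blocklist rule text; the format is illustrative only."""
    kind = "ip" if indicator.replace(".", "").isdigit() else "domain"
    return f"block {kind} {indicator}  # generated by triage, needs analyst approval"


def proposed_actions(alert, score):
    """Collection is automatic; containment is proposed, never applied here."""
    actions = [f"auto: pull process/network timeline from {alert.host}"]
    if alert.indicator in KNOWN_BAD:
        actions.append("pending-approval: " + block_rule(alert.indicator))
    if score >= INVESTIGATE_THRESHOLD:
        actions.append(f"ticket: assign to IR queue, notify IT ops owner of {alert.host}")
    return actions


def triage(alerts):
    """Score each alert against the others in its window; highest score first."""
    results = []
    for a in alerts:
        peers = [p for p in alerts if p.alert_id != a.alert_id]
        score, reasons = score_alert(a, peers)
        results.append({"alert": a, "score": score, "reasons": reasons,
                        "actions": proposed_actions(a, score)})
    results.sort(key=lambda r: r["score"], reverse=True)
    return results


# Constructed sample: two medium alerts on one host from different tools,
# plus a lone high alert with no enrichment hits.
SAMPLE_ALERTS = [
    Alert("a1", "edr", "medium", "pos-db-01", ""),
    Alert("a2", "proxy", "medium", "pos-db-01", "198.51.100.23"),
    Alert("a3", "ids", "high", "laptop-42", ""),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        a = r["alert"]
        print(f"{r['score']:2d} {a.alert_id} {a.severity:6s} {a.host:10s} "
              + "; ".join(r["reasons"]))
        for act in r["actions"]:
            print("      " + act)
```

Run as-is, the two medium alerts on the critical host outrank the lone high alert (scores 11 and 8 versus 5), the proxy alert carries a pending block rule, and a single medium alert on an ordinary host scores 3 and never reaches the ticket step. The weights are deliberately simple; what matters for an IR program is that the same enrichment and correlation run on every alert, including the ones an analyst would otherwise never open.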