Given the number and sophistication of incoming cyber security attacks, it’s simply impossible for IT professionals to detect, analyze and address these threats manually. As a result, many organizations have modified and improved their cyber security incident response strategy to include security alerts and notifications. Unfortunately, this has led to a whole new set of problems. The volume of security alerts has grown from steady to a relentless onslaught. What’s the solution? Let’s take a look.
First, there is the challenge of workload to overcome. According to a recent article by SecurityWeek, one study revealed that more than two-thirds of IT security professionals admitted that they are finding it more and more difficult to handle IR, due in large part to their increasing workload (including other IT functions) as well as the use of multiple technologies. They also cited the rising volume of incoming security alerts and the resulting difficulty of knowing which alerts should be prioritized. In other words, the work is increasing beyond what human employees are capable of handling.
Perhaps even more troublesome is the discovery that 74% of larger organizations and enterprise-level companies ignore incoming security alerts on a regular basis simply because there is not enough time or manpower to handle them all. Instead, these companies are operating on a highly risky tactic of only responding to those threats they deem to be most dangerous. The rest get placed on the back burner, or worse – ignored completely. As we learned from the Target debacle of a few years ago, this is no way to manage cyber security incident response.
And if you think the companies in question are few and far between, think again. The same survey uncovered even more alarming data including the fact that over 30% of respondents admit to ignoring at least half of all incoming security alerts. Yet somehow 80% of C-suite executives surveyed say they plan to increase IR spending over the next several years. Unfortunately, more money won’t solve anything unless it involves an intense overhaul of the entire incident response process.
So, how can organizations resolve these serious issues, especially as the number and complexity of new alerts continue to increase? A recent piece in Network World indicated what we’ve been saying all along: for many companies, the biggest problem lies in the reliance on too many manual processes. When IT personnel are tasked with manually managing security incidents, they simply cannot keep up with the volume and severity of attacks. In fact, 93% of firms polled admit that their cyber security incident response strategy could be vastly improved if manual processes were reduced.
Further exacerbating an already significant and costly problem is the time it takes to respond to, address and ultimately resolve a security issue. According to research performed by Verizon, in 60% of attacks that were reported, it took mere minutes for the criminals behind the attack to successfully compromise networks. Clearly, existing detection and response times are no match for these sophisticated attackers.
The good news is there has been a marked shift in the IT industry away from manual processes and toward a more effective combination of automation and orchestration. By automating some or all of the cyber security incident response process, the risks associated with missed, ignored or un-prioritized threats are eliminated. Low-level alerts can be evaluated and resolved without any human intervention, while those that are more complex and dangerous can be appropriately prioritized, with the system notifying IT that there is an issue needing prompt attention. This results in a much swifter and more effective response, which limits downtime and mitigates damage.
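As an added illustration of the triage flow just described (example code written for this page, not from the original article or any particular product), the routine below gives every incoming alert a disposition so none is silently ignored: repeats are merged, low-priority alerts are closed by the automated playbook, and the rest are queued by priority with the most dangerous paged to on-call. The alert fields, scoring rule, thresholds and sample data are all assumptions.

```python
# Constructed sample alerts; field names and values are assumptions, not real SIEM output.
SAMPLE_ALERTS = [
    {"id": 1, "rule": "failed_login", "severity": 2, "asset": "ws-017", "crown_jewel": False},
    {"id": 2, "rule": "failed_login", "severity": 2, "asset": "ws-017", "crown_jewel": False},
    {"id": 3, "rule": "malware_detected", "severity": 4, "asset": "pos-db-01", "crown_jewel": True},
    {"id": 4, "rule": "port_scan", "severity": 1, "asset": "web-03", "crown_jewel": False},
    {"id": 5, "rule": "new_admin_account", "severity": 3, "asset": "dc-01", "crown_jewel": True},
]


def score(alert):
    """Assumed priority rule: base severity, doubled when the asset is business-critical."""
    return alert["severity"] * (2 if alert["crown_jewel"] else 1)


def triage(alerts, auto_close_below=3, page_at=7):
    """Assign a disposition to every alert; return (dispositions, ordered work queue, paged ids).

    The invariant that matters for the 'ignored alerts' problem: len(dispositions) == len(alerts).
    """
    dispositions = {}
    first_seen = {}  # (rule, asset) -> id of the first alert, used to merge repeats
    queue = []       # (priority, id) for the analyst work queue
    paged = []       # ids escalated to on-call immediately
    for alert in alerts:
        key = (alert["rule"], alert["asset"])
        if key in first_seen:
            # Duplicate of an alert already being handled: merge instead of creating new work.
            dispositions[alert["id"]] = f"merged_into:{first_seen[key]}"
            continue
        first_seen[key] = alert["id"]
        priority = score(alert)
        if priority < auto_close_below:
            # Low-level alert: resolved by the automated playbook, no analyst time spent.
            dispositions[alert["id"]] = "auto_closed"
        elif priority >= page_at:
            # Dangerous alert on a critical asset: queue it at the top and notify on-call.
            dispositions[alert["id"]] = "paged"
            paged.append(alert["id"])
            queue.append((priority, alert["id"]))
        else:
            dispositions[alert["id"]] = "queued"
            queue.append((priority, alert["id"]))
    queue.sort(reverse=True)  # highest priority first, so analysts never start with the trivial
    assert len(dispositions) == len(alerts), "every alert must receive a disposition"
    return dispositions, [alert_id for _, alert_id in queue], paged


if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
```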
In addition to the tremendous savings of time and resources, this approach can also provide IT teams with the critical data they need to develop best practices that include actionable solutions and improved response strategies for enhanced security in the future.