In light of recent events with retail giant Target, where massive security breaches have had a devastating impact on consumers and big brands alike, it’s becoming increasingly obvious that security incident response is a critical aspect of IT. The solution seems easy – have IT personnel become more vigilant about managing alerts so that such situations can be avoided at the get-go. Seems obvious, right? Not necessarily. In fact, it’s much more challenging than one may think.
The ultimate cause of the Target debacle was how they used their malware detection technology. The software did its job in successfully detecting the POS memory scraping code. The problem was, Target’s IT group was operating in detection mode instead of prevention mode. In order to avoid the whole messy situation, personnel would have had to take manual action to address and remove the malware. Unfortunately, as we all now know, this did not happen and millions of people had their sensitive information stolen.
The question most people ask is, why on earth didn’t Target use their malware software the way it was designed to be used? Were they incompetent? Misguided? Asleep at the wheel?
The truth is, it’s not so straightforward. Because many of these malware technologies take a more specialized or limited approach, they often generate alerts that are inaccurate, non-critical or worse – false positives. Because of this, IT security professionals tend to view these alerts in one of two ways. They either take the alert at face value and investigate it further, or they acknowledge the alert but do nothing.
If the security professional chooses the former, it’s not always as simple as conducting a quick investigation. These analyses can require a great deal of time, resources and expertise. Should they choose the latter approach, it’s likely because they’re afraid of the dreaded “false positive”. In this case, personnel will typically wait for additional alerts to further substantiate the problem before finally taking action.
While it may seem negligent to ever ignore an incoming alert (especially given the consequences that Target employees experienced for doing so), the results of reacting to a false positive can seem even worse – at least to IT personnel. Imagine for a moment that the security team for a major eCommerce site responds to an alert by immediately blocking systems or shutting down network access completely. Not only does this disrupt normal business operations, but it could cost the company quite a bit of revenue. If the threat was actually a false positive, it’s the IT department that will bear the brunt of the blame. In other words, IT heads will roll.
So what’s the solution? Obviously, we cannot simply sit back and ignore security alerts, or even take a chance and wait to see what happens (just ask Target how that worked out). Yet, based on the previous scenario, we also cannot jump at every alert that comes in. There needs to be a more sophisticated solution that helps to better manage incoming incidents, weeding out false positives, and effectively notifying the appropriate personnel when immediate action should be taken.
The solution is incident response automation.
Automated incident response technology can provide greater monitoring of a company’s networks, users and IT assets. It can also recognize which behaviors or patterns of behavior deviate from the “norm” so that critical incidents can be identified and addressed in the most timely and effective manner possible. In order to achieve the best results, security professionals will also need to gain more experience with IT Process Automation so they can further fine-tune and manage these tools most effectively.
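The post describes the two failure modes (reacting to every alert, or holding every alert until more evidence arrives) and argues that automation should weed out false positives and escalate only what warrants immediate action. The script below is an added illustration, not code from the original post or from any product it refers to, of one simple corroboration rule that encodes that middle ground: alerts for the same host are grouped into a short time window, and a group is escalated when independent tools agree on it (or when a single signal is already critical), otherwise it is held for analyst review rather than dropped. The alert lines, tool names (`av`, `edr`, `netflow`), the 15-minute window and the two-source threshold are all constructed assumptions chosen for the example.

```python
"""Alert corroboration triage: escalate when independent signals agree.

Added example, not from the original post. Alert lines, tool names and
thresholds are constructed assumptions for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (JSON lines), one alert per line from a hypothetical tool.
# pos-117 is hit by three different tools within six minutes; ws-042 gets two
# isolated single-tool hits ninety minutes apart.
SAMPLE_ALERTS = """\
{"ts": "2024-01-10T09:00:00", "host": "pos-117", "source": "av", "category": "malware", "severity": 3}
{"ts": "2024-01-10T09:04:00", "host": "pos-117", "source": "edr", "category": "memory_scan", "severity": 4}
{"ts": "2024-01-10T09:06:00", "host": "pos-117", "source": "netflow", "category": "unusual_egress", "severity": 2}
{"ts": "2024-01-10T09:30:00", "host": "ws-042", "source": "av", "category": "malware", "severity": 3}
{"ts": "2024-01-10T11:00:00", "host": "ws-042", "source": "av", "category": "malware", "severity": 3}
"""

WINDOW = timedelta(minutes=15)   # assumption: alerts within 15 min of each other corroborate
MIN_SOURCES = 2                  # assumption: two independent tools needed to escalate
CRITICAL_SEVERITY = 4            # assumption: a single alert at this level escalates on its own


def parse_alerts(text):
    """Parse JSON-lines alerts and return them sorted by timestamp."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        alert = json.loads(line)
        alert["ts"] = datetime.fromisoformat(alert["ts"])
        alerts.append(alert)
    return sorted(alerts, key=lambda a: a["ts"])


def _decide(host, group, min_sources, critical):
    """Decide one host/window group: escalate on corroboration or a critical signal, else hold."""
    sources = {a["source"] for a in group}
    max_sev = max(a["severity"] for a in group)
    if len(sources) >= min_sources or max_sev >= critical:
        action = "escalate"
    else:
        action = "hold"  # kept visible for analyst review, not discarded
    return {
        "host": host,
        "start": group[0]["ts"].isoformat(),
        "alerts": len(group),
        "sources": sorted(sources),
        "max_severity": max_sev,
        "action": action,
    }


def triage(alerts, window=WINDOW, min_sources=MIN_SOURCES, critical=CRITICAL_SEVERITY):
    """Group alerts per host into time windows and return one decision per group."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)

    decisions = []
    for host, items in by_host.items():
        group = []
        for alert in items:
            # Close the current window when the next alert falls outside it.
            if group and alert["ts"] - group[0]["ts"] > window:
                decisions.append(_decide(host, group, min_sources, critical))
                group = []
            group.append(alert)
        if group:
            decisions.append(_decide(host, group, min_sources, critical))
    return decisions


if __name__ == "__main__":
    for decision in triage(parse_alerts(SAMPLE_ALERTS)):
        print(json.dumps(decision))
```

Running it escalates the pos-117 group (three tools agree within the window) and holds both ws-042 alerts, which are single-source and below the critical level. The held decisions are the point: they are neither acted on blindly nor silently dropped, so the "wait for more evidence" behaviour the post describes becomes an explicit, reviewable state instead of an analyst's private judgement call.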
As cyber threats continue to evolve and become more sophisticated and complex, so will the requirements for incident management. There has simply never been a greater need. Don’t take the chance that your company will become the next Target.
Get an IT Process Automation solution in place today to protect your business, your customers and your future.