By now, the entire world knows how utterly disastrous security breaches can be for large corporations (as we discussed in the case of retail giant Target). Upon further inspection, it became clear that the reason for this most recent blunder was not so much that the store’s IT team deliberately looked the other way or dropped the ball on their duties. They, like so many other IT security professionals, were simply so overwhelmed with incoming alerts that they made a poor choice. So how can other corporations learn from Target’s mistake? Simple. Automate security incident response.
A recent study conducted by threat detection solution provider Damballa, Inc. revealed that on any given day, a typical company can field up to 10,000 incoming security alerts. Some of the bigger organizations can see several times that many notifications – upwards of 150,000 per day. When faced with numbers that big, it’s easy to understand how overwhelmed IT groups can become. Even with a larger team, fielding that many notifications effectively is simply not possible.
Survey respondents gave resounding approval to the idea of using automation to help ease the burden and improve security incident response capability and turnaround. In fact, 100% of security professionals polled agreed that “automating manual processes is key to meeting future security challenges.” Enter the increasing role of security incident and event management (SIEM) products, which capture the important incoming data to be reviewed and investigated by security personnel. While this technology has certainly come a long way over the past decade or so, becoming more flexible and scalable, it is still not proving to be enough to really combat the “big picture” problem.
One of the biggest issues with relying on SIEM products alone is the lingering problem of false positives, which can bog down the security team and increase the likelihood of a real incident slipping through the cracks. The real solution is to marry SIEM with automated security incident response software. Combining the two creates a more comprehensive and airtight approach to managing the influx of incoming alerts while weeding out false positives, so the team can focus only on those incidents that truly warrant attention.
To get the most out of SIEM products, integration with automation is essential. This will help not only to manage incoming alerts more effectively, but also to streamline security incident response and investigation workflows after the fact. The result is an increased level of intelligence for security personnel, and a much safer IT environment for the entire organization. Doing this successfully can also dramatically improve operational efficiency. Instead of the average of 90 days it takes to manually discover a security breach and the subsequent 4+ months to resolve it, automated incident recovery can be reduced to just one day. This could potentially save an organization an average of 8,633 man-days each year.
What would your company do with that many extra man-days?