Making Better Security Decisions…Faster!POSTED BY STEVE RIVERS
Over the past twelve months enterprises continue to face further onslaught of security data from disparate systems, platforms and applications concerning the state of the network, potential threats and suspicious behaviour. This continues to challenge every Security Operations Centre (SOC) and Incident Response (IR) team as it looks to address impacts to security operations, vulnerability management and incident response with better and faster decision making.
To do this, many organisations are bringing in more data feeds — both threat and vulnerability — and investing in analytic behavioural detection tools. Unfortunately, this is not driving improved decision making. Instead, it is burying staff under data. The end-result is declining decision-making capability due to alert fatigue.
To combat this, organisations should follow five simple steps to enable better and faster decision making.
Step One: Make Prioritisation the First Priority
Separating the probable from the possible with context enables analysts to ascertain one high priority alert from another, empowering them to prioritise. Prioritisation is critical and to underscore this point, the National Institute of Standards and Technology (NIST) states in its Computer Security Incident Handling Guide, “prioritising the handling of the incident is perhaps the most critical decision point in the incident handling process.” Prioritisation applies to not just incident response, but all critical alerts. The ability to prioritise gives the analysts the breathing room necessary to focus on what matters, addressing the highest priority alerts first.
Step Two : Gain Context
Alert triage reduces alert fatigue by facilitating quick differentiation of one high priority alert from another. The best method to achieve this differentiation is by incorporating contextual information. Having the right context empowers analysts to separate alerts carrying immediate risk from those that carry high risk, but they can address later.
One of the best means to gain context is through aggregating and authenticating internal security indicators (indicators of compromise and event data) with external threat intelligence. Unfortunately, most organisations incorporate threat intelligence only after they classify an event as suspect. We see this as a missed opportunity because threat intelligence provides valuable context long before an event is considered suspect.
The right context helps the SOC and IR teams separate the possible from the probable. Otherwise, everything is possible making all high priority alerts equal. For example, an anomalous outbound activity alert from a bank’s development server is possibly malicious, requiring further investigation, regardless if this is a malicious or a benign event. In contrast, integrating threat intelligence that shows the IP addresses are command & control (C&C) sites explicitly targeting financial services organisations indicates this alert is probably a beacon requiring immediate blocking and incident response.
Step Three: Focus on Making Better Decisions
By reducing noise and providing a means to differentiate one high priority event from another, security analysts can focus without incurring alert fatigue. And, when analysts focus, they make better decisions. This is where team orchestration comes in. Every member of the team must ensure they have the same understanding of the situation, the risks, the impacts and next steps.
Team coordination is a top challenge for security and risk managers. To address this, some organisations are instituting playbooks into their SOC and IR activities. These playbooks map out the critical steps to move from detecting a suspicious event to classification, analysis and response. A playbook is a flow model for executing repeatable steps along the path of incident response. These models are extremely helpful for mapping and in some cases automating various stages in the process. However, playbooks are static and limited in their ability to effect team decision making because they lack a key ingredient: real-time, situational intelligence.
Step Four: Increase Effectiveness through Situational Intelligence
There is a difference between getting everyone on the same page and making sure everyone has the information they need to do their job. For example, a threat analyst will be looking for information about active threats in the wild, known threats to the organisation and all the unique indicators of the potential threat actor, with an emphasis on the reconnaissance, weaponisation, delivery and exploit steps of the Cyber Kill Chain (CKC). Contrast this with an IR analyst focusing on Indicators of Compromise (IoC) related to exploit, installation, C&C and actions on objectives steps in the CKC. Both team members are working on the same problem, but their intelligence needs are different, yet, related.
We call this different, yet, related intelligence, situational intelligence: presenting the right information to the right person at the right time. Situational intelligence derives from bringing together the machine data generated by all the security devices (e.g., SIEM, IDS/IPS, endpoint, HIDS and FW) and integrating it with threat intelligence. The goal is to provide situationally relevant insights to the team member analysing the data. Situational intelligence gives the team member the actionable information they need to work more efficiently and effectively as part of a team effort. When all team members have the right information at the right time, and the team is operating on the same page, we call this universal understanding. Universal understanding is a tipping point in team dynamics, when the team is operating at full effectiveness.
Step Five: Collaborate to Make Better Decisions, Faster
So far, I have outlined steps on the mechanics of making better decisions. How do organisations make better decisions faster?
This is where a collaborative investigation workspace takes the playbook concept but makes it dynamic to reflect real-time team decision making and puts it into action through automation. The underlying framework and flow are laid out, tracking the actions and interaction of the team in real time. The seamless collaboration workspace enables team members to make better decisions, faster by providing:
- A global view — A universal perspective showing all teams and team members involved in the investigation and their activities, across the entire organisation, divided by region or specialty focus
- Focused knowledge — Keeping the big picture in mind with consistent, shared global knowledge, while still supporting localised concentration.
- Test, then talk capability — Team members can work through their hypotheses in parallel, test their theories, and then report to the broader team.
Security teams continue to face significant alert fatigue from a continual barrage of high priority alerts. The expanding threat landscape and the increasingly dynamic nature of IT operations are the primary contributors to this alert escalation. The only way SOC and IR teams have a chance to overcome alert fatigue is to introduce threat intelligence to add context, which facilitates prioritisation and triage. Doing this helps to make better decisions, but the team also needs to be aligned and synchronised. This is challenging for many teams because they are dispersed and specialised. They need a consistent way in which to operate, so everyone is on the same page, while still focusing on their role in the decision-making process. Achieving this requires situational intelligence and working within a seamless collaborative environment. In the end, doing all the above positions teams for universal understanding which is the basis for making better decisions, faster.