There has been a lot of discussion lately about the cyber skills shortage. There’s no question that our industry must do more to provide education about cyber security and to encourage more students to launch on this path. But in the meantime, there is much that can be done to improve efficiency and alleviate the shortage by changing the way we work.
Today there is a mismatch between the complex, multi-stage cyber attacks and our disjointed approach to containing them. According to a 2016 survey by PWC, 91% of organizations follow a risk-based cyber security framework, yet 38% more incidents occurred in the past year and theft of intellectual property grew by 56%. The typical security team uses a number of silo point solutions that generate hundreds or thousands of alerts each day. This approach to security operations is taking its toll. Some effects include:
- Alert fatigue – Due to the high rate of false positives, large numbers of alerts are simply ignored.
- Lengthy manual investigations – Data related to security incidents is either partial or not readily available, while it’s hard to cross-reference between data from siloed systems.
- Lack of integrated forensics – Network and endpoint forensics are often handled in separate systems and are limited to post-attack analysis.
- Incomplete attack picture – Analysts lack a single shared repository where all evidence is documented across all sensors.
- Shortage of resources and skills – Few organizations are able to source enough skilled security analysts to use the tools they already have to investigate the incidents that are surfacing.
To even the battlefield, organizations need a different approach for detecting and investigating APTs and other advanced cyber attacks.
A Different Approach: Intelligence-Driven Automated Investigation
The current generation of security technology undoubtedly detects a great deal of important information. We fail to make the most of it because the process of investigation – of sifting through the alerts, finding the connections, collecting forensics, determining the storyline of the attack – is taking way too long.
Fortunately, there is a better way. By automating security investigations, organizations can detect attacks earlier while dramatically improving the efficiency of their security operations.
The 6 Principles of an Effective, Automated Security Investigation
- Automate where it hurts the most
- Document everything to show the evidence and the rationale
- Combine the strengths of humans and machines
- Collect the right information
- Create unified workflows
- Model how attacks operate and use machines to mimic the way analysts investigate
These 6 principles drive an intelligence-driven approach to automated investigation that provides analysts with clear, complete storylines, along with all of the leads and evidence they need to make informed decisions. With intelligence-driven automation, every alert is investigated. And even less-experienced analysts can handle a large percentage of incidents.
To learn more, read our new white paper: Six Key Principles that Dramatically Improve the Efficiency of Security Operations.