According to a report by Kaspersky, the average cost of a data breach in North America was $1.3 million for large enterprises and $117,000 for small and medium-sized businesses. With global spending on cybersecurity products and services predicted to exceed $1 trillion over five years, from 2017 to 2021 according to Cybersecurity Ventures, it's safe to say that security is a primary concern for organizations today.
Recent incidents like the WannaCry ransomware attack, the marketing database breach at Dun & Bradstreet and Yahoo’s official confirmation of its 2013 data breach are only the tip of the iceberg.
As IT leaders are compelled to disrupt and innovate continuously, the chances of vulnerabilities and risks continue to escalate. And let’s not forget the emerging complexities arising from the use of IoT-enabled connected devices, the rise of cloud adoption, hybrid IT, the expansion of enterprise mobility, BYOD policies, and the influx of numerous fragmented SaaS applications within the enterprise IT framework.
The World Economic Forum rates a large-scale breach of cybersecurity as one of the five most serious risks facing the world today. Before delving into the need to automate your enterprise security response, let’s take a quick look at common vulnerabilities and threats.
If you are IT or security personnel, you may be using several protection, detection and visibility products in your organization. An average enterprise today uses 75 security tools (Source: CSOOnline). This results in redundancy and the need to hire even more security experts to manage these products.
These tools are often siloed and generate significant amounts of data and events, overwhelming both IT and security teams who have to manually categorize and prioritize incidents based on their risk profile. Although organizations are investing heavily in prevention, they still lack the capability to contain breaches. Learn about INRY's approach to safeguard Enterprises against threats and vulnerabilities.
According to a 2017 survey by Ponemon Institute, it took respondents 191 days to spot a breach caused by a malicious attacker, and 66 days to contain it. Another survey by eSecurity Planet reveals that 98 percent of North American IT professionals admitted having challenges with their incident response capabilities.
Let’s dive deeper into common reasons that typically cause delays in responses or at times, lack of a security response altogether.
As seen in the image above, a typical security incident investigation process has 10 stages. Starting from prioritization to categorization to looking for file hashes, every stage has an analyst assigned to it.
As a result, there is a lot of manual and time-consuming work involved, which in turn increases the likelihood of human error. Moreover, your team’s productivity also decreases as they are not able to devote their time to business-critical work that does require human attention.
Traditionally, security responses are high touch and reactive by nature. They are mostly managed through phone or email conversations and tracked using spreadsheets. Typically there is a lack of documentation or knowledge base leading to a reliance on historical knowledge.
In many organizations, IT and security teams work in silos, even if they are seated right next to each other, resulting in flawed coordination during the investigation process. This lack of a robust, structured workflow and coordination among teams significantly affects response times.
All of these factors combined not only increase your time to respond, they also stop you from nipping the threat in the bud: preventing an attack from happening in the first place and reducing its overall impact.
To understand this better, let’s take a look at a typical SecOps scenario: Phishing
Hackers use a variety of phishing techniques such as:
Companies usually take numerous steps to prevent phishing attacks like:
For example: Despite all these precautions “Joe” from marketing accidentally clicks on a malicious link and reports the incident via email or call. From there, the Incident Response Team follows the playbook. As evidenced by the workflow above, there are many manual processes in which each step slows down your team’s ability to resolve the threat efficiently.
A powerful security response strategy isn’t just about identification, protection and confinement. It also involves automating those specific processes within your response workflow that don’t specifically require human intervention.
Rapid remediation is a critical part of a successful cybersecurity protection program, and organizations need to have strong response mechanisms in place. Think about it: with a constantly disrupted technology landscape, new threats are bound to emerge and hackers will find ways to circumvent your defense systems.
Given the current environment, it is safe to assume that attacks are likely to happen and hackers will always be a step ahead. You can familiarize yourself with existing attacks, targeted assaults or emerging methods (we don’t know what we don’t know).
But it's not the occurrence of the attack that needs to be your immediate concern, it is:
Hiring more security analysts is one option, but it will significantly increase your operational costs and resources. Moreover, if your security event response doesn’t follow a blueprint, bringing in more people to manage new tools or processes will add to the existing chaos. On top of that, there is a serious shortage of cybersecurity skills in the market. In a recent survey by ESG, it was found that 51% of IT and cybersecurity professionals claimed their organization had a problematic shortage of cybersecurity skills.
By strategically introducing automation into your security response strategy you can:
If you have a definitive blueprint for orchestrating security event response, check which areas can be automated and which ones need an analyst's brain. This doesn’t mean you use a machine to orchestrate the entire activity. Take a bite-sized approach. Shortlist those processes which are:
Perhaps a machine can take over identifying and extracting IPs, or running repetitive processes. Measure the average response time before and after automating each process.
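As an added example that is not from the post or from INRY: a rule-based first pass over a user-reported phishing email, the kind of repetitive step in the playbook above that a machine can take over before an analyst looks. It extracts the IPs, URLs and file hashes, drops internal addresses that are not worth enriching, and sets a queue priority from the rules that fire. The sample email, the trusted-domain list and the priority thresholds are assumptions.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample report (not from the original post): 203.0.113.0/24 is a documentation
# range and the md5 is a placeholder, not a real indicator.
REPORTED_EMAIL = """From: helpdesk@example.net
Your account will be locked. Reset here: http://203.0.113.45/reset?user=joe
Internal portal: https://intranet.example.com/login
Attachment md5: 0123456789abcdef0123456789abcdef
"""
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
MD5_RE = re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE)
FROM_RE = re.compile(r"^From:.*@([\w.-]+)", re.MULTILINE)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (  # RFC 1918, loopback, link-local
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def extract_indicators(text):
    """Pull externally routable IPs, URLs and MD5 hashes out of a reported email."""
    ips = set()
    for candidate in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)  # rejects octets above 255
        except ValueError:
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            ips.add(candidate)
    return {"ips": sorted(ips), "urls": sorted(set(URL_RE.findall(text))),
            "hashes": sorted({h.lower() for h in MD5_RE.findall(text)})}

def _trusted(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(text, trusted_domains=("example.com",)):
    """First pass of the phishing playbook: fired rules are reasons to look; the count sets priority."""
    ind = extract_indicators(text)
    sender = FROM_RE.search(text)
    reasons = []
    if sender and not _trusted(sender.group(1).lower(), trusted_domains):
        reasons.append("external sender " + sender.group(1).lower())
    for url in ind["urls"]:
        host = (urlparse(url).hostname or "").lower()
        if IPV4_RE.fullmatch(host):
            reasons.append("raw-IP link " + host)
        elif not _trusted(host, trusted_domains):
            reasons.append("untrusted link host " + host)
    priority = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
    return {"priority": priority, "reasons": reasons, **ind}
```

The returned reasons are the audit trail an analyst sees alongside the ticket, so the automation stays explainable rather than a black-box score.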
Achieving the perfect blend of human involvement and automation in your response framework is tough, but with the right automation and orchestration platforms, it is now achievable. In fact, according to Gartner, by 2019, 40% of large enterprises will require specialized, automated tools to meet regulatory obligations in the event of serious information security incidents.
Business-centric digital transformation principles can be applied to Security Operations as well.
Some of them can include:
We believe for an organization to achieve these principles, you need to:
Again, in order to support such transformation, using the right automation and orchestration platform is advisable.
You may consider ServiceNow Security Operations, which enables you to connect your existing security tools to prioritize and swiftly respond to security events, based on their potential impact on your business. It brings together the power of the NOW platform to drive transformation.