Why even 99 percent isn't good enough for incident response

In most professions and industries, a 99 percent success rate for any objective would be more than adequate—it would likely be unprecedented. Security analytics operations and reporting, however, is an area where that leftover 1 percent can spell disaster for an organization.

Security operations centers in today’s enterprises are inundated with thousands of security alerts every day from detection tools and, in many cases, are suffering from information overload. With so many alerts to investigate, classify and generate reports for, the reality for cybersecurity professionals is that some of those alerts in the queue are going to be ignored, either unintentionally or because there simply isn’t enough time to investigate them thoroughly.

The problem for these often overwhelmed organizations is that ignoring even one key security event, regardless of severity, can be the difference between a thwarted and successful attack; and as recent high-profile data breaches have proven, a successful attack exposes an organization to tremendous risk and can rock it to its foundation.

Faced with the alert deluge, companies are essentially left with two options:

  1. Spend capital to hire new information security staffers
  2. Increase capacity and productivity for existing staff

While having a few extra sets of eyes on cybersecurity is certainly not a bad idea, the numbers make clear that even the largest organizations are not going to be able to staff proportionally to the increase in cyberattacks. Symantec’s 2015 Internet Security Threat Report, for example, found that attacks on big businesses rose 40 percent in 2015 and total ransomware attacks grew by a staggering 113 percent last year. In other words, ‘Option A’ alone is not a sufficient strategy.

One way for organizations to ensure no alerts slip through the cracks is to automate incident response for the more administrative tasks and low-priority alerts so that they can be addressed in near real-time, freeing up senior staff for the more sophisticated events. Put another way, organizations can benefit greatly from adding the same ‘machine speed’ capability to threat resolution that exists in today’s excellent threat detection solutions.

If security operations management reaches a point where all alerts are addressed either by threat resolution tools or information security professionals, organizations can ensure no single alert is ignored—in other words, going from 99 percent to 100.

*** This is a Security Bloggers Network syndicated blog from Swimlane (en-US) authored by Cody Cornell. Read the original post at:

Avatar photo

Cody Cornell

Cody is responsible for the strategic direction of Swimlane and the development of our security orchestration, automation, and response (SOAR) platform. At Swimlane we advocate for the open exchange of security information and deep technology integration, that maximizes the value customers receive from their investments in security operations technology and people. Collaborating with industry-leading technology vendors, we work to identify opportunities to streamline and automate security activities saving customer operational costs and reducing risk.

cody-cornell has 132 posts and counting.See all posts by cody-cornell