Security operations efficiency: Do more with your existing staff

Assembly line workers at the Ford Motor company apply Frederick Taylor’s “Scientific Management” principles on an auto assembly line.

You’re thinking like Frederick Taylor, aren’t you? “Wait a minute,” you protest. “Who, what?” The name may not ring a bell, but his thought process, which made its debut in 1909, is probably having more of an impact on your IT security team than you realize.

Taylor was the father of “scientific management,” which posited that there was one “right way” to perform a task. Henry Ford, the father of mass production, was one of his biggest fans.

“Taylorism” was the precursor of today’s business process modeling techniques. It involved in-depth studies of motion and time, where men with stopwatches would observe workers performing tasks. After a scientific analysis, the “time study man” would recommend the correct procedure, never to be altered. For better or worse, we’re still living in Taylor’s world.

IT security workflows

IT security workflows (another term that has its roots in Taylorism) are based on the idea that each step in a process should take a specific amount of time. In alert management, for example, a few minutes are needed to assess the threat, a minute to open a ticket, a minute to send an email and so forth. The more steps there are, the more time it takes. If assessing a threat takes five minutes, a team member can do approximately 12 per hour. If you have 1,000 threats a day, you will need about 84 person-hours per day to take care of them (i.e. a team of 10 working full time).

If you have 10,000 threats a day, as many large organizations do, you are going to have to ignore a lot of them, because even if you have the budget to hire a staff of 100 security operations personnel, the chances are you can’t hire and retain 100 qualified employees. In fact, according to a 2015 analysis of Bureau of Labor Statistics data by the Peninsula Press, there are currently over 209,000 unfilled cybersecurity positions in the U.S. alone. The answer to more security alerts cannot always be to add more staff.

Security operations efficiency is, in effect, Taylorism applied to the security team, but with some limits. A process can only be performed a certain number of times in a given period. In the current era, we’ve updated Taylor’s concepts with phrases borrowed from tech, like “I have bandwidth” or “I’m running out of cycles.”

Automated incident response for manual, tedious tasks

Automated incident response and security orchestration can radically improve the efficiency of your security operations team by automating otherwise tedious and time-consuming security management tasks and by centralizing the data from disparate tools, so that your staff can quickly make informed decisions when needed. The security team is now able to define and model its alert response processes within the software and automate them.

With automated incident response, your security operations team can automatically:

  • programmatically open and close tickets
  • send emails to key stakeholders
  • process suspicious email attachments for analysis
  • automatically execute a remediation plan and/or flag an incident for additional review

                                    As Is    With Automation
Time to process alert (hours)         0.1               0.01
Alerts processed per person/shift      80                800

This is great news for security managers. As the simple table shows, if the time to process an alert can be cut from 0.1 hours to 0.01 hours with automated incident response and security orchestration, the alert processing capacity of the IT security staffer grows tenfold. Security operations efficiency is improved, and a team of 10 can now handle 8,000 alerts a day.
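As an added illustration (not code from the post or from Swimlane), the capacity arithmetic behind the table as a small Python model: a workflow of steps with assumed manual and post-automation durations, chosen so the totals reproduce the table's 0.1 h and 0.01 h per alert, and the headcount a given daily alert volume then requires.

```python
"""Capacity model behind the as-is / with-automation table (constructed example)."""
from dataclasses import dataclass
from math import ceil, floor


@dataclass(frozen=True)
class Step:
    """One step of the alert-handling workflow."""
    name: str
    manual_minutes: float     # analyst time when the step is done by hand
    automated_minutes: float  # residual analyst time once a playbook runs it


# Constructed workflow (assumed durations, not figures from the post); the
# totals deliberately add up to the table's 6 min manual / 0.6 min automated.
ALERT_WORKFLOW = [
    Step("assess threat with gathered context", 3.0, 0.3),
    Step("open ticket", 1.0, 0.0),
    Step("email stakeholders", 1.0, 0.0),
    Step("detonate suspicious attachment", 0.5, 0.0),
    Step("execute remediation plan or flag for review", 0.5, 0.3),
]

SHIFT_HOURS = 8


def minutes_per_alert(workflow, automated):
    """Total analyst minutes per alert, manual or with orchestration."""
    return sum(s.automated_minutes if automated else s.manual_minutes for s in workflow)


def alerts_per_shift(workflow, automated, shift_hours=SHIFT_HOURS):
    """How many alerts one analyst can fully process in one shift."""
    per_alert = minutes_per_alert(workflow, automated)
    return floor(round(shift_hours * 60 / per_alert, 6))


def analysts_required(daily_alerts, workflow, automated, shift_hours=SHIFT_HOURS):
    """Full-time analysts needed so that no alert of the day is left behind."""
    total_minutes = daily_alerts * minutes_per_alert(workflow, automated)
    return ceil(round(total_minutes / (shift_hours * 60), 6))


def capacity_table(daily_alerts, workflow=ALERT_WORKFLOW):
    """The post's two-column comparison, plus headcount, for a daily volume."""
    return {
        mode: {
            "hours_per_alert": round(minutes_per_alert(workflow, auto) / 60, 3),
            "alerts_per_person_shift": alerts_per_shift(workflow, auto),
            "analysts_needed": analysts_required(daily_alerts, workflow, auto),
        }
        for mode, auto in (("as_is", False), ("with_automation", True))
    }
```

Running `capacity_table(8000)` shows the post's point in numbers: the same 8,000 alerts need 100 analysts by hand and 10 with the automated workflow.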

Better threat assessments through context and focus

Automating incident response helps you get more out of your team, at least according to the raw numbers. Frederick Taylor would be proud of the raw 10X efficiency gains. However, being purely Tayloristic about threat management ignores the mental strain of overseeing the process.

Under a manual alert management process, the mental strain overhead is immense. Security alert processing is not linear. Incidents stop and start. People get consulted and make changes to tickets over time. The number of details and work tracks the IT staffer has to keep in mind can explode. If someone is following 100 alerts, each of which has 5 processing steps and, for the sake of argument, three stakeholders with input, that’s 1,500 details to stay on top of.

Even with security automation, the mental overhead challenge still exists. If each of your staff now manages 800 alerts a day but lacks an effective way of visualizing what’s going on or tracking follow-up process steps, they will get confused, stressed out and make bad decisions using incomplete or wrong data. That’s not good.

Introducing Swimlane for automated incident response

Swimlane centralizes security operations activities with its security automation and orchestration solution. Swimlane tracks all enterprise security tasks and integrates with all your disparate security applications to present a holistic view of your entire security situation. It provides centralized access to cases, reports, dashboards and metrics for both individuals and teams. This centralization and visual modeling gives security staffers the ability to oversee large numbers of alerts with all the contextual information they need to make good decisions, all in a single pane.

What’s more, Swimlane allows for centralized orchestration of all your remediation tools, responses and reporting. Working with Swimlane, the security team can speed up its pace of threat response without being overwhelmed.

Swimlane is the centralized automated incident response and security orchestration solution with an intuitive visual interface, and flexible advanced integration that keeps the alert management process highly automated even when it frequently changes. Improve your security operations efficiency with Swimlane and ensure that no alert gets left behind.

To see if security automation and orchestration would be helpful to your organization, contact us at 1.844.SWIMLANE or schedule a demo.

*** This is a Security Bloggers Network syndicated blog from Swimlane (en-US) authored by Kevin Broughton. Read the original post at: