SBN

How Sharing Content Improves Incident Response

Is your security team swamped by an unending deluge of alerts?

79% of security teams feel overwhelmed by the volume of threat alerts.

Too often, security operations (SecOps) teams are inundated with endless security alerts and are forced to respond with inefficient and time-consuming manual tasks. In fact, according to an analyst report by Enterprise Management Associates (EMA), “79 percent of security teams” feel “overwhelmed by the volume of threat alerts.”

Far too many organizations are left with limited resources when it comes to implementing the incident response processes that best meet the specific requirements of their unique environments. Making matters worse, security teams often invest significant amounts of time and resources devising countermeasures to defend against specific threats only to have other teams (both inside and outside the organization) repeat that work to achieve the same security goal, wasting resources in the process.

#SecOps teams need to be prepared to collaborate with others to secure our collective digital future. #SinkOrSwimlane

Claroty

Whether it involves monitoring the environment, informing the organization of attacks and vulnerabilities, or creating standards and protocols, organizations across the globe that face similar issues are feverishly building nearly identical responses to the same threats. SecOps teams need to be prepared to collaborate with other security teams to secure our collective digital future.

The need for collaboration

Effective incident response requires integrating a wide range of processes, people and technologies and likely involves orchestrating myriad tools. #SOAR

Effective incident response requires integrating a wide range of processes, people and technologies and likely involves orchestrating myriad tools. To keep up with the dizzying pace of alarms, complex IT environments, unique internal requirements and a proliferating collection of security tools, SecOps teams often create a seemingly endless playbook of one-off processes and procedures. Because false positives and low-level attacks result in these time-consuming manual tasks and repetitive procedures, security teams often struggle to analyze and remediate novel threats in a timely manner.

Unfortunately, security sharing is still limited because many organizations are reluctant to share information that they believe bad actors could use against them. Consequently, collaboration is often limited to the most high-level interactions (i.e., identifying and sharing the existence and basic characteristics of new threats). This needs to change.

Collaborate to improve incident response

As an industry, we need to move beyond the ‘what’ of a threat and focus on the ‘how’ to prevent it. #SinkOrSwimlane

Threat intelligence is a broad category of information, and much of it can be shared to benefit the larger security community.

Imagine doing an in-depth investigation, hunt or mitigation, and then being able to share that process in real time with another organization, allowing that organization to leverage their skills and expertise to increase the efficacy of your collective security operations centers (SOCs).

While organizations are open and somewhat participatory in sharing some forms of security information, like indicators of compromise (IOCs)—i.e., an IP address, file hash, email address, a domain or a URL—this type of collaboration is focused on detection based on rudimentary, preventive capabilities. As an industry, we need to move beyond the what of a threat and focus on the how to prevent it from causing irreparable damage.

As an example, incident response playbooks reveal what to do in order to respond to a threat effectively. They help security teams select the workflow that’s best suited for a specific threat, but threat response data points can change rapidly. As a result, searching for behaviors instead of specific data points better equips organizations with information surrounding how to respond to and stop threats. Armed with the resources to prevent breaches and hunt for other threats while bolstering the security industry as a whole, collaboration is the future of security.

As the threat landscape continues to grow and evolve, duplicating efforts will only get more expensive and exhausting. Cross-industry collaboration can help us level the playing field.


*** This is a Security Bloggers Network syndicated blog from Swimlane authored by Ellyn Kirtley. Read the original post at: https://swimlane.com/blog/sharing-content-improves-incident-response/