A lack of business context for the affected service or resource further exacerbates the problem by treating all threats equally, making it difficult to focus security teams on high-priority attacks. Frankly, they struggle to answer the fundamental question: "Are we secure, and are things getting better or worse?" because they are unable to establish baseline metrics for their security posture that they can track over time. Without this understanding, they lack the ability to strengthen the infrastructure and improve their response. The results are an overflow of events, inefficient security operations, and missed attacks that increase the risk of data loss or theft.
Implementing automated workflow and systems management capabilities enables you to map threats, security incidents and vulnerabilities to business services, IT infrastructure and even the owner of the asset. This mapping enables threat prioritization based on business impact, ensuring security teams are focused on what has the most impact to the business.
Everyone talks about automation. A lot of people end up automating themselves more work. What do security leaders need to think about to get automation right?
First, you can't automate what you don't understand. If they haven't yet done so, the first steps are to establish baseline metrics for their security posture that they can track over time, and to develop an incident response action plan that addresses an organization's unique business services and IT architecture. This provides the response blueprint not just for IT and security, but also for other relevant departments such as legal or corporate communications.
The automated response workflow can be customized to the exact specifications of an organization's security response run-book. For organizations that do not have one yet, they can follow the National Institute of Standards and Technology (NIST) best practices for security incident handling. Response coordination and requests that require multiple dependent tasks executed by multiple teams can be automatically created and assigned based on the incident attributes to ensure adherence to the response action plan and keep everyone in the loop. This reduces manual errors or missed communication steps when responding to an incident, increasing productivity and effectiveness.
The platform should track all activities in an incident lifecycle, from analysis and investigation to containment and remediation of the incident. Upon closure of the incident, assessments are distributed across the team and a post-incident review (PIR) documenting all incident-related activities is automatically created as a historical audit record.
The team should realize some important time- and cost-saving benefits immediately. For example, streamlined remediation enables security incidents and vulnerabilities to automatically trigger patching and configuration changes. No more manual processes. Additionally, automating basic jobs improves the bandwidth of the security analysts and response teams to respond more efficiently to attacks and incidents. Teams reduce the time required to identify and contain incidents and vulnerabilities, ultimately reducing an organization's overall risk.
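The two mechanisms described above, mapping an alert to the business service and asset owner so it can be prioritized by business impact, and creating dependent run-book tasks from the incident's attributes, can be sketched in a few dozen lines. The following is an added example written for this article, not code from the interviewee or any vendor platform; the asset inventory, alert records, scoring weights and task rules are all constructed, and the `Incident` class, `enrich`, `build_tasks` and `prioritize` functions are hypothetical names for this illustration.

```python
"""Alert enrichment with business context and rule-driven response tasks.

Added illustration for this interview, not any product's code. The asset
inventory, alerts, weights and task rules below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed asset inventory: the "business context" the interview says
# most teams lack. Keyed by hostname.
ASSET_INVENTORY = {
    "db-prod-01": {"service": "Customer Billing", "criticality": "high",
                   "owner": "payments-team", "data": "PII"},
    "web-prod-03": {"service": "Public Website", "criticality": "medium",
                    "owner": "web-team", "data": "public"},
    "dev-vm-17": {"service": "Developer Sandbox", "criticality": "low",
                  "owner": "platform-team", "data": "none"},
}

# Constructed weights: priority = alert severity x business criticality.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
CRITICALITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Incident:
    alert_id: str
    host: str
    severity: str
    category: str            # e.g. "malware", "vuln", "unauthorized-access"
    service: str = "unknown"
    criticality: str = "low"
    owner: str = "unassigned"
    data: str = "none"
    priority: int = 0
    tasks: list = field(default_factory=list)


def enrich(alert: dict) -> Incident:
    """Attach service, owner and criticality from the inventory, then score.

    An unknown host gets the lowest criticality and stays visible rather
    than being dropped, so inventory gaps show up in the queue.
    """
    ctx = ASSET_INVENTORY.get(alert["host"], {})
    inc = Incident(alert_id=alert["id"], host=alert["host"],
                   severity=alert["severity"], category=alert["category"],
                   service=ctx.get("service", "unknown"),
                   criticality=ctx.get("criticality", "low"),
                   owner=ctx.get("owner", "unassigned"),
                   data=ctx.get("data", "none"))
    inc.priority = SEVERITY_WEIGHT[inc.severity] * CRITICALITY_WEIGHT[inc.criticality]
    return inc


def build_tasks(inc: Incident) -> list:
    """Create the dependent run-book tasks (task, assignee) keyed on incident
    attributes. These rules are constructed, not NIST text."""
    tasks = [("triage", inc.owner)]          # asset owner confirms impact
    if inc.category == "vuln":
        tasks.append(("patch-or-reconfigure", inc.owner))
    else:
        tasks.append(("contain", "soc"))
        tasks.append(("eradicate", "soc"))
    if inc.data == "PII":                    # pull in legal early
        tasks.append(("legal-notification-review", "legal"))
    if inc.criticality == "high":            # keep stakeholders in the loop
        tasks.append(("stakeholder-update", "corp-comms"))
    tasks.append(("post-incident-review", "soc"))
    inc.tasks = tasks
    return tasks


def prioritize(alerts: list) -> list:
    """Enrich every alert, assign tasks, return highest business impact first."""
    incidents = [enrich(a) for a in alerts]
    for inc in incidents:
        build_tasks(inc)
    return sorted(incidents, key=lambda i: i.priority, reverse=True)


# Constructed alerts: ordering by raw severity alone would put the sandbox first.
SAMPLE_ALERTS = [
    {"id": "A-1", "host": "dev-vm-17", "severity": "critical", "category": "malware"},
    {"id": "A-2", "host": "db-prod-01", "severity": "high", "category": "unauthorized-access"},
    {"id": "A-3", "host": "web-prod-03", "severity": "medium", "category": "vuln"},
]

if __name__ == "__main__":
    for inc in prioritize(SAMPLE_ALERTS):
        print(inc.alert_id, inc.service, inc.owner, inc.priority,
              [name for name, _ in inc.tasks])
```

Run as-is, the billing database incident (high severity on a high-criticality, PII-bearing asset) moves to the top of the queue ahead of the "critical" sandbox alert, and it is the only one that spawns legal and corporate-communications tasks; the vulnerability on the web server gets a patch task assigned to its owner instead of containment steps. The multiplicative score is a placeholder; the design point is that the inventory lookup and the task rules are data, so they can be edited to match an organization's own run-book without changing the code.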