One of the biggest concerns of any cybersecurity analyst is whether they will be able to stop an attack before it does any damage. Making sense of the flood of alerts is, in itself, a time-consuming task. As networks become more complex and attacks more advanced, it becomes difficult to hit incident response targets. With the right network security tools, however, your organization can very quickly detect, prioritize and remediate threats.
Triage: The Key to Improved Incident Response Times
Effective network security begins with triaging each security alert as it comes in. In triage, threats are prioritized based on risk. Any organization's network experiences a constant influx of alerts about anomalies or potential threats. Many of these will be false positives: they will ultimately be identified as normal, benign activity. Others will require immediate attention. Telling these categories apart, and doing so quickly, is essential.

Triage controls how resources are allocated to the investigation and remediation of different types of threats. Once threats are detected, they have to be addressed, but no organization has limitless resources. On a practical level, the team responsible for network and information security needs to prioritize its potential issues as effectively as possible.

Many organizations are not set up to properly triage their security alerts. With a number of security solutions, every alert may appear to have the same priority level. Older security solutions are also more likely to produce false positives, and these false positives waste time that could be spent on higher priority issues. When everything is left to an organization's IT team and analysts, they must spend a great deal of their time identifying threats, researching them and finding the best way to manage them. Even the most effective IT team may not be able to repeat this process for every threat that arrives, nor deal with these threats quickly enough while still managing day-to-day tasks.

The answer is smarter network security tools: solutions that provide fast and effective triage. Effective triage means an organization can scale up with fewer resources and, most importantly, limit the likelihood of a data breach.
Effective Triage = Smarter Network Security Tools
For most organizations, manual triage is nearly impossible; a solution needs to be in place to sort through all of the data and accurately prioritize each alert. Security tools using machine learning can automate much of the triage process, so your IT professionals can step in immediately with an already prioritized and consolidated list of alerts. With the right network security tool, analysts can sort through the clutter in four ways:
Minimizing false positives
Even a small false positive rate can result in a large percentage of alerts being false positives, as illustrated in this blog post. Advanced security tools can filter out irrelevant notifications, so an incident response is triggered only when it is truly warranted. Older systems are not very accurate at detecting threats, and consequently they err on the side of alerting in order to be safe. While this may prevent a malicious attack from sliding through, it also wastes a great deal of time on false positives. Rather than sending analysts large numbers of potential threats, a good security solution sends them only the threats they truly need to address.
Prioritizing your alerts
High priority threats can be automatically labeled as such, while mid-level and low-level threats are listed at a lower priority. Your IT team will not need to work out which threat to tackle first, reducing the time spent strategizing. Alert prioritization requires a security tool sophisticated enough to identify not only the threat but also the level of risk it presents. This often requires fairly advanced software, because it must produce an accurate risk assessment for attacks that may never have been seen before.
Offering detailed data
When it comes to reducing incident response time, the why of an alert is just as important as (and in some ways more important than) the what. Put another way, analysts need data to do their jobs, and if an alert provides no context, the security expert has no choice but to go on a potentially wild goose chase. Context could include, for example, the specific actions a suspicious file or URL is programmed to execute, rather than a simple indication that the file is suspect. An important component of data prioritization is the ability to identify individual alerts as components of larger attacks and give analysts information about an overarching incident that may be made up of multiple stages. An older system will only see multiple small, disassociated alerts rather than understanding their context.
Automatically removing smaller threats
Advanced network security solutions can also automatically remediate some threats, as well as quarantine threats for subsequent investigation. Many well-known or easily recognized attacks can now be detected and dealt with automatically rather than requiring the work of an analyst. Though threats are constantly evolving, this doesn't mean the less advanced threats have gone away; they are still used at high volume because they cost the criminals very little in terms of resources.

Finally, triage isn't just about speed; it's also about the ability to do more with less. Given that network environments are growing rapidly, and given the challenges of finding qualified candidates for open security positions, companies need to be able to manage their networks with limited resources. With more advanced network security solutions, they can quickly and effectively resolve threats before they become serious problems.
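The four capabilities above, and the base-rate point made under "Minimizing false positives", as a small added example in Python (this is not Tripwire's or the author's code; the alerts, rule names, confidence threshold and auto-remediation list are all constructed for illustration):

```python
# Added example: a toy triage pass over constructed alerts.
from collections import defaultdict

# Constructed sample alerts: severity is impact (1-10), confidence is the
# detector's belief that the alert is real (0-1).
ALERTS = [
    {"id": 1, "host": "ws-17", "rule": "port-scan", "severity": 3, "confidence": 0.95},
    {"id": 2, "host": "ws-17", "rule": "powershell-encoded", "severity": 8, "confidence": 0.8},
    {"id": 3, "host": "db-02", "rule": "failed-logins", "severity": 4, "confidence": 0.2},
    {"id": 4, "host": "ws-17", "rule": "c2-beacon", "severity": 9, "confidence": 0.9},
    {"id": 5, "host": "fs-01", "rule": "known-malware-hash", "severity": 7, "confidence": 0.99},
]

AUTO_REMEDIATE = {"known-malware-hash"}  # assumed: rules trusted for auto-handling
MIN_CONFIDENCE = 0.5                     # assumed: below this, likely false positive

def priority(alert):
    """Risk score = impact x likelihood; this orders the analyst queue."""
    return round(alert["severity"] * alert["confidence"], 2)

def triage(alerts, min_confidence=MIN_CONFIDENCE):
    """Suppress likely false positives, auto-remediate known threats,
    correlate the rest into one incident per host, and rank incidents."""
    suppressed, auto, incidents = [], [], defaultdict(list)
    for a in alerts:
        if a["confidence"] < min_confidence:
            suppressed.append(a["id"])        # minimizing false positives
        elif a["rule"] in AUTO_REMEDIATE:
            auto.append(a["id"])              # automatically removing smaller threats
        else:
            incidents[a["host"]].append(a)    # offering detailed data: multi-stage context
    queue = [{
        "host": host,
        "priority": max(priority(a) for a in group),
        "stages": [a["rule"] for a in sorted(group, key=lambda a: a["id"])],
    } for host, group in incidents.items()]
    queue.sort(key=lambda i: i["priority"], reverse=True)  # prioritizing alerts
    return {"queue": queue, "auto_remediated": auto, "suppressed": suppressed}

def expected_precision(base_rate, tpr, fpr):
    """Fraction of raised alerts that are real, given how rare attacks are.
    With a 0.1% base rate, even a 1% FPR leaves under 10% of alerts genuine."""
    tp = base_rate * tpr
    fp = (1 - base_rate) * fpr
    return tp / (tp + fp)
```

`expected_precision` is the arithmetic behind the false-positive point: at a 0.1% attack base rate, 99% detection and a 1% false positive rate, roughly nine of every ten alerts are still noise.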
About the Author: Bert Rankin has been leading technology innovation for over 25 years including over 5 years in security solutions that prevent cybercrime. He is a frequent blogger and is often quoted in security-related articles. Bert earned his BA from Harvard University and an MBA at Stanford University. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.