The security operations center faces significant challenges in the form of data overload and the resulting increases in ingestion costs. But companies looking to sufficiently protect their systems also face heavy pressure inside their own four walls.
To overcome this challenge, they must manage and alleviate internal pressure that pops up from things like alert overload, skill shortages, analyst retention and growth, and an overall lack of time and resources. It won’t be easy, but as we’ve worked to understand how those pressures manifest within our own client base, we’ve developed approaches that any operation can take to reduce the burden and point their resources in the right direction.
Optimizing alerts and reducing false positives
The increases in data ingestion call for solutions to the challenges caused by a growing volume of alerts pinging at security personnel. It’s vital that companies strike the right balance to manage alert overload without compromising detection. Endpoint detection and response (EDR), for one, is proving to be a critical piece of the equation—our analysis shows that EDR is highly effective and generates lower data volumes and a higher percentage of “true positives” than other detection methods. But for all its upside, EDR is not comprehensive.
To fully and accurately discern false positives from true positives, companies need to take a broad approach that captures malicious activity not only at the target level, but as it enters the environment. Adding additional detection capabilities and employing data standardization can help us quiet some of the alert noise. Holistic Security Operations, hyperautomation and enrichment take things a step further still, helping contextualize alerts with greater detail so that they can be prioritized based on risk, exposure, and the potential business and operational impact.
Time considerations
Companies increasingly face internal pressure from an overall lack of time and resources. So, it’s crucial that they take measures to save time where possible—and where it won’t compromise security. That can include:
- Number of alerts: Finding ways to cut down on the total number of alerts hitting the security operations center is a sure-fire way to get time back. It’s not easy to do it right. As discussed, reducing alert overload requires not only strong endpoint detection but a combination of additional strategies.
- Enrichment, validation, and triage: Companies can accelerate enrichment, validation, triage, and impact assessment by implementing hyperautomation and establishing data standards. That will enable expedited enrichment searches and enrichment from non-standard open-search intelligence or external searches, and will facilitate the use of complex playbooks for validation and triage.
- Collecting context: It’s difficult to enhance security without a complete view of how threat actors are seeking to penetrate defenses. So, companies must take care to collect context and historical data points that not only further reduce alert load, but also help teams train and advance analysts.
Effective response and remediation
It’s important to ensure analysts are well-trained and up-to-speed on the latest risk information, because they play a key role in helping companies more efficiently move through threats and clear the alert queue. Analysts decipher true positives from false positives and escalate cases as necessary.
Those analysts need all the available information and context at their fingertips to do their job effectively. Reducing the time it takes to investigate, respond, or take action will ultimately alleviate internal pressure on analysts, improving operational efficiency.
Yet these are not simple, one-time exercises. Regaining time is an ongoing process that takes a long-term commitment. Companies should aim to find the right dual-focus on high-quality analysis and effective, efficient response—and then to regularly review their programs and capabilities to find new ways to improve and save cost.
Toward truly effective responses
For many companies, the greatest challenge today is overcoming status quo. It’s easiest to continue throwing bandaids on deeper problems, but the successful security teams will be the ones that rethink their strategies from the ground up. The long-term solutions will meld hyperautomation, standardizing and decentralizing data locations, and trained unified AI guides. Those measures will alleviate stress on over-tasked security analysts and allow security teams to more efficiently investigate issues and elevate the ones that present the most risk.
If insanity is doing the same thing over and over again and expecting a different result, companies that continue to wish away alert overload, skill shortages, and a lack of resources are headed for the asylum. It’s time security operations evolve to meet the current demands of the market.
Ad