Page 28 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
4. Automate, automate, automate
Automation is another key principle for achieving agile security operations, and it’s one that Microsoft
stresses in its alert fatigue mitigation plan. For most large organizations, automation is necessary to even
begin to alleviate alert fatigue. In a tight labor market, there simply are not enough skilled security experts
available to tackle a problem of this scale unless manual, repetitive processes are automated. For alert
fatigue, basic alert correlation, checking alerts against watch lists, and ingesting patches and updates
are all activities that should be automated to free up security professionals to focus on other activities,
such as threat hunting and remediation.
5. Include compliance as part of your automation efforts
In heavily regulated industries, many security alerts may directly tie back to your regulatory obligations,
but even if your business doesn’t need to comply with laws like PCI-DSS or HIPAA, new consumer
privacy laws, such as the GDPR in Europe and the CCPA in California, add obligations, and thus risks,
for a large swath of the economy.
As you seek to automate security tasks, be sure to investigate ways to tie compliance into the process,
which will streamline the overall process and reduce risks. For instance, Microsoft’s Purview Compliance
Manager helps organizations integrate compliance with security operations, ensuring that they keep up
with changing regulatory requirements and shifting risks.
6. Intelligently prioritize incident response
Not all alerts are created equal, and even actionable ones don’t all carry the same level of risk. Thus, it’s
important to prioritize the systems and applications that pose the biggest risks if breached or otherwise
damaged.
Prioritizing known attack vectors, actively watching for known high-risk behaviors like privileged access,
and maintaining an active watch list of known high-risk attackers will significantly cut down response
times by focusing your team on the most pressing, high-risk threats.
As you investigate how to reduce alert fatigue, be sure your security provider offers a Configuration
Management Database (CMDB) to provide real-time visibility into all of your networked assets. Ideally,
your CMDB should automatically track the changing state of those assets (patches, updates, etc.) and
correlate them with vulnerability scans and threat hunts.
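As an added illustration of points 4 and 6 (example code, not from the article or from any Microsoft product), a small Python triage pass that collapses duplicate alerts, checks sources against a watch list, flags privileged-access actions, and ranks incidents by CMDB asset criticality; the host names, addresses, weights and alerts are all constructed.

```python
from dataclasses import dataclass, field

# Constructed CMDB-style criticality map (1 = low, 5 = crown jewel), a watch list of
# known high-risk sources, and the actions treated as privileged (RFC 5737 test IPs).
CMDB_CRITICALITY = {"pay-db-01": 5, "hr-app-02": 4, "kiosk-17": 1}
WATCH_LIST = {"198.51.100.7"}
PRIVILEGED_ACTIONS = {"admin_login", "sudo", "add_to_domain_admins"}

# Constructed alerts in the shape a SIEM export might have.
RAW_ALERTS = [
    {"host": "pay-db-01", "src": "198.51.100.7", "action": "admin_login"},
    {"host": "pay-db-01", "src": "198.51.100.7", "action": "admin_login"},  # repeat
    {"host": "kiosk-17", "src": "203.0.113.9", "action": "file_read"},
    {"host": "hr-app-02", "src": "203.0.113.9", "action": "sudo"},
    {"host": "unknown-host", "src": "203.0.113.9", "action": "file_read"},
]

@dataclass
class Incident:
    host: str
    src: str
    action: str
    count: int = 0                      # raw alerts collapsed into this incident
    reasons: list = field(default_factory=list)
    score: int = 0

def correlate(alerts):
    """Collapse alerts sharing (host, src, action) into one incident with a count."""
    grouped = {}
    for a in alerts:
        key = (a["host"], a["src"], a["action"])
        grouped.setdefault(key, Incident(*key)).count += 1
    return list(grouped.values())

def score(inc, cmdb=CMDB_CRITICALITY, watch=WATCH_LIST, priv=PRIVILEGED_ACTIONS):
    """Risk = asset criticality, plus bonuses for watch-list sources and privileged actions."""
    crit = cmdb.get(inc.host)
    if crit is None:                    # unknown asset: flag it instead of silently scoring low
        crit = 3
        inc.reasons.append("host not in CMDB")
    inc.score = crit
    if inc.src in watch:
        inc.score += 5
        inc.reasons.append("source on watch list")
    if inc.action in priv:
        inc.score += 3
        inc.reasons.append("privileged action")
    return inc

def triage(alerts):
    """Correlate, score, and return incidents highest risk first."""
    return sorted((score(i) for i in correlate(alerts)), key=lambda i: i.score, reverse=True)
```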