Page 18 - Cyber Defense eMagazine April 2023

Issue One: Stopping security teams from being overwhelmed.

            Just about every article about cyber defense mentions alert fatigue, because it is a major issue in almost
            every organization. Security analysts are overwhelmed by the volume of alerts they receive and have no
            capacity left to reduce that volume. The outcome is stress and burnout, and then, inevitably, a missed
            threat and the serious breach that the organization was working so hard to avoid.

            There is no single silver bullet for alert overload. But many organizations are embracing automation,
            leveraging SOAR tools, to eliminate some of the slow, tedious, manual work that analysts currently
            need to perform.

            Simple mitigation tasks, such as isolating a suspect host and disabling compromised credentials, can
            be automated to reduce the risk of an initial attack escalating and give analysts more time to investigate
            and mitigate threats. Because these actions are disruptive, they should be gated on high-confidence
            detections and corroborating evidence, with exclusions for systems whose isolation would itself cause
            an outage.

            Additionally, the manual component of more complex investigation workflows – such as collecting and
            collating  evidence  –  can  be  automated  so  that  when  an  analyst  starts  an  investigation,  they  have
            everything they need at their fingertips, rather than having to gather evidence manually and/or request
            data from other teams, both of which can add unnecessary delays to investigations.

            Effective automation depends upon accurately identifying the type of threat that has been found and
            having  proven  playbooks  in  place  to  automate  investigation  workflows  and  streamline  the  human
            component of the process.

            The best place to look for automation opportunities is the most prevalent incidents, the ones that
            consume the most analyst time. A common example is phishing, where the investigation and remediation
            processes are relatively well-defined. Automating or streamlining common workflows like this can free up
            considerable analyst time, while also ensuring a consistent response.
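            The phishing playbook just described, as an added example that is not code from the article or from any
            SOAR product: it collates the evidence an analyst would otherwise gather by hand (sender and Reply-To
            domains, links, attachment hashes) with web proxy records from another team, produces a verdict, and only
            recommends the disruptive mitigations (host isolation, credential disabling) when the proxy log shows the
            recipient actually reached the phishing page. The message, proxy log lines, domains and allowlist are
            constructed for the example; the action names are hypothetical placeholders for whatever the SOAR tool
            actually calls.

```python
"""Phishing triage playbook: evidence first, then a verdict, then only the
actions the evidence justifies. Added example with constructed data."""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a message a user reported as phishing (hypothetical domains).
RAW_EMAIL = b"""From: "IT Helpdesk" <helpdesk@corp-example.com>
Reply-To: support@c0rp-example-login.net
To: alice@corp-example.com
Subject: Password expiry notice
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Your password expires today. Renew at http://c0rp-example-login.net/reset
--B1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invoice.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--B1--
"""

# Constructed web proxy log: the "data from another team" an analyst would otherwise request.
PROXY_LOG = """2023-04-03T09:12:01Z user=alice src=10.10.5.23 url=https://intranet.corp-example.com/home status=200
2023-04-03T09:14:37Z user=alice src=10.10.5.23 url=http://c0rp-example-login.net/reset status=200
2023-04-03T09:15:02Z user=bob src=10.10.5.40 url=https://news.example.org/ status=200
"""

TRUSTED_DOMAINS = {"corp-example.com", "intranet.corp-example.com"}  # hypothetical allowlist
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def domain_of(address):
    """Lower-cased domain of an RFC 5322 address string, '' if absent."""
    _, addr = parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()


def extract_indicators(raw):
    """Pull the indicators an analyst would otherwise collect by hand."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = sorted(set(URL_RE.findall(text)))
    attachments = [{"name": p.get_filename() or "",
                    "sha256": hashlib.sha256(p.get_payload(decode=True) or b"").hexdigest()}
                   for p in msg.iter_attachments()]
    to = msg["To"]
    return {"sender_domain": domain_of(msg["From"]),
            "reply_to_domain": domain_of(msg["Reply-To"]),
            "recipients": [a.addr_spec for a in to.addresses] if to else [],
            "urls": urls,
            "url_domains": sorted({urlparse(u).hostname or "" for u in urls}),
            "attachments": attachments}


def find_clicks(proxy_log, urls):
    """Which users, from which hosts, actually fetched one of the phishing URLs?"""
    wanted, hits = set(urls), []
    for line in proxy_log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        if fields.get("url") in wanted:
            hits.append({"user": fields.get("user"), "host": fields.get("src"), "url": fields["url"]})
    return hits


def triage(raw=RAW_EMAIL, proxy_log=PROXY_LOG):
    """Run the playbook and return the evidence bundle plus recommended actions."""
    ind, reasons = extract_indicators(raw), []
    if ind["reply_to_domain"] and ind["reply_to_domain"] != ind["sender_domain"]:
        reasons.append("Reply-To domain differs from From domain")
    bad_domains = [d for d in ind["url_domains"] if d and d not in TRUSTED_DOMAINS]
    if bad_domains:
        reasons.append("links to untrusted domains: " + ", ".join(bad_domains))
    if any(a["name"].lower().endswith(RISKY_EXTENSIONS) for a in ind["attachments"]):
        reasons.append("executable attachment")
    clicks = find_clicks(proxy_log, ind["urls"])
    verdict = "malicious" if len(reasons) >= 2 else "suspicious" if reasons else "benign"

    actions = []
    if verdict != "benign":
        actions.append("quarantine_message")  # low-risk, always safe to automate
        actions += [f"block_domain:{d}" for d in bad_domains]
    if verdict == "malicious" and clicks:
        # Disruptive containment only with a strong verdict AND proof the user got there.
        for c in clicks:
            actions += [f"isolate_host:{c['host']}", f"disable_credentials:{c['user']}"]
    elif verdict != "benign":
        actions.append("escalate_to_analyst")
    return {"verdict": verdict, "reasons": reasons, "indicators": ind,
            "clicks": clicks, "actions": list(dict.fromkeys(actions))}
```

            Running `triage()` on the sample yields a "malicious" verdict with three reasons and, because the proxy log
            shows alice's host fetching the link, recommends isolating 10.10.5.23 and disabling alice's credentials; the
            same message with no matching proxy hit would only be quarantined, have its domain blocked, and be escalated.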

            Key to the successful automation of investigation and response workflows is ensuring all the evidence
            needed for a successful investigation is being captured and can be accessed by your SOAR solution.
            Investigations often fall short because critical evidence was simply never collected in the first place. Logs,
            flow  data  (NetFlow),  and  packet  capture  data  must  be  available  in  addition  to  endpoint  data  and
            monitoring tool alerts.

            Packet capture data can be particularly crucial in determining exactly what happened on the network and
            is an often-overlooked source of evidence. One of the first questions asked in any investigation is typically
            “what was this device talking to?”. Flow data answers the who-talked-to-whom part cheaply; a packet-level
            record of historical traffic also shows what was transmitted. The ability to quickly access and analyze such
            a record, showing exactly which devices were talking to each other and what passed between them, can be an
            absolute game-changer for security analysts.
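            As an added example (not from the article), here is that first question answered from a packet-level
            record: a tiny pcap is constructed in memory, then parsed with the Python standard library only, and
            `peers_of` summarises every peer a given host exchanged packets with, the bytes in each direction, the time
            window and the first payload bytes seen. The hosts, ports and payloads are hypothetical; the parser assumes
            a classic microsecond-resolution pcap with Ethernet frames and IPv4 TCP/UDP, which is the common case but
            not the only one (pcapng and nanosecond captures are not handled).

```python
"""Answer "what was this device talking to?" from a pcap, stdlib only.
Added example with a constructed capture; not code from the article."""
import socket
import struct

TCP, UDP = 6, 17


def build_frame(src, sport, dst, dport, payload, proto=TCP):
    """Construct an Ethernet/IPv4/{TCP,UDP} frame (checksums left at zero; test data only)."""
    if proto == TCP:  # seq 1, ack 1, data offset 5 words, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip


def build_pcap(records):
    """records: iterable of (timestamp, frame). Emits a little-endian pcap, linktype 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


# Constructed capture: 10.0.0.5 talks TLS to a web host, then sends "whoami" to
# port 4444 on an unknown host; 10.0.0.8 makes one DNS query (hypothetical data).
SAMPLE_PCAP = build_pcap([
    (1680000000.000, build_frame("10.0.0.5", 51000, "203.0.113.7", 443, b"\x16\x03\x01")),
    (1680000000.120, build_frame("203.0.113.7", 443, "10.0.0.5", 51000, b"\x16\x03\x03")),
    (1680000000.500, build_frame("10.0.0.5", 51001, "198.51.100.9", 4444, b"whoami\n")),
    (1680000001.000, build_frame("10.0.0.8", 40000, "10.0.0.1", 53, b"\x12\x34\x01\x00", UDP)),
])


def iter_records(pcap):
    """Yield (timestamp, frame_bytes) for each record of a microsecond pcap."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # 0xD4C3B2A1 means big-endian file
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield sec + usec / 1e6, pcap[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Return (src, sport, dst, dport, proto, payload), or None if not IPv4 TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    end = 14 + struct.unpack_from("!H", frame, 16)[0]  # end of IP total length
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto == TCP:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        data_off = (frame[l4 + 12] >> 4) * 4
        return src, sport, dst, dport, "tcp", frame[l4 + data_off:end]
    if proto == UDP:
        sport, dport, ulen = struct.unpack_from("!HHH", frame, l4)
        return src, sport, dst, dport, "udp", frame[l4 + 8:l4 + ulen]
    return None


def peers_of(pcap, host):
    """Summarise every peer `host` exchanged packets with, keyed by (peer_ip, proto, peer_port)."""
    report = {}
    for ts, frame in iter_records(pcap):
        pkt = decode_frame(frame)
        if pkt is None:
            continue
        src, sport, dst, dport, proto, payload = pkt
        if host not in (src, dst):
            continue
        outbound = src == host
        key = (dst, proto, dport) if outbound else (src, proto, sport)
        e = report.setdefault(key, {"packets": 0, "bytes_sent": 0, "bytes_received": 0,
                                    "first_seen": ts, "last_seen": ts, "payload_sample": b""})
        e["packets"] += 1
        e["bytes_sent" if outbound else "bytes_received"] += len(payload)
        e["first_seen"], e["last_seen"] = min(e["first_seen"], ts), max(e["last_seen"], ts)
        if not e["payload_sample"] and payload:
            e["payload_sample"] = payload[:32]  # first bytes often identify the protocol
    return report


if __name__ == "__main__":
    for key, e in sorted(peers_of(SAMPLE_PCAP, "10.0.0.5").items()):
        print(key, e["packets"], "pkts", e["bytes_sent"], "out", e["bytes_received"], "in", e["payload_sample"])
```

            For 10.0.0.5 the report shows the expected TLS exchange with 203.0.113.7:443 and a one-way connection to
            198.51.100.9:4444 whose first bytes are "whoami", which is exactly the detail flow data alone would not give.
            On a real capture, pass the file's bytes to `peers_of` instead of `SAMPLE_PCAP`.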



            Issue Two: Protecting the crown jewels.

            Obviously, it’s important to protect the organization’s most valuable assets above all else. But often the
            focus  is  on  improving  overall  security  posture  and  dealing  with  issues  like  alert  fatigue.  It’s  easy  to
            overlook how to best protect the crown jewels.



