Page 20 - Cyber Defense eMagazine April 2023
Accurately prioritizing alerts lets teams focus on the most important threats first. For this reason,
streamlining the triage process is key. With the right evidence at their fingertips, analysts can prioritize
and process alerts faster and more accurately. Automation can help with this too – for example,
prioritizing those alerts that potentially threaten important resources, or target known vulnerabilities.
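The kind of automated prioritization described above can be sketched in a few lines. The following is an added example, not code from the article or any vendor it describes; the asset inventory, the list of known-vulnerable services and the alerts are all constructed for illustration, and the weighting (detector severity multiplied by asset criticality, plus a bonus for a known-vulnerable target) is an assumed scheme rather than anything the page specifies.

```python
"""Alert triage scoring: detector severity weighted by asset importance and
known vulnerabilities. Example code, with constructed inventory and alerts."""
from dataclasses import dataclass

# Constructed asset inventory: criticality 1 (low) .. 5 (crown jewel).
ASSET_CRITICALITY = {
    "db-prod-01": 5,
    "web-prod-02": 4,
    "dev-box-17": 1,
}

# Constructed (asset, service) pairs with known unpatched vulnerabilities,
# the kind of list a vulnerability scanner export would provide.
KNOWN_VULNERABLE = {("web-prod-02", "http"), ("db-prod-01", "mysql")}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    dst_asset: str
    dst_service: str
    severity: int  # detector-supplied, 1 (info) .. 5 (critical)


def priority_score(alert, inventory=ASSET_CRITICALITY, vulnerable=KNOWN_VULNERABLE):
    """Combine detector severity, asset criticality and known-vulnerability match.

    An asset missing from the inventory is scored as medium criticality (2)
    rather than ignored, so unknown hosts are not silently deprioritized.
    """
    criticality = inventory.get(alert.dst_asset, 2)
    score = alert.severity * criticality
    if (alert.dst_asset, alert.dst_service) in vulnerable:
        score += 10  # alert targets a known-vulnerable service: bump it up
    return score


def triage(alerts):
    """Return (score, alert) pairs, highest priority first; ties by alert id."""
    scored = [(priority_score(a), a) for a in alerts]
    return sorted(scored, key=lambda pair: (-pair[0], pair[1].alert_id))


# Constructed sample alerts. Note that by raw detector severity alone A1
# (a scan against a dev box) would sit at the top of the queue.
SAMPLE_ALERTS = [
    Alert("A1", "dev-box-17", "ssh", severity=5),
    Alert("A2", "web-prod-02", "http", severity=2),
    Alert("A3", "db-prod-01", "mysql", severity=3),
    Alert("A4", "unknown-host", "smb", severity=4),
]


def triage_sample():
    """Alert ids from the sample set in the order an analyst should work them."""
    return [alert.alert_id for _, alert in triage(SAMPLE_ALERTS)]


if __name__ == "__main__":
    for score, alert in triage(SAMPLE_ALERTS):
        print(f"{alert.alert_id} score={score:3d} {alert.dst_asset}:{alert.dst_service}")
```

Run as a script it prints the queue with A3 (critical database, known-vulnerable service) first and A1 (high severity, but a low-value dev host) last, which is the reordering the paragraph argues for: context about the target, not just the detector's own severity, decides what an analyst looks at first.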
While improving detection is important, it’s also critical to ensure that when detection fails (and inevitably
it will) your security teams can go back in time to investigate historical activity – quickly and accurately.
Understandably, the focus of security teams is often on preventing and detecting real-time attacks. But the unfortunate outcome of this “real-time focus” is that putting in place the prerequisites necessary to accurately reconstruct historical attacks becomes an afterthought. By the time more serious attacks – often not detected immediately – become apparent, the evidence of what happened in the initial stages of the attack often can no longer be found. Either the evidence was deleted by the attacker, or it was never collected in the first place.
The only solution to this issue is to make sure that reliable evidence is continuously collected and carefully protected. Network flow data and packet capture data are extremely valuable sources of reliable evidence because they are difficult for attackers to manipulate, delete, or evade. Indeed, the fact that this data is being collected is typically invisible to the attacker.
By recording a complete history of what happens on the network – including all the rich, forensic evidence that full packet capture provides – analysts have the evidence they need to accurately reconstruct attacks, even when the initial phase of the attack may have happened a week or a month ago. Let’s face it, almost all incident investigation is looking at historical events that have already happened – so it’s important to have the evidence you need to be able to understand exactly what took place.
Access to reliable evidence lets analysts rapidly join the dots between what different monitoring tools
may be showing them and quickly identify the root cause and scope of threats. The quicker you can see
the connected phases of an attack early on, the better your chance of stopping that attack earlier in the
kill chain and reducing the impact.
Issue Four: Getting better ROI from your existing investment in security tools and preparing for an uncertain future.
The security vendor landscape is daunting. There are hundreds, if not thousands, of solutions vying for your budget, all promising to remedy the shortcomings of the tools you’ve already spent money on. Tempting as it might be to simplify things by looking for all-in-one solutions from a single vendor, this is often not a feasible or sensible option; there is truth to the saying “Jack of all trades, master of none”. For one thing, you have existing investments in tools you have already deployed. For another, it’s impossible for all-in-one solutions to provide the best option across all the areas of security that you need to cover. Even if you managed to find a miracle solution, the cybersecurity landscape changes so quickly that what might be fit-for-purpose now will likely be obsolete in a year or two.
So, what’s the alternative?