New SOC Approach: Automated Incident Response


Flood of Alerts Hits SOCs

Cyber-attacks are on the rise and growing more complex every day. The COVID-19 pandemic and the shift to remote work have brought security analysts new challenges in monitoring, detecting and responding to cyber-attacks, and the current incident response approach falls short.

Security Operations Centers (SOCs) are overloaded with a constantly increasing volume of alerts. “The Impact of Security Alert Overload” report found that most security professionals have to investigate more than ten alerts per day, and that each alert takes over ten minutes to look into. SOC teams, whose main task is to analyze genuine alerts in depth, spend most of their time managing alerts, almost half of which are false positives. To deal with the overwhelming number of alerts, enterprises hire more analysts, direct existing analysts to ignore certain types of alerts, or even turn off the noisy security products that generate too many of them. Each of these responses leaves the enterprise more exposed to security risks and threats. Despite professionals’ efforts, research indicates that upwards of 39% of real threats slip past them undetected.

Human Factor

The weakest link in the cyber security chain is the human factor. The majority of digital attacks are attempts to exploit it, often through very creative means, and almost 90% of data breaches are attributed in some way to human error. The professionals who work in SOCs are no exception: dealing with large numbers of alerts manually makes analysts susceptible to errors.

A SOC team’s main task is to examine the meaningful alerts that are worth further investigation. In practice, analysts spend their time managing and detecting alerts rather than examining the real ones in depth. While SOCs are drowning in alerts, depending on manpower alone is not a reasonable way forward.

Technology and Automation

It is now clear that a purely human-based SOC approach is insufficient; a technology-based approach is needed. Technology is an important element that can reduce a SOC’s response time, and automation can help organizations overcome these challenges and decrease the time it takes to contain an incident. Automating cybersecurity tasks benefits enterprises in several ways. By taking over tedious and repetitive work, automation handles the time-consuming tasks that keep security professionals busy and reduces the opportunity for human error. It also helps enterprises save money: IBM found that companies that fully deploy security automation have an average breach cost of $2.88 million, whereas companies without automation face an estimated cost of $4.43 million.

Technology is a clear differentiator that helps organizations become more cyber resilient. But owning many tools and spending heavily on technology does not mean better cyber security. According to IBM’s study, more tools can lead to worse response capabilities: organizations using 50 or more security tools ranked themselves 8% lower in their ability to detect, and 7% lower in their ability to respond to an attack, than respondents with fewer tools. By contrast, open, interoperable platforms and automation technologies can reduce complexity and improve response capabilities.

Automating Incident Response

We should not make the technologically deterministic mistake of relying only on technology and automation. Technology alone cannot solve every problem; its role is to mitigate the human-based risk in cyber security. Integrating automation tools into the security process does not mean taking humans out of the system. On the contrary, by filtering out noise and preventing alert fatigue it lets security professionals do the work that genuinely requires human expertise. Enterprise forensics solutions help organizations restructure their SOCs to address the noise and fatigue problems. Gartner predicts that, to cope with the increasing complexity and impact of cybersecurity attacks and the growing complexity of the security tools generating alerts, 50% of all SOCs will transform into modern SOCs with new capabilities, including incident response, by 2022.

One of these capabilities is collecting forensic data from endpoints remotely and automatically using enterprise forensics tools. Detecting anomalies and collecting the corresponding data automatically eliminates much of the noise, reduces the time analysts spend managing alerts, and lets them work more effectively.
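As an added illustration of the triage-and-collect loop described above (example code written for this article, not any product’s own code), the following Python script processes a constructed batch of alerts: it suppresses a known-benign (rule, user) pair that an analyst has already reviewed, folds repeated alerts for the same host and rule within a ten-minute window into one, correlates what remains into per-host cases, and for any case whose score crosses a threshold emits a forensic collection task listing the artifacts a remote collector should pull from that endpoint. The rule names, hosts, users, suppression list, artifact mapping and scoring thresholds are all assumptions chosen for the example, and the alerts are constructed rather than real telemetry.

```python
"""Automated alert triage: suppress, deduplicate, correlate, then order evidence collection.
Added example; rule names, hosts, thresholds and the artifact map are assumptions."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta

@dataclass
class Alert:
    ts: datetime
    host: str
    rule: str
    severity: int      # 1 low .. 4 critical
    user: str = ""
    count: int = 1     # raised as duplicates are folded into this alert

@dataclass
class Case:
    host: str
    opened: datetime
    alerts: list = field(default_factory=list)

    @property
    def rules(self):
        return {a.rule for a in self.alerts}

    @property
    def score(self):
        # highest severity on the host plus one point per additional distinct technique
        return max(a.severity for a in self.alerts) + len(self.rules) - 1

@dataclass
class CollectionTask:
    host: str
    artifacts: list
    reason: str

# Known-benign (rule, user) pairs already reviewed by an analyst; tuned per environment.
SUPPRESSIONS = {("scheduled_task_created", "svc-backup"): "backup agent registers its tasks nightly"}

# Artifacts the remote collector should pull for each rule (assumed mapping).
ARTIFACTS = {
    "suspicious_powershell": ["process_tree", "powershell_operational_log"],
    "lsass_access": ["process_tree", "security_event_log", "memory_image"],
    "outbound_to_rare_domain": ["network_connections", "dns_cache"],
}

def triage(alerts, dedup_window=timedelta(minutes=10),
           case_window=timedelta(minutes=30), escalate_at=5):
    """Return (suppressed, cases, collection_tasks) for a batch of alerts."""
    suppressed, deduped, last = [], [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        if (a.rule, a.user) in SUPPRESSIONS:            # 1. known false positive
            suppressed.append(a)
            continue
        prev = last.get((a.host, a.rule))                # 2. fold repeats within the window
        if prev is not None and a.ts - prev.ts <= dedup_window:
            prev.count += 1
            continue
        a = replace(a, count=1)                          # copy so the input is left untouched
        last[(a.host, a.rule)] = a
        deduped.append(a)

    cases, open_case = [], {}                            # 3. correlate per host into cases
    for a in deduped:
        c = open_case.get(a.host)
        if c is None or a.ts - c.opened > case_window:
            c = Case(a.host, a.ts)
            cases.append(c)
            open_case[a.host] = c
        c.alerts.append(a)

    tasks = []                                           # 4. escalate: order collection
    for c in cases:
        if c.score < escalate_at:
            continue
        artifacts = []
        for a in c.alerts:
            for art in ARTIFACTS.get(a.rule, ["process_tree"]):
                if art not in artifacts:
                    artifacts.append(art)
        tasks.append(CollectionTask(c.host, artifacts, f"score {c.score}: {', '.join(sorted(c.rules))}"))
    return suppressed, cases, tasks

T0 = datetime(2021, 3, 1, 9, 0)
SAMPLE_ALERTS = [  # constructed for the example, not real telemetry
    Alert(T0, "ws-042", "suspicious_powershell", 3, "jdoe"),
    Alert(T0 + timedelta(minutes=1), "ws-042", "suspicious_powershell", 3, "jdoe"),
    Alert(T0 + timedelta(minutes=2), "ws-042", "suspicious_powershell", 3, "jdoe"),
    Alert(T0 + timedelta(minutes=4), "ws-042", "lsass_access", 4, "jdoe"),
    Alert(T0 + timedelta(minutes=5), "ws-042", "outbound_to_rare_domain", 2, "jdoe"),
    Alert(T0 + timedelta(minutes=7), "srv-bak1", "scheduled_task_created", 2, "svc-backup"),
    Alert(T0 + timedelta(minutes=8), "ws-017", "outbound_to_rare_domain", 2, "asmith"),
    Alert(T0 + timedelta(hours=2), "ws-042", "suspicious_powershell", 3, "jdoe"),
]

if __name__ == "__main__":
    for t in triage(SAMPLE_ALERTS)[2]:
        print(f"collect from {t.host}: {', '.join(t.artifacts)}  ({t.reason})")
```

Run stand-alone, the script reduces eight raw alerts to three cases and a single collection task for ws-042, whose three distinct techniques in five minutes push its score to 6; the lone rare-domain alert on ws-017 and the isolated PowerShell alert two hours later stay in the analyst queue unescalated, and the backup server’s scheduled-task alert is suppressed outright. The design point is that the suppression list and the artifact map are where analyst judgement is encoded: they turn a recurring false positive into a one-time review, and they mean the evidence is already being collected while the analyst is still reading the case.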