The Importance of Workflow Integration for Effective Incident Response

Mass Technology Leadership Council – Thomas Mulligan
Current Problems with Incident Response Processes

The following three statistics alone paint a sobering picture of the current state of incident response:

1. The average time to contain a data breach is 80 days.
2. A 2021 report on incident response found that up to 54 percent of security teams waste valuable time investigating low-level alerts, which slows down the incident response process.
3. Enterprises deploy an average of 45 cybersecurity tools on their networks, which makes it harder for the technology stack to work together and hampers the ability to detect and contain cybersecurity incidents.

The Solution for Better Incident Response

Integrated Automation

A crucial point here is to concentrate automation efforts on the hand-offs between different systems, so that the technology stack works as a cohesive unit rather than as the isolated islands that often create bottlenecks in the response process. In practice this means automation should run end to end: from the intrusion or endpoint detection layer, through the SIEM, and on into the ticketing system. Seeking out API-driven solutions that integrate easily with one another provides the level of automation required across the incident response workflow.

Structured Workflows

Formalized, structured, and repeatable incident response workflows are crucial for letting security teams respond rather than getting bogged down in triaging alerts. Workflows built around a series of tasks that incorporate automation can consolidate and convert multiple findings from different security tools into actionable items. Here is a brief example of an automated and integrated incident response workflow in response to a malware outbreak:

1. The detection solution triggers a malware alert and forwards it to the SIEM system, which applies pre-defined thresholds that indicate a malware outbreak rather than an isolated detection.
2. An incident ticket is automatically created for the SOC team.
3. The ticket is automatically updated with contextual information about the malware outbreak (affected hosts, owners, threat context) so that security analysts can investigate more swiftly.
4. When the individual responsible for the incident decides on the action to take, the ticket is resolved, and the loop is closed by automatically updating the original alerts in the detection solution.
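The end-to-end workflow described above, and the API-driven integration between detection tool, SIEM and ticketing system that the Integrated Automation section calls for, can be sketched as a small playbook. The following is an added example, not code from MassTLC or from any vendor. Every host name, user, hash, timestamp, the CMDB and threat-intel tables, the outbreak threshold (same hash on at least 3 distinct hosts within 10 minutes) and the three in-memory "systems" are constructed stand-ins for the real detection, SIEM and ticketing APIs; the class and function names are the author's own.

```python
"""Toy end-to-end incident workflow (added illustration, not MassTLC's code):
detection alerts -> SIEM outbreak rule -> ticket -> enrichment -> resolve -> close loop.
All data below is constructed; DetectionSystem/TicketSystem stand in for real APIs.
"""
from datetime import datetime, timedelta

OUTBREAK_HOSTS = 3                        # same hash on >= 3 distinct hosts ...
OUTBREAK_WINDOW = timedelta(minutes=10)   # ... within 10 minutes => outbreak (assumed rule)

# Constructed raw alerts, as an endpoint detection tool might forward them to the SIEM.
SAMPLE_ALERTS = [
    {"id": "a1", "host": "ws-017",  "sha256": "ab" * 32, "user": "jdoe",       "ts": "2024-03-01T09:00:05"},
    {"id": "a2", "host": "ws-017",  "sha256": "ab" * 32, "user": "jdoe",       "ts": "2024-03-01T09:00:40"},
    {"id": "a3", "host": "ws-042",  "sha256": "ab" * 32, "user": "asmith",     "ts": "2024-03-01T09:01:10"},
    {"id": "a4", "host": "srv-db1", "sha256": "cd" * 32, "user": "svc-backup", "ts": "2024-03-01T09:02:00"},
    {"id": "a5", "host": "ws-088",  "sha256": "ab" * 32, "user": "mlee",       "ts": "2024-03-01T09:04:30"},
    {"id": "a6", "host": "ws-099",  "sha256": "ab" * 32, "user": "tng",        "ts": "2024-03-01T09:30:00"},
]
# Constructed context sources the SIEM/SOAR layer joins against during enrichment.
CMDB = {"ws-017": ("jdoe", "low"), "ws-042": ("asmith", "low"), "ws-088": ("mlee", "low"),
        "ws-099": ("tng", "low"), "srv-db1": ("dba-team", "high")}
INTEL = {"ab" * 32: "constructed-family-A"}


class DetectionSystem:
    """Stand-in for the detection tool's alert API (hypothetical)."""
    def __init__(self, raw_alerts):
        self.alerts = {a["id"]: {**a, "status": "open", "ticket": None} for a in raw_alerts}

    def close(self, alert_id, ticket_id, disposition):
        self.alerts[alert_id].update(status="closed", ticket=ticket_id, disposition=disposition)


class TicketSystem:
    """Stand-in for the ticketing API (hypothetical)."""
    def __init__(self):
        self.tickets = {}

    def create(self, title, alert_ids):
        tid = f"INC-{len(self.tickets) + 1:04d}"
        self.tickets[tid] = {"title": title, "alerts": list(alert_ids), "status": "open", "context": {}}
        return tid

    def attach(self, tid, alert_id):
        self.tickets[tid]["alerts"].append(alert_id)

    def update(self, tid, context):
        self.tickets[tid]["context"].update(context)

    def resolve(self, tid, action):
        self.tickets[tid].update(status="resolved", action=action)


def correlate(alerts, tickets):
    """SIEM rule: open a ticket only when the outbreak threshold is crossed.
    Later alerts for a hash that already has an open ticket are attached to it,
    so analysts see one incident instead of a stream of duplicate tickets.
    Returns {sha256: ticket_id} for the tickets opened."""
    open_for_hash = {}
    recent = {}  # sha256 -> [(ts, host, alert_id)] seen inside the sliding window
    for a in sorted(alerts, key=lambda x: datetime.fromisoformat(x["ts"])):
        ts, h = datetime.fromisoformat(a["ts"]), a["sha256"]
        if h in open_for_hash:
            tickets.attach(open_for_hash[h], a["id"])
            continue
        window = [e for e in recent.get(h, []) if ts - e[0] <= OUTBREAK_WINDOW]
        window.append((ts, a["host"], a["id"]))
        recent[h] = window
        if len({e[1] for e in window}) >= OUTBREAK_HOSTS:
            open_for_hash[h] = tickets.create(f"Malware outbreak: {h[:12]}...", [e[2] for e in window])
    return open_for_hash


def enrich(tickets, detection):
    """Auto-populate each ticket with affected hosts, owners, criticality and intel context."""
    for tid, t in tickets.tickets.items():
        hosts = sorted({detection.alerts[i]["host"] for i in t["alerts"]})
        hashes = sorted({detection.alerts[i]["sha256"] for i in t["alerts"]})
        tickets.update(tid, {
            "hosts": hosts,
            "owners": sorted({CMDB.get(h, ("unknown", "unknown"))[0] for h in hosts}),
            "criticality": sorted({CMDB.get(h, ("unknown", "unknown"))[1] for h in hosts}),
            "intel": [INTEL.get(x, "unknown") for x in hashes],
        })


def close_loop(tickets, detection, tid, action):
    """Analyst decision resolves the ticket; every originating alert is closed back in the detection tool."""
    tickets.resolve(tid, action)
    for aid in tickets.tickets[tid]["alerts"]:
        detection.close(aid, tid, action)


def run_workflow(raw_alerts, analyst_action="isolate-hosts-and-reimage"):
    """Run the whole playbook; the analyst's decision is passed in as a parameter."""
    detection, tickets = DetectionSystem(raw_alerts), TicketSystem()
    opened = correlate(detection.alerts.values(), tickets)
    enrich(tickets, detection)
    for tid in opened.values():
        close_loop(tickets, detection, tid, analyst_action)
    return detection, tickets


if __name__ == "__main__":
    det, tk = run_workflow(SAMPLE_ALERTS)
    for tid, t in tk.tickets.items():
        print(tid, t["status"], t["alerts"], t["context"])
    print("still open in detection tool:", [i for i, a in det.alerts.items() if a["status"] == "open"])
```

With the sample data, the four `ab…` alerts on ws-017, ws-042 and ws-088 cross the threshold at 09:04:30 and open one ticket; the later ws-099 alert attaches to that ticket rather than opening a second one; the single `cd…` detection on srv-db1 never reaches the threshold and stays an open alert in the detection tool, so no analyst time is spent on a ticket for it. Resolving the ticket closes a1, a2, a3, a5 and a6 in the detection tool with the ticket ID and disposition, which is the loop closure the fourth step describes.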
Link: https://www.masstlc.org/the-importance-of-workflow-integration-for-effective-incident-response/

