Of all the security operations center efficacy metrics, arguably none is more indicative than mean time to detect (MTTD) and respond (MTTR).
MTTD reflects the amount of time it takes your team to discover a potential security incident, while MTTR is the time it takes to control, remediate and/or eradicate a threat once it has been discovered.
This so-called “dwell time,” the window between when an attacker first enters your network and when they are removed, is where the damage is done. Not only are adversaries permitted unfettered movement, but they also can commit any number of damaging acts, including data theft, network and user reconnaissance, and additional malware infections.
As you would guess, the longer the gap in detection and remediation, the more money an incident will cost an organization. This “data breach lifecycle,” as IBM refers to dwell time, is unfortunately getting longer, climbing from 266 days in 2018 to 279 days in 2019, nearly a 5% jump. The good news is that companies are becoming more aware of the need to funnel security investments into detection and response and streamline their security operations (SecOps).
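To make the two metrics concrete, here is an added example (not part of the original article) that computes MTTD, MTTR and median dwell time from incident records. The records, field names and timestamps are constructed for illustration; a real SOC would pull them from its case-management system. It goes slightly beyond the text by also reporting the median, since a single long-running incident can drag the mean far from what a typical case looks like, and by refusing to average records whose timestamps are out of order.

```python
"""Compute MTTD / MTTR from incident records (constructed example data)."""
from datetime import datetime
from statistics import mean, median

# Constructed sample incident records for illustration, not data from the article.
# Timestamps are ISO-8601 UTC. remediated == None means the incident is still open.
INCIDENTS = [
    {"id": "INC-1", "first_activity": "2019-03-01T00:00:00",
     "detected": "2019-03-01T06:00:00", "remediated": "2019-03-01T18:00:00"},
    {"id": "INC-2", "first_activity": "2019-03-02T00:00:00",
     "detected": "2019-03-04T00:00:00", "remediated": "2019-03-05T00:00:00"},
    {"id": "INC-3", "first_activity": "2019-03-10T00:00:00",
     "detected": "2019-03-10T12:00:00", "remediated": None},
    # Malformed record: detection logged before first activity. It must be
    # rejected rather than silently pulling the mean toward zero.
    {"id": "INC-4", "first_activity": "2019-03-12T09:00:00",
     "detected": "2019-03-12T08:00:00", "remediated": "2019-03-12T10:00:00"},
]


def _hours_between(later: str, earlier: str) -> float:
    """Signed difference in hours; negative means the timestamps are out of order."""
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return delta.total_seconds() / 3600


def compute_soc_metrics(incidents):
    """Return MTTD, MTTR (hours), median dwell time, open count and rejected ids.

    MTTD = mean(detected - first_activity) over every well-formed incident.
    MTTR = mean(remediated - detected) over closed incidents only.
    Dwell = time-to-detect + time-to-respond, reported as a median.
    """
    detect_times, respond_times, dwell_times = [], [], []
    open_count, rejected = 0, []

    for inc in incidents:
        ttd = _hours_between(inc["detected"], inc["first_activity"])
        ttr = None
        if inc["remediated"] is not None:
            ttr = _hours_between(inc["remediated"], inc["detected"])

        # Reject anything with a negative interval instead of averaging garbage.
        if ttd < 0 or (ttr is not None and ttr < 0):
            rejected.append(inc["id"])
            continue

        detect_times.append(ttd)
        if ttr is None:
            open_count += 1          # counted for MTTD, not yet for MTTR
        else:
            respond_times.append(ttr)
            dwell_times.append(ttd + ttr)

    return {
        "mttd_hours": mean(detect_times) if detect_times else None,
        "mttr_hours": mean(respond_times) if respond_times else None,
        "median_dwell_hours": median(dwell_times) if dwell_times else None,
        "open_incidents": open_count,
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in compute_soc_metrics(INCIDENTS).items():
        print(f"{key}: {value}")
```

With the constructed records the function reports an MTTD of 22 hours across three incidents, an MTTR of 18 hours across the two closed ones, and a median dwell time of 45 hours; the open incident is counted for detection but not response, and the out-of-order record is listed under `rejected` so it can be corrected at the source.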
Reducing time from detection of initial exploitation to remediation is *the* best way to make security better. We can’t depend on being able to predict and prevent every vulnerability, but we can realistically detect when exploitation has occurred and respond before the attacker wins. https://t.co/j4m6V0Leor
— Dino A. Dai Zovi (@dinodaizovi) December 21, 2018
While adversaries are getting slicker all the time at flying under the radar, poor showings in detection and response typically underscore challenges in your SOC around alert handling, staffing and more.
During the recent Black Hat show in Las Vegas, we sat down with Wade Baker, co-founder of the Cyentia Institute and longtime spearheader of the seminal Verizon Data Breach Investigations Report. He told us that examining the gaps in detection and response that faced breached businesses was always the most fascinating part of preparing the report. Reducing these is critical to minimizing the harm a compromise can cause. It “essentially comes down to security operations,” he said.
Baker discussed what could be holding back SOCs from achieving faster incident resolutions, as well as the changing nature of SOC structures and how he has a “positive outlook” on technologies that bring automation and artificial intelligence to SecOps.
Earlier this summer, the Cyentia Institute prepared a major report for Siemplify. It contained many important findings, as well as recommendations for maturing one’s security operations.
SecOps resources are scarce.
Allocating them optimally requires fully understanding the goals and risks involved in each area of the business. Starting there will enable you to better identify and prioritize SecOps use case requirements.
Every journey needs a good map.
For SecOps programs, an accurate and current inventory of key people, processes, tools and assets provides this map. You’ll surely get lost along the road without them.
Balance structure and strategy.
The structure of SecOps programs differs among organizations, and this factor alone doesn’t dictate capability maturity. Choose a structure that fits your strategy and tailor it to suit.
Collaboration is king.
Yes, ‘context is king’ too, but the universal stress respondents placed on the interwoven challenges of people, process and technology demands more emphasis on ongoing collaboration at all levels of the organization.
Empower your people.
Everyone has trouble finding and retaining SecOps staff, but the skills gap involves more than just headcount. Use orchestration and automation to free up analyst time and energy for higher-order functions that actually move the needle.
Play by the book.
Use playbooks, organized by relevant use cases, to guide and streamline monitoring and response processes. Test them to work out the kinks so you’re ready when it’s time to play for real.
Expect to fail.
Your SIEM technology won’t identify every threat and SecOps programs must account for this. Avoid the “alert or it didn’t happen” fallacy by investing in proactive functions for detecting and analyzing threats.
SOAR to new heights.
Consider whether a SOAR solution should be part of your journey to SecOps maturity. These solutions take alerts from your SIEM, EDR or similar technologies via APIs and enrich them with a variety of data sources. Predefined playbooks then take automated or semi-automated actions to respond to alerts and prep them for analyst investigation. SOAR solutions are not intended to replace analysts or existing detection technologies. Instead, they act as a virtual analyst with the intent to improve capabilities and overall efficiency.
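The enrich-then-act flow described for playbooks and SOAR above, as an added example that is not Siemplify’s code or any product’s API: a SIEM alert is enriched from an asset inventory, a user directory and an IP reputation list (all constructed in-memory stand-ins for the API calls a real platform would make), scored, and then handed to a playbook that takes reversible actions automatically while queuing destructive ones for analyst approval. The alert fields, lookup tables and scoring thresholds are assumptions for illustration.

```python
"""Minimal SOAR-style playbook: enrich a SIEM alert, score it, act or queue for approval."""
from dataclasses import dataclass, field

# Constructed enrichment sources standing in for asset-inventory, directory and
# threat-intel API calls. Hostnames, users and TEST-NET addresses are invented.
ASSET_INVENTORY = {
    "wks-17": {"owner": "jdoe", "criticality": "low"},
    "db-prod-01": {"owner": "dba-team", "criticality": "high"},
}
PRIVILEGED_USERS = {"svc-backup", "admin.ops"}
IP_REPUTATION = {"203.0.113.45": "known-bad", "198.51.100.7": "clean"}

# Actions that may run without a human: reversible and low blast radius.
AUTO_OK = {"block_ip"}


@dataclass
class Case:
    alert: dict
    enrichment: dict = field(default_factory=dict)
    score: int = 0
    severity: str = "low"
    automated_actions: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def enrich(case: Case) -> Case:
    """Pull context for the host, user and source IP named in the alert."""
    a = case.alert
    case.enrichment["asset"] = ASSET_INVENTORY.get(a["host"], {"criticality": "unknown"})
    case.enrichment["privileged_user"] = a["user"] in PRIVILEGED_USERS
    case.enrichment["ip_reputation"] = IP_REPUTATION.get(a["src_ip"], "unknown")
    return case


def triage(case: Case) -> Case:
    """Simple additive scoring; thresholds are assumptions, tune per environment."""
    e = case.enrichment
    case.score += {"known-bad": 2, "unknown": 1}.get(e["ip_reputation"], 0)
    case.score += 2 if e["asset"]["criticality"] == "high" else 0
    case.score += 2 if e["privileged_user"] else 0
    case.severity = "high" if case.score >= 4 else "medium" if case.score >= 2 else "low"
    case.notes.append(f"severity={case.severity} score={case.score}")
    return case


def respond(case: Case) -> Case:
    """Propose actions; run only those on the AUTO_OK list, queue the rest."""
    a, e = case.alert, case.enrichment
    proposed = []
    if e["ip_reputation"] == "known-bad":
        proposed.append(("block_ip", a["src_ip"]))
    if e["privileged_user"]:
        proposed.append(("disable_account", a["user"]))
    if e["asset"]["criticality"] == "high":
        proposed.append(("isolate_host", a["host"]))
    for action, target in proposed:
        entry = f"{action}:{target}"
        (case.automated_actions if action in AUTO_OK else case.pending_approval).append(entry)
    case.notes.append("case ready for analyst review")
    return case


PLAYBOOK = [enrich, triage, respond]


def run_playbook(alert: dict) -> Case:
    case = Case(alert=dict(alert))
    for step in PLAYBOOK:
        case = step(case)
    return case


if __name__ == "__main__":
    sample = {"rule": "brute force then success", "user": "jdoe",
              "host": "wks-17", "src_ip": "203.0.113.45"}
    c = run_playbook(sample)
    print(c.severity, c.automated_actions, c.pending_approval, c.notes)
```

The split between `automated_actions` and `pending_approval` is the design point: blocking a known-bad IP is cheap to undo, so the playbook does it immediately, while disabling an account or isolating a production database host waits for an analyst, who receives the case already enriched and scored rather than a raw SIEM alert.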
Dan Kaplan is director of content and communications at Siemplify.