Three major security operations mistakes

In a recent webinar, Swimlane Founder and CEO Cody Cornell discussed four major causes of unsustainable security operations: an unprecedented volume of attacks, alert fatigue, antiquated response tools and lack of qualified cybersecurity staff. To deal with these challenges, organizations have tried implementing a number of different security methods—some of which work and some of which can actually do more harm than good.

In the webinar, titled “Automating Security Operations,” Cornell explored three mistakes organizations commonly make when trying to overcome these challenges. They are explained below.

1. Focusing on alert prioritization instead of working 100 percent of alerts

Many companies rely on a prioritization scheme to decide which alarms they should work and in what order. The problem with this approach is that, given the massive volume of alarms received, analysts can only handle so much manually, so a share of the alarms is never worked at all. Beyond being poor practice, leaving those events unattended in the network environment creates audit exposure and can have many unintended consequences for the organization.

As Cornell explained, by the time an organization finally gets to its low-priority alerts, it will have experienced an extremely long dwell time. In other words, the gap between when the suspicious network activity was detected and when someone actually responds to the alert will be far too long. This reduces the organization’s ability to contain the threat at the earliest possible stage.

“In order to support the number of alerts that we’re seeing and to increase the capacity of our teams to respond to alarms, we’re looking at ways to amplify, optimize and streamline the way that organizations are responding to all security events and activities,” Cornell said. Today, alert prioritization simply doesn’t cut it.
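To make the dwell-time argument concrete, here is a small added example (not Swimlane’s code and not from the webinar) that simulates strict-priority triage day by day with a fixed analyst budget. The scenario numbers are constructed: 1,000 alerts a day split across three priorities, two analysts, and two minutes of hands-on work per alert, which is the rate that the “10,000 events equals 333 hours” figure later in this post implies. A second run keeps the same team but assumes automation cuts hands-on time to 15 seconds per alert.

```python
"""Toy day-by-day simulation of strict-priority alert triage with a fixed analyst budget.

Added example for this post, not Swimlane's code. All numbers are constructed;
2 minutes per alert is the rate implied by "10,000 events = 333 hours".
"""
from collections import deque


def simulate(days, arrivals_per_day, minutes_per_alert, analyst_minutes_per_day):
    """Run the queue for `days` days and return per-priority statistics.

    arrivals_per_day: {priority: alerts arriving each day}; 1 is the highest priority.
    Each day the team first works the highest-priority queue (oldest alert first)
    and only moves down when that queue is empty. Unused capacity is not banked.
    Returns {priority: {"handled", "backlog", "total_dwell", "max_dwell"}}, where
    dwell is measured in whole days between arrival and response.
    """
    queues = {p: deque() for p in arrivals_per_day}
    stats = {p: {"handled": 0, "backlog": 0, "total_dwell": 0, "max_dwell": 0}
             for p in arrivals_per_day}
    daily_capacity = int(analyst_minutes_per_day // minutes_per_alert)

    for day in range(days):
        # New alerts land in their priority queue tagged with the arrival day.
        for p, count in arrivals_per_day.items():
            queues[p].extend([day] * count)

        remaining = daily_capacity
        for p in sorted(queues):               # strict priority order
            q = queues[p]
            while remaining and q:
                arrived = q.popleft()
                dwell = day - arrived
                s = stats[p]
                s["handled"] += 1
                s["total_dwell"] += dwell
                s["max_dwell"] = max(s["max_dwell"], dwell)
                remaining -= 1

    for p, q in queues.items():
        stats[p]["backlog"] = len(q)           # alerts never worked at all
    return stats


def mean_dwell(s):
    """Average days an answered alert waited; 0.0 if nothing was handled."""
    return s["total_dwell"] / s["handled"] if s["handled"] else 0.0


# Constructed scenario: 1,000 alerts/day, two analysts (2 x 480 min), 2 min per alert.
ARRIVALS = {1: 50, 2: 200, 3: 750}
MANUAL = simulate(30, ARRIVALS, minutes_per_alert=2, analyst_minutes_per_day=960)
# Same team, but playbook automation cuts hands-on time per alert to 15 seconds.
AUTOMATED = simulate(30, ARRIVALS, minutes_per_alert=0.25, analyst_minutes_per_day=960)

if __name__ == "__main__":
    for name, result in (("manual", MANUAL), ("automated", AUTOMATED)):
        print(name)
        for p, s in result.items():
            print(f"  P{p}: handled={s['handled']:5d} backlog={s['backlog']:5d} "
                  f"mean_dwell={mean_dwell(s):5.1f}d max_dwell={s['max_dwell']}d")
```

In the manual run, priority 1 and 2 alerts are answered the day they arrive, but the priority 3 queue grows by 520 alerts a day: after 30 days, 15,600 of them have never been touched, the ones that were worked waited about 10 days on average, and the oldest waited three weeks. In the automated run every priority is cleared the same day. The model is deliberately crude (one response per alert, whole-day granularity, no variation in effort), but it shows that prioritization alone only chooses which alerts accumulate the dwell time; it does not remove it.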

2. Ignoring half of the security operations lifecycle — incident response

Organizations today use a number of modern-day detection technologies to surface security alarms, activities and tasks—from user behavior analytics to security information and event management (SIEM), endpoint detection and response (EDR), and threat intelligence tools.

Many organizations have invested heavily in such detection tools over the last couple of decades. A shift is now under way, however, as organizations realize that it is the back end of the lifecycle—incident response—that needs to mature. For organizations that ignore, or fail to recognize, the need for mature back-end security operations, the consequences will likely be heavy.

3. Relying on antiquated and/or manual response tools

It’s not uncommon to see organizations still using outdated response tools, such as Notepad documents, spreadsheets or old ticketing systems, to resolve threats. Some organizations still run command-line actions by hand for every alert.

These tools and mechanisms remain in place simply because they are what the front-line staff has been conditioned to know and use. Research shows that organizations deal with upwards of 10,000 security events per day on average, which, at roughly two minutes per event, equates to an impossible 333 hours of work per day. It’s clear that manual and archaic processes are unrealistic and will do more harm than good.

At the same time, the number of people able to handle security alerts and tasks as they need to be handled is small, and hiring such trained individuals is expensive. This is clearly a massive struggle for organizations today.

Do you want to learn more about security operations best practices or an effective alternative to these potentially dangerous methods? Access Swimlane’s recent webinar “Automating Security Operations.”
