Information security veterans have seen threat detection come a long way over the past two decades. After all, it was not that long ago that cybersecurity professionals had to painstakingly review and audit voluminous logs looking for anomalies. But in the late 1990s and early 2000s, as networks increasingly became the backbone of businesses, this manual process became untenable, giving rise to prevention and detection solutions that automated log review.
Over time those solutions have been refined and updated to the point where they perform remarkably well. Still, large-scale data breaches and high-profile hacks continue to make news and damage organizations. In fact, Inga Beale, CEO for Lloyd’s of London, recently estimated that cyberattacks cost businesses as much as $400 billion annually.
One of the primary reasons these challenges persist is that threat response has traditionally lagged far behind detection; we have focused heavily on one half of the cybersecurity lifecycle while largely ignoring the other half. Information security staffers are still stuck in a manual mode when responding to alerts, spending significant time on administrative tasks such as gathering evidence from multiple tools, copying and pasting information into tickets, and generating reports.
As the number of alerts IT security professionals receive daily continues to grow, resolving them manually becomes less and less feasible. That is extremely problematic, however, because ignoring just one alert can result in a catastrophic breach. Large organizations are already dealing with tens of thousands of alerts daily—many of which occur in microseconds—so simply staffing up is not a viable long-term solution. As Dr. Arati Prabhakar, director of the Defense Advanced Research Projects Agency (DARPA) stated in a recent address, “…today all we can do is…keep throwing human beings at the problem.”
For enterprises, breaking away from the manual model for response—the same way they did years ago with detection—is becoming a necessity. Automated incident response capability that resolves high-volume, low-complexity tasks without human intervention will facilitate increased efficiency and allow security experts to spend more time on more complicated, mission-critical tasks.
To better protect themselves from future threats, companies must do more than adopt new solutions—they must shift their thinking about cybersecurity to recognize that detection is just a piece of a larger puzzle and that incident response requires more resources and attention.