Improve Response in the Threat Detection-Response Equation
Operationalizing data at the same scale it’s collected is vital, yet 55% of organizations surveyed by analyst firm Enterprise Strategy Group (ESG) said they don’t have the skills or the time to create automations or playbooks to manage all threat data at machine speed.
Jon Oltsik, Senior Principal Analyst and Fellow at ESG, and Marco Garcia, Field CTO at Torq, will explore the landscape of EDR and XDR systems and show how teams can approach the challenges of operationalizing the threat data they provide with different approaches to automation.
ESG survey data takeaways:
- 80% of those surveyed use more than ten sources and would gladly add more
- Tools like XDR platforms help improve these datasets
- More than half of organizations use some form of it to supplement existing tools and bolster investigations
Read the full survey in the SOC Modernization and the Role of XDR eBook.
Webinar Q&A:
On slide three, you showed the distribution of sources, with some organizations having as many as 25. How realistic is it to fully utilize that many sources in normal analysis?
- Jon: It is very realistic, but it is not easy. If I am an analyst, I need to understand a lot of different data points as I do investigations, and therefore I am going to need these different data sources. But there is an assumption there that the data is there, in a format I can use, at a time I can use it, so really that is the challenge. Marco, what do you think?
- Marco: Absolutely. We do see organizations with between 21 and 25 sources, and those are very large, multinational companies with different pieces of the technology stack across their business units, so many of them don't have the choice to minimize or streamline those components. The ones that end up with all of those data sets to look after are the operations teams, and how do they look after them? Many of the technologies and techniques Jon mentioned, like XDR, are assisting with some of those pieces. A combination of creating a funnel, with, for example, something like a SIEM piping into an XDR, and automation in between to reduce the false-positive ratio, is important. As Jon mentioned, it is not simple: the more technologies, the more challenges you have and the more risk. But it does exist, and we have seen that on our side as well.
You noted that process maturity was one of the greater impediments to automation. Can you offer any resources or guidance on how teams can achieve that maturity?
- Jon: So, first of all, you should assess your processes. What you are looking for are instances where one person says, "I will take this," and they may have their own methodology, they may have their own tools, and you have relied on them to do that for years. But it doesn't scale, and of course, if that person leaves, you are in trouble. So process assessment first, and then there are plenty of best practices, whether it is the NIST framework or ISO; there are lots of different models. Look at their processes, look at some of their best practices, compare them with what you are doing, and see what you can do to align better. And of course, like we said, process automation is key, so as you look at and assess these processes, you are looking for opportunities to automate not only individual tasks but the process end to end.
- Marco: Right along the lines of what Jon was mentioning is what we see from our side when we speak to customers: "I don't have a well-defined process; how do I respond? How can I create an automated process around something I don't have written down?" First of all, some of the guidance we share with them is that, technically, you do have a process, even if it isn't written down. So maybe the beginning component is to allow the time to sit down and think about that repetitive process that you do in your mind, then think about how you can operationalize that component that your team is doing on a day-to-day basis pretty much by muscle memory. Once you start gaining some of that time back from the smaller, low-hanging-fruit automated processes, then start going after the bigger ones, and those bigger ones, just like Jon said, should align to some of the best practices you are seeing in the industry and some of the frameworks that are coming up. This is the journey we are seeing some of our customers take, and even though they said, "We don't have a process," by the end of about 30 days they are able to achieve at least 20-25 automated processes without having had a documented process before. So it tells you that taking a bit of a step back, revisiting those things you do out of muscle memory, and starting to pick up the simple things you can automate will start saving you the time you need to tackle the bigger ones.
How are teams measuring whether automation has been “effective”?
- Jon: Well, there are a couple of things that came out in this presentation, which are measuring the mean time to detect and mean time to respond. But also productivity and throughput: if an analyst can do some number of investigations per day, can we increase that? So we are looking at that. The other thing is making the junior people more productive. It is not uncommon that a Tier 1 analyst is escalating a large portion of the events or alerts that they see. Is there a way we can automate the process to increase or decrease the number of alerts they escalate or take action on themselves? So there are a lot of creative ways to do that, and as we saw from the benefits, we could probably go back to that slide, look at the benefits, and talk about metrics to measure that across the board. But Marco, I am sure you have lots of experience here.
- Marco: Absolutely. Metrics around ROI need to be visible to the organization in order for them to be real. Otherwise, one of the things I remember looking at is: if you have a feeling something is going right, it probably is, but can you prove to somebody that it is going the right way? In order to prove it, you need to have that data, those metrics, and those pieces in front of you in order to show there is actual proof of value. The way we see customers showing that improvement in value is by providing something as simple as reporting on how much time an automated process kicking in is saving their organization; something as simple as that is very powerful. Then, to match the organization's reality, it can show you how much time you are saving on a daily, monthly, and quarterly basis, and that can be calculated into a dollar number to show the value of what you are getting out of an automated process. It has to be something tangible with a means of measuring it, which is something we are doing with our customers.
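As an added illustration (not part of the webinar, and not code from Torq or ESG), the following Python computes the metrics the two speakers describe in the last answer: mean time to detect, mean time to respond, the share of alerts a Tier 1 analyst escalates, and analyst time saved by automation rolled up per day and converted to a dollar figure. The alert records, their field names, and the $90 loaded hourly analyst rate are constructed assumptions; a real SOC would pull these fields from its SIEM or case-management system. The block also rejects records whose timestamps run backwards, since a negative dwell time usually means clock skew or mis-mapped fields rather than a genuinely fast detection.

```python
from dataclasses import dataclass
from datetime import datetime
from collections import defaultdict
from statistics import mean


@dataclass(frozen=True)
class AlertRecord:
    """One closed alert. Field names are assumptions for this example."""
    alert_id: str
    first_event: datetime   # earliest evidence of the activity in telemetry
    detected: datetime      # when the alert fired in the SOC
    resolved: datetime      # when containment/closure was recorded
    escalated_by_tier1: bool
    minutes_saved_by_automation: float  # analyst minutes an automation replaced


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data (not real telemetry). UTC, ISO-8601.
SAMPLE_ALERTS = [
    AlertRecord("A-1", _ts("2024-03-01T08:00:00"), _ts("2024-03-01T08:12:00"), _ts("2024-03-01T09:30:00"), True, 0),
    AlertRecord("A-2", _ts("2024-03-01T09:00:00"), _ts("2024-03-01T09:02:00"), _ts("2024-03-01T09:20:00"), False, 15),
    AlertRecord("A-3", _ts("2024-03-01T10:00:00"), _ts("2024-03-01T10:30:00"), _ts("2024-03-01T12:00:00"), True, 0),
    AlertRecord("A-4", _ts("2024-03-01T13:00:00"), _ts("2024-03-01T13:04:00"), _ts("2024-03-01T13:14:00"), False, 20),
    AlertRecord("A-5", _ts("2024-03-02T07:00:00"), _ts("2024-03-02T07:08:00"), _ts("2024-03-02T08:00:00"), False, 25),
]


def _minutes(later: datetime, earlier: datetime, label: str, alert_id: str) -> float:
    """Elapsed minutes; a negative value is a data-quality error, not a result."""
    delta = (later - earlier).total_seconds() / 60.0
    if delta < 0:
        raise ValueError(f"{alert_id}: negative {label} ({delta:.1f} min); check timestamps/field mapping")
    return delta


def mean_time_to_detect_minutes(alerts: list[AlertRecord]) -> float:
    """MTTD: average minutes from first evidence in telemetry to the alert firing."""
    if not alerts:
        raise ValueError("MTTD is undefined for an empty alert set")
    return mean(_minutes(a.detected, a.first_event, "time-to-detect", a.alert_id) for a in alerts)


def mean_time_to_respond_minutes(alerts: list[AlertRecord]) -> float:
    """MTTR: average minutes from the alert firing to recorded closure/containment."""
    if not alerts:
        raise ValueError("MTTR is undefined for an empty alert set")
    return mean(_minutes(a.resolved, a.detected, "time-to-respond", a.alert_id) for a in alerts)


def tier1_escalation_rate(alerts: list[AlertRecord]) -> float:
    """Fraction of alerts Tier 1 escalated instead of closing themselves (0.0 when empty)."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if a.escalated_by_tier1) / len(alerts)


def time_saved_by_day(alerts: list[AlertRecord]) -> dict[str, float]:
    """Analyst minutes saved by automation, keyed by the detection date (YYYY-MM-DD)."""
    totals: dict[str, float] = defaultdict(float)
    for a in alerts:
        totals[a.detected.date().isoformat()] += a.minutes_saved_by_automation
    return dict(totals)


def analyst_hours_saved(alerts: list[AlertRecord]) -> float:
    return sum(a.minutes_saved_by_automation for a in alerts) / 60.0


def automation_value_usd(alerts: list[AlertRecord], loaded_hourly_rate_usd: float) -> float:
    """Hours saved times a loaded analyst rate; the rate is an input, not a constant."""
    return analyst_hours_saved(alerts) * loaded_hourly_rate_usd


def soc_metrics_report(alerts: list[AlertRecord], loaded_hourly_rate_usd: float) -> dict:
    return {
        "alert_count": len(alerts),
        "mttd_minutes": mean_time_to_detect_minutes(alerts),
        "mttr_minutes": mean_time_to_respond_minutes(alerts),
        "tier1_escalation_rate": tier1_escalation_rate(alerts),
        "hours_saved": analyst_hours_saved(alerts),
        "value_usd": automation_value_usd(alerts, loaded_hourly_rate_usd),
        "minutes_saved_by_day": time_saved_by_day(alerts),
    }


if __name__ == "__main__":
    for key, value in soc_metrics_report(SAMPLE_ALERTS, loaded_hourly_rate_usd=90.0).items():
        print(f"{key}: {value}")
```

Tracking these four numbers over time, rather than once, is what turns them into the "proof of value" the answer asks for: a falling escalation rate with flat MTTR means the automation is absorbing Tier 1 work without slowing closure, while hours saved that grow month over month is the series to convert into dollars for the business.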