Response time plays a critical role in determining the severity and repercussions of a cybersecurity incident. The longer a threat goes undetected within an organization’s network, the more damage it can do and the more costly it will likely be to recover from. Unfortunately, security teams face a myriad of challenges that make rapid and effective incident response difficult.
The first challenge security teams are grappling with is information overload and alert fatigue from the sheer volume of inbound security alerts. Yet many organizations are still deploying more security tools in the quest for better visibility and control. At the same time, the threat landscape continues to grow more challenging, with greater volume, variety and velocity of attacks. The result is a vicious cycle that leaves many security teams struggling in their attempts to identify, protect, detect, respond and recover.
As these security alerts come in, analysts need context to determine whether an alert is a genuine threat or a false positive. To get that context, they often have to collect and reconcile data siloed across multiple devices or tools. On average, an analyst can realistically investigate 20 to 25 alerts in a standard workday. However, the average organization's security operations center (SOC) receives over 10,000 alerts per day, and the biggest organizations can see over 150,000. At that volume, it's easy to see why a majority of organizations simply do not have the bandwidth to detect and mitigate threats.
Because a single alert can mean the difference between catching a major incident and missing it entirely, it is critical that security teams have complete visibility into these alerts. While attacks are becoming more effective, most can be mitigated if the security team is looking in the right place at the right time. To be effective, security teams need more efficient means of triaging and investigating alerts that enable them to keep up with the deluge of security data.
In addition to having an overwhelming number of security alerts to investigate and track, organizations are dealing with a growing cybersecurity skills gap and simply cannot acquire the cybersecurity talent required to address the volume of threat data they have. A recent study found that 68% of organizations struggle to recruit, hire, and retain cybersecurity talent. Further, as of March 2020, 73% of companies had at least one intrusion or breach in the previous year that could be at least partly attributed to a gap in cybersecurity skills.
Accurately differentiating between a true incident and a false positive requires extensive knowledge and experience, which makes it difficult for other IT staff members to step into a security role. Sophisticated threat actors exploit this by shifting to "low and slow" attacks whose individual events blend in with the stream of false-positive alerts. The cybersecurity skills gap is exacerbated by the fact that many organizations rely on manual processes for alert triage and remediation. Manual processes lead to long incident response times, which dramatically increases an organization's risk.
Beyond the challenges of performing incident investigation and response with a stretched cybersecurity workforce, security teams are also responsible for demonstrating compliance with an increasing number of security regulations. The EU’s General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS) are just two of many such data protection regulations that make a security team’s job more difficult.
The challenges posed by these regulations are twofold. First, quarterly and annual auditing requires security teams to generate and collect detailed data demonstrating how their security controls meet a given regulation’s requirements. This often involves mapping the general regulatory requirements to specific security controls on the company’s network, and then gathering the data pertaining to those controls. Second, mandatory breach reporting puts acute time pressures on the security team.
For example, the GDPR requires an organization to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it. An accurate report requires a comprehensive investigation before that deadline. Each regulation has different reporting requirements and regulatory authorities, which can make manual breach notification a complicated and time-consuming process. Because of their legal and potentially material financial implications, compliance tasks often trump the day-to-day work of the security team. Any time spent researching a particular regulation, mapping security controls to regulatory requirements, and demonstrating compliance with the regulation takes away from the team's ability to identify and respond to security incidents.
The number and complexity of these regulations continues to grow. An organization may be responsible for compliance with regulations in every jurisdiction where it operates, and the growing list of state, national, regional, and industry-specific regulations makes achieving and maintaining compliance increasingly difficult.
Between an increasingly complex threat landscape that has sharply increased the number of security alerts, the growing cybersecurity skills gap, and the complicated compliance and reporting regulations security teams must abide by, organizations are struggling to ensure rapid and effective incident response.
Fortunately, integrating security tools into a security information and event management (SIEM) platform and automating the triage that follows can go a long way toward prioritizing alerts and simplifying incident response, addressing many of the challenges outlined above. Further, security leaders must leverage the capabilities of automation and other AI-driven innovations to alleviate overburdened security teams.
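To make the prioritization step concrete, the following is an added example (not Fortinet's code, and not how FortiSOAR or any particular SIEM implements it) of the kind of automated triage described above: alerts from several tools are correlated by the affected host, known-benign noise is suppressed, and each resulting case is scored by asset criticality, worst severity, and how many independent sources corroborate it. The sample alerts, the asset-criticality table, the allow-list and the scoring weights are all constructed assumptions for illustration.

```python
"""Constructed example of automated alert triage: correlate alerts from several
tools by affected host, drop known-benign noise, and rank the resulting cases by
asset criticality, severity and corroboration across independent sources."""
from collections import defaultdict

# Constructed sample alerts, shaped like normalised SIEM events (not real telemetry).
SAMPLE_ALERTS = [
    {"id": 1, "source": "edr", "host": "db-prod-01", "rule": "credential_dumping", "severity": "high"},
    {"id": 2, "source": "firewall", "host": "db-prod-01", "rule": "outbound_to_rare_asn", "severity": "medium"},
    {"id": 3, "source": "antivirus", "host": "dev-laptop-17", "rule": "adware_detected", "severity": "low"},
    {"id": 4, "source": "ids", "host": "scanner-01", "rule": "port_scan", "severity": "medium"},
    {"id": 5, "source": "auth", "host": "web-prod-02", "rule": "brute_force_success", "severity": "medium"},
    {"id": 6, "source": "edr", "host": "dev-laptop-17", "rule": "suspicious_powershell", "severity": "medium"},
    {"id": 7, "source": "edr", "host": "db-prod-01", "rule": "credential_dumping", "severity": "high"},
]

# Assumed asset inventory: business criticality per host; unknown hosts default to 1.
ASSET_CRITICALITY = {"db-prod-01": 3, "web-prod-02": 2, "dev-laptop-17": 1}
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed allow-list of (source, host, rule) tuples an analyst has already reviewed as benign,
# here the organisation's own vulnerability scanner tripping the IDS port-scan rule.
SUPPRESSED = {("ids", "scanner-01", "port_scan")}


def is_suppressed(alert):
    return (alert["source"], alert["host"], alert["rule"]) in SUPPRESSED


def correlate(alerts):
    """Group non-suppressed alerts by affected host. One host = one case."""
    cases = defaultdict(list)
    for alert in alerts:
        if not is_suppressed(alert):
            cases[alert["host"]].append(alert)
    return dict(cases)


def score_case(host, alerts):
    """Risk score: worst severity scaled by asset criticality, plus a bonus when
    independent tools (sources) and distinct behaviours (rules) corroborate each
    other. Sets make repeated copies of the same alert count only once."""
    worst = max(SEVERITY_WEIGHT[a["severity"]] for a in alerts)
    sources = {a["source"] for a in alerts}
    rules = {a["rule"] for a in alerts}
    base = worst * ASSET_CRITICALITY.get(host, 1)
    corroboration = 2 * (len(sources) - 1) + (len(rules) - 1)
    return base + corroboration


def triage(alerts):
    """Return cases ranked highest-risk first; this is the queue an analyst works."""
    ranked = []
    for host, grouped in correlate(alerts).items():
        ranked.append({
            "host": host,
            "score": score_case(host, grouped),
            "alert_ids": sorted(a["id"] for a in grouped),
            "sources": sorted({a["source"] for a in grouped}),
        })
    ranked.sort(key=lambda c: (-c["score"], c["host"]))
    return ranked


if __name__ == "__main__":
    for case in triage(SAMPLE_ALERTS):
        print(f'{case["score"]:>3}  {case["host"]:<14} alerts={case["alert_ids"]} sources={case["sources"]}')
```

Seven raw alerts collapse into three cases, and the scanner noise never reaches the queue. Note that the developer laptop, with only low and medium alerts, ranks above the production web server because two independent tools reported different suspicious behaviours on it; that is the kind of cross-source context an analyst otherwise has to assemble by hand from siloed consoles.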
Find out how Fortinet integrates AI and machine learning capabilities across our Security Fabric to detect, identify, and respond to threats at machine speed.
Find out how FortiSOAR enables security leaders to accelerate incident response, unify operations, and eliminate alert fatigue.