Wade Woolwine, director, threat detection & response services, Rapid7
Automation is a critical step in the optimization of a mature incident response program. Automatically collecting relevant data points across assets and presenting them to analysts in a cohesive way absolutely helps to reduce analysis time and improve organizations’ ability to identify incidents.
However, when automation is introduced too early in security program maturation, it leads to obscuring critical process components that may result in complete failures of threat detection and incident response. Organizations must remember that threat detection and incident response programs require a balanced combination of people, process, and technology. Technology serves to reduce the data sets and make information manageable; process ensures that critical steps are in place to reduce failure; and people provide the power to contextualize, analyze, and report on their findings.
For organizations looking to mature their detection and response capabilities, automation of repeatable tasks, and the collection of data is where time should be invested.
A. N. Ananth, CEO, EventTracker
While automation is an essential step in incident response, it is, by necessity, rules driven – and rule creation is a finite activity. Even super villain Jarvis needs direction from Iron Man to do the magical things he does in Hollywood’s imagination. Attacks vary from the cookie cutter to artisanal. Defense requires constant rule updates to handle the variation in banal attacks plus a vigilant analyst to notice the out-of-ordinary and possibly harmful patterns.
So much is clear from observations that the dwell time of malware in the network is averaging more than 200 days, despite reasonable precautions that always include traditional signature-based defenses. New technologies – such as endpoint threat detection – promise to extend the coverage of signature-based defenses, but they too have a limit and invariably require a skilled analyst to drive them. Security technology providers are always anxious to position their solutions as an “analyst in a box,” but the reality is that they are “a box for the analyst.”