The Internet and digital change are advancing continuously and the associated expansion of IT infrastructures is proving to be an important factor in the profitability of companies. However, this development is also accompanied by many challenges, most importantly the need to protect their own constantly growing IT infrastructures. Many companies are now even prepared to invest the necessary money in IT security technologies. But even the most expensive technology is not sufficient if there is no one who can operate it properly. This is exactly the problem that organizations of all kinds have to deal with.
Threats are increasing, but there is a lack of qualified security personnel
It is no secret that organizations are increasingly lacking cybersecurity experts. Given the increasing number and intensity of attacks and malware, the lack of qualified cybersecurity personnel is a cause for concern. Public authorities and businesses alike are at risk of significant economic damage and loss of image. The figures speak for themselves.
Studies by Enterprise Management Associates (EMA) and Demisto show a worrisome statistic:
- Security teams are bombarded with an average of 174,000 alerts per week, of which only 12,000 can be processed per week. (Demisto)
- The average time to process an incident is 4.35 days. (Demisto)
- 54 percent of the security experts surveyed feel compelled to ignore important alerts because there are not enough personnel or lack of knowledge to track them. (EMA)
- On average, analysts take more than 30 minutes to process a critical alert, with most of that time being used to identify that the alert was mistakenly classified as critical (46 percent), the priority was
Increase effectiveness and efficiency through integrated threat intelligence platforms
Since neither the number of available people nor the required skills can be increased overnight, companies must increase the performance of existing resources. Threat Intelligence Platforms (TIP)
help security teams automate time-consuming tasks and provide SOCs, analysts or incident responders with the right data at the right time to make quick decisions and take targeted action. Modern TIPs
go far beyond traditional threat data management. Rather, they help security teams accelerate workflows and processes, acting as security operations platforms. The following steps help to significantly reduce the time required for detection (Mean-Time-To-Detect) and reaction (Mean-Time-To-Respond):
Security teams have long suffered from the “Big Data” problem. Many tools generate a lot of data, but most of the time they don’t collect it in one place. When analyzing an incident, teams often have difficulty accessing the right data quickly. A central threat database or “Threat Library”, in which all threat information from internal and external sources (Threat Data Feeds) is automatically collected and stored, allows quick access to all the data needed.
- Enrichment of data with context
Context is particularly important for “alert triage”, i.e. the examination of the criticality of an alert. An IP address classified as malicious is a major challenge for an analyst without further information. TIPs
help to automatically enrich data with context. The harmfulness of the IP address is either confirmed or denied, false positives are detected much faster.
- Prioritisation of threat data
Data enriched with context can be prioritized. A scoring system highlights data critical to your business, reduces noise and helps analysts and incident responders focus on relevant threats.
- Suggestions for solutions
Besides the analysis of an incident, the decision which action to take is one of the most difficult tasks. This usually requires deep knowledge and experience, which is often not available. TIPs
help Incident Responders to take the right action by suggesting solutions, which are imported e.g. using data from the MITRE ATT&CK Framework.
One of the most important measures to increase the effectiveness and efficiency of security teams is to improve cooperation. People have different tasks and need different data. Besides, it often happens that several people are needed at the same time to analyze an incident. It is essential, that all involved persons can quickly gain an overview and access common data. Modern TIPs
and Security Operations Platforms can serve as a basis for collaboration, visualizing data and displaying dependencies graphically. A virtual “War Room” serves here as a central place to make joint decisions.
Security within companies stands and falls with the qualified IT security specialists who operate them and ensure that all relevant processes run safely and smoothly. Although there are still not enough specialists to fill all vacant positions in IT security departments, there are ways and means to counteract the lack of experts. Threat Intelligence Platforms
ensure seamless integration of security-related processes as well as ways to quickly and automatically collect and distribute information on attacks and threats. Despite technology, both companies and government organizations depend on experts in cybersecurity. The “human factor” will be the most important in the fight against cyberattacks, along with all technical tools. These resources must be expanded and strengthened in the future.