Poor alerts hamper effective automation of threat detection
According to a new report, 85 percent of IT security professionals have experienced preventable business impacts resulting from insufficient response procedures, while 97 percent say that more accurate alerting would increase their confidence in automating threat response actions.
The State of the Modern SOC report from Deepwatch is based on a survey by Dimensional Research of over 300 security professionals, working at US organizations with 1,000 or more employees.
Among other findings are that almost all (93 percent) security professionals are working to reduce response times, and even more (99 percent) either believe they need more automation or want to learn more about automating security incident response in their organizations. Automation would significantly benefit organizations strapped for resources. The research finds that 38 percent of security teams at companies with over 1,000 employees are still not resourced for 24/7 SOC coverage: 30 percent of respondents have SOC coverage during business hours only, and eight percent have no SOC at all.
"Stronger detection paves the way for trustworthy automated response and fast, effective containment of cyber threats," says Wesley Mullins, chief technology officer at Deepwatch. "Modern security operations centers (SOCs) should be equipped with high-fidelity alerts that include proper contextualization and correlation to provide as clear of a picture of the threat as possible. Not only does that enable analysts to work better, but it also unlocks the ability to implement automated response actions that stop threats with speed and precision. The key is confidence in the detection."
Of the 85 percent of security professionals who reported preventable business impacts arising from insufficient response, 63 percent report blocked access to their systems resulting in downtime, and 47 percent report a negative impact on customer experience.
"With the rise of ransomware and attacks on critical infrastructure, we all know that cyber incidents can have highly disruptive impacts on operations," Mullins adds. "That can certainly cost a business internal productivity and revenue, but in the case of critical infrastructure, these attacks can have much more troubling consequences. No one can prevent 100 percent of threats from entering their environments, so it's just as important to have mature detection and response programs to stop the threats before they can actually damage the business or stop operations. Automating response and partnering with a trusted provider to manage detection and response are both paths to faster threat containment."
The full report is available from the Deepwatch site.
Image credit: alexskopje/depositphotos.com