Kevin Whalen hit the nail on the head in his recent post ‘The destructive power of bad investigations’ with his comments on why investigations fail and why workflow matters so much. It is common knowledge that many security teams are swamped by large volumes of events and false positives, and one of the key causes is the time it takes analysts to validate and investigate each one.
So, why does it take so long? There isn’t a single answer, but in many cases we are simply using the wrong tools. More often than not we reach for tools that belong in the detection / prioritization phase or the forensics phase of incident response, neither of which is built for fast validation. What we are doing is like trying to drive a nail into a brick wall with a sledgehammer: the tool was not designed for the job.
One approach to fixing this is simply to add more people to our security teams, but finding the right people, and the budget for them, is usually a challenge. This approach also creates a circular problem: every time we introduce a new technology that generates more events, we need more people to triage and investigate those events. We aren’t fixing the underlying problem. What we need to do is improve the efficiency of the security personnel we already have, so that they can process the information being funnelled to them more readily.
This is where speed-of-thought investigation comes into play. We have all become too used to row-and-column rendering of security data, and to query engines that take minutes (or hours) to return the data we need. If we could visualize the threat and traffic data we already have, and search, zoom and pivot through it at the ‘speed of thought’, we could drastically shorten the event validation and investigation process. Doing so brings a number of benefits:
- Our existing analysts can investigate many more events in a single shift, providing better coverage and reducing the risk that something is missed.
- Our analysts are more ‘engaged’ in the process, because they can follow a hunch without worrying that they will waste time and lose their train of thought while waiting for a query to return.
- We can use some of the saved time to make our security posture more proactive, looking for changes in behaviour around critical assets that might represent threats which would otherwise be missed (threat hunting).
Tools such as Arbor Security Analytics enable this, freeing our security teams from wrestling with the tools they use so that they can focus on our real priority: stopping the threats that matter.
The post Investigation at the speed of thought appeared first on Arbor Insights - Our People, Products and Perspective.