In an ideal world, security teams would have the time to catch security threats proactively and implement new security measures and best practices, all while responding to every single alert as fast as possible. But the reality is, teams face many complex challenges that result in slow time-to-response.
That can be a frustrating position for day-to-day security analysts and incident handlers, given that their job depends on how efficiently and effectively they protect their organization from security threats.
With 2017 here, we wanted to provide a few practical productivity tips for analysts and incident responders to help make their jobs more efficient, effective, and easier.
Here are four ways we recommend:
1. Leverage the Right Security Technologies
The new year is always a good time to evaluate which tools stay and which need to go. Start by taking an inventory of just how many security tools you employ. Based on your team’s size, is that a manageable number, or are there ways to condense functionalities across just a few tools?
Next, how well do they integrate with other tools? Considering security threats are growing more complex, it’s never been more important for security tools to be able to talk to each other and share intel in order to accurately identify real risks. If any of your tools don’t integrate well, it may be time to replace them with more collaborative tools.
Then, evaluate how well your tools address your main use cases and security objectives. For example, if you need to detect threats in the cloud but are still using a network intrusion detection system (NIDS), it’s time to replace it with a host IDS (HIDS), which is better suited for the cloud.
For more detailed info on how to select security tools, read our blog post on this topic.
2. Don’t Work Alone
Security defense must be a team sport. There are simply too many threats today — from ransomware to IoT botnets to phishing — for one person (or even one team) to carry all the burden.
Whether you’re a security team of one or one hundred, it’s important to encourage a culture of security ownership company-wide so that security becomes everyone’s responsibility.
This will help your non-security colleagues understand the importance of measures like secure passwords and multi-factor authentication and enable them to proactively report issues. And especially as your company grows and faces more security threats, a little extra help from teammates can go a long way in keeping up with it all.
If you’re a part of a larger security team or an official security operations center (SOC), be sure everyone on the team is playing an equal role. Again, security is a team sport, so the responsibility should never be tipped too far onto one person’s plate.
To distribute responsibilities strategically, it can help to map each team member's specific skill set to the appropriate tasks so that everyone is doing what they do best and contributing equally. Best of all, this can help prevent burnout and keep your security team happy and aligned.
3. Weed Out Inefficient Processes
There are three signals that your security processes are inefficient:
- People are spending too much time on easily repeatable tasks
- Time-to-response is slow
- Alerts are piling up and/or slipping through the cracks
Pinpoint which processes you and your team run on a regular basis that fit any one (or all) of these criteria. If a process addresses an important need but is simply too tedious, and is therefore hindering efficient incident response, it's time to optimize it.
You can do this by either reworking it into fewer steps, or automating it (see below). If a process is no longer relevant or needs to be significantly reworked, it may be time to go back to the drawing board. (Here’s a primer on creating practical security processes.)
4. Automate Tedious and Manual Processes and Workflows
Once you’ve identified your most tedious and repetitive processes, it’s time to automate them. Why? Two reasons:
- To optimize the speed of your security operations
- To free up time to work on more strategic tasks like threat hunting and response
Both of these benefits will get you closer to optimal productivity, and to catching threats faster. In particular, you should be automating:
- Monitoring and detection
- Data enrichment
- Incident response
- User permission management
- Business continuity tasks
This post takes a more in-depth look at each of these.
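As an added illustration of the "data enrichment" and "incident response" items above (example code written for this page, not the post's own tooling), the block below shows the kind of step that is worth automating first: collapsing duplicate alerts, attaching asset-owner and threat-intel context, and ordering the queue by priority so an analyst opens the alert that matters first. The inventory, indicator list and alerts are constructed sample data; the field names and scoring rule are assumptions.

```python
from collections import defaultdict

# Constructed asset inventory: hostname -> (owner team, business criticality 1-3)
ASSET_INVENTORY = {
    "db-prod-01": ("data-platform", 3),
    "web-prod-02": ("web", 2),
    "dev-laptop-17": ("engineering", 1),
}

# Constructed threat-intel list of source IPs already known to be malicious
KNOWN_BAD_IPS = {"203.0.113.45"}  # TEST-NET-3 documentation address, not a real indicator

# Constructed raw alerts in the shape a detection tool might emit them
RAW_ALERTS = [
    {"id": 1, "host": "db-prod-01", "src_ip": "203.0.113.45", "rule": "ssh-bruteforce"},
    {"id": 2, "host": "db-prod-01", "src_ip": "203.0.113.45", "rule": "ssh-bruteforce"},
    {"id": 3, "host": "dev-laptop-17", "src_ip": "198.51.100.8", "rule": "ssh-bruteforce"},
    {"id": 4, "host": "unknown-host", "src_ip": "198.51.100.9", "rule": "port-scan"},
]


def enrich(alert):
    """Attach asset context and an intel verdict so the analyst need not look them up by hand."""
    owner, criticality = ASSET_INVENTORY.get(alert["host"], ("unassigned", 1))
    return {
        **alert,
        "owner": owner,
        "criticality": criticality,
        "known_bad_src": alert["src_ip"] in KNOWN_BAD_IPS,
    }


def priority(enriched):
    """Assumed scoring rule: asset criticality, doubled when the source is already known-bad."""
    return enriched["criticality"] * (2 if enriched["known_bad_src"] else 1)


def triage(raw_alerts):
    """Deduplicate identical (host, src_ip, rule) alerts, enrich them, and sort by priority."""
    groups = defaultdict(list)
    for alert in raw_alerts:
        groups[(alert["host"], alert["src_ip"], alert["rule"])].append(alert["id"])
    queue = []
    for (host, src_ip, rule), ids in groups.items():
        enriched = enrich({"host": host, "src_ip": src_ip, "rule": rule})
        enriched["merged_ids"] = ids  # keep an audit trail of the alerts that were collapsed
        enriched["priority"] = priority(enriched)
        queue.append(enriched)
    return sorted(queue, key=lambda a: a["priority"], reverse=True)
```

Running `triage(RAW_ALERTS)` turns four raw alerts into three queue entries, with the two brute-force hits on the critical database host merged into one top-priority item that already names its owner.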
Optimizing Security Operations in 2017
Kick off the new year by following these four steps so that you can finally eliminate inefficient tools and processes and free up time to respond to threats faster.