24 Jul Stop Security “Self-Sabotage” with a Security Operations Platform
The 2017 Verizon Data Breach Investigations Report (DBIR) is full of so much information; it’s hard sometimes to know where to start to operationalize it. I was reading a great article by Dark Reading’s Dawn Kawamoto recently entitled, “9 Ways Organizations Sabotage Their Own Security: Lessons from the Verizon DBIR 2017,” where Dawn pulled out key insights and provided a roadmap to stopping the most painful self-inflicted wounds. I highly recommend this article as a useful read for security executives and managers as they review their programs for investment and budget allocation.
However, while acknowledging the challenges is a great first step, many get stuck on the next step – the “How?”
Syncurity provides a security operations automation platform, IR-Flow, which quickly and easily adapts to each unique enterprise and orchestrates people, process and technology to reduce risk. As I read Dawn’s article, it quickly became clear we help our customers reduce the risk exposure highlighted in her piece and answer the “How?” question.
The ability to pull alerts from virtually any API or email-based source means IR-Flow can enrich and queue alerts from across cyber, point-of-sale (PoS) and physical security infrastructure. The automated enrichment through integration with IT and security systems, combined with our patent-pending Triage Scoring Engine (TSE), enables IR-Flow to quickly rank and dynamically re-rank alerts according to a company’s unique business risks.
IR-Flow orchestrates alert and incident response, either automatically or with human approval, so that potential threats are mitigated faster – with a complete, auditable system of record for reporting, analysis and compliance.
In the below chart, I have outlined the self-inflicted wounds Dawn listed in her article and how Syncurity addresses those challenges. If you want to learn more about how IR-Flow can help your organization, contact us today.
DBIR Identified “Top” 9 Gap
|Slow response to security alerts||Automated Alert enrichment, risk-based Triage Scoring Engine (TSE)||Shrink ”eyes-on” time from hours to minutes, work highest risk alerts first|
|Under-estimating DDoS volumes||TSE to score alerts as higher risk based on volume||Identify DDoS risk earlier, avoid outage through orchestrated response|
|Defending the Phish||Auto/User-submitted Phish Playbooks||Reduce phish victims through rapid analysis and remediation|
|Not Properly Prioritizing Patches||Enriching, risk-scoping alerts w/TSE based on CMDB vulnerability status + TIP exploit data||Quickly recognize and remediate high-risk user activity|
|Retail users email and surf on Point-of-Sale (PoS) Networks||TSE to score PoS users/assets alerts as higher risk||Quickly recognize and remediate high-risk user activity|
|Physically inspect ATMs, PoS||Physical security playbooks||Lessen risk through automating alert triage and incident response|
|Healthcare lacks encryption||TSE to score alerts as higher risk based on asset status||Shorter time to containment for alerts/incidents on unencrypted hardware|
|Missing cyber spies||Alert Threat Intelligence enrichment, dynamic risk scoring (TSE) using source confidence||Quick and more accurate identification of potential state actors|
|Education users need schooling||Automated phishing protection updates to security controls via orchestration APIs||Automatic, rapid blocks for new URL/domains identified as high-risk|