The average enterprise receives roughly 17,000 malware alerts a week, according to HPE, and 81% of those alerts turn out to be false positives. Because of the sheer volume, administrators end up looking at less than 10% of the alerts they receive, which leaves organizations with a large unexamined exposure. Chasing down these alerts is also inefficient and costly: organizations spend an average of $1.27 million in wasted manual effort, according to the Ponemon Institute.
Given the scale of alerts being generated, it's clear that some amount of security automation is required to deal with this challenge. And while automation can be very powerful for context enrichment and for replacing manual, repetitive processes, automation alone is not enough. According to NIST's Computer Security Incident Handling Guide (SP 800-61), “organizations should attempt to achieve a balance of automated information sharing overlaid with human-centric processes for managing the information flow.”
Unlike some security vendors that promote a “lights out” approach to automation for the majority of the incident response process, Syncurity incorporates human insight at critical points along the process to ensure the appropriate incident response workflow. Automation-first vendors run a very real risk of escalating false positives or, worse, missing true positives, because a pre-determined incident response algorithm executes without any human judgement about the risk the alert actually represents.
Syncurity's IR Flow defines custom workflows for each alert and incident type. Within a workflow the analyst decides, based on their own judgement, which steps are executed or bypassed, which system integration actions are triggered ahead of time or in real time, and which tasks are automated rather than manual. This selective injection of human judgement is what allows the potential risk and disposition of any given alert to be discerned properly, including the decision whether to escalate it to an incident.
Risk is a relative measure, defined by humans, and is calculated differently for each enterprise. IR Flow enables analysts to represent relative security risk through a series of custom-defined parameters that are then applied to every incoming alert using a patent-pending technology called the Triage Scoring Engine. This systematic application of human judgement dramatically reduces alert dwell time, quickly elevates high-risk alerts and improves the effectiveness of the entire security operations function.
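To make the two preceding paragraphs concrete, here is an added example of a weighted triage scorer with a human-review gate. It is illustration only, not Syncurity's Triage Scoring Engine or any code from the page: the risk parameters (asset criticality, privileged accounts, per-source precision, weights and thresholds), the routing tiers and the sample alerts are all assumptions constructed for the example. It also contrasts the weighted score with a naive rule that trusts vendor severity alone, to show the failure mode described above: a low-severity IDS alert on a domain controller involving a domain admin account is escalated by the scorer but would be auto-closed by the naive rule, while a high-severity alert on a kiosk lands in review rather than being escalated blindly.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added illustration of a weighted triage scorer. This is not Syncurity's
# Triage Scoring Engine; the parameters, weights, thresholds and sample
# alerts below are assumptions constructed for the example.


@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str      # detection tool that raised the alert
    severity: int    # vendor-assigned severity, 1 (low) .. 5 (critical)
    asset: str
    user: str
    signature: str


@dataclass
class RiskParameters:
    """Tenant-defined view of risk; every field is a local judgement call."""
    asset_criticality: dict = field(default_factory=lambda: {
        "dc01": 1.0, "fin-db": 0.9, "kiosk-7": 0.2})
    privileged_users: frozenset = frozenset({"da_admin", "svc_backup"})
    # Historical true-positive rate per source, used to discount noisy tools.
    source_precision: dict = field(default_factory=lambda: {
        "edr": 0.8, "ids": 0.3, "dlp": 0.5})
    weights: dict = field(default_factory=lambda: {
        "severity": 0.25, "asset": 0.35, "user": 0.25, "source": 0.15})
    review_threshold: float = 0.35    # below this: auto-close, record kept
    escalate_threshold: float = 0.70  # at or above: candidate incident
    unknown_asset_score: float = 0.5  # unknown is not the same as unimportant


def score_alert(alert: Alert, p: RiskParameters) -> float:
    """Weighted sum of normalised factors; result lies in [0, 1]."""
    severity = (alert.severity - 1) / 4
    asset = p.asset_criticality.get(alert.asset, p.unknown_asset_score)
    user = 1.0 if alert.user in p.privileged_users else 0.3
    source = p.source_precision.get(alert.source, 0.5)
    w = p.weights
    return (w["severity"] * severity + w["asset"] * asset
            + w["user"] * user + w["source"] * source)


def route(score: float, p: RiskParameters) -> str:
    """Map a score to a workflow tier. Only auto-close skips the analyst."""
    if score >= p.escalate_threshold:
        return "escalate"
    if score >= p.review_threshold:
        return "review"
    return "auto-close"


def route_by_vendor_severity(alert: Alert) -> str:
    """Naive lights-out rule for comparison: trust the tool's severity alone."""
    return "escalate" if alert.severity >= 4 else "auto-close"


def disposition(tier: str, analyst_decision: Optional[str]) -> str:
    """Final state of the alert. Human tiers cannot be closed by the machine."""
    if tier == "auto-close":
        return analyst_decision or "closed-benign"
    if analyst_decision is None:
        raise ValueError(f"tier {tier!r} requires an analyst decision")
    return analyst_decision


def triage(alerts, p: RiskParameters):
    """Score every alert and return (alert_id, score, tier), highest risk first."""
    rows = []
    for a in alerts:
        s = score_alert(a, p)
        rows.append((a.alert_id, s, route(s, p)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS = [
    Alert("A1", "edr", 5, "kiosk-7", "guest", "suspicious-powershell"),
    Alert("A2", "ids", 2, "dc01", "da_admin", "kerberos-anomaly"),
    Alert("A3", "dlp", 1, "kiosk-7", "guest", "usb-file-copy"),
    Alert("A4", "edr", 3, "laptop-42", "guest", "credential-dump-attempt"),
]

if __name__ == "__main__":
    params = RiskParameters()
    by_id = {a.alert_id: a for a in SAMPLE_ALERTS}
    for alert_id, score, tier in triage(SAMPLE_ALERTS, params):
        naive = route_by_vendor_severity(by_id[alert_id])
        print(f"{alert_id} score={score:.3f} tier={tier:<10} naive={naive}")
```

Two design choices matter here. An asset missing from the criticality table scores neutral rather than zero, so a new or unregistered host cannot silently drive an alert into auto-close. And `disposition` refuses to close anything in the review or escalate tiers without a recorded analyst decision, which is the point at which human judgement is injected into an otherwise automated flow.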