Resolve Systems hosted and participated in the Incident Resolution Summit in Chicago on September 20th, the only incident response and process orchestration event of its kind. As we come back from the Windy City, Resolve Systems is busy reflecting on the sessions and discussion with the subject matter expert speakers and the industry-leading participants.
With dozens of security operations, IT operations, and service management executives, the event was focused on exploring best practices of incident response, with special presentations by featured speakers Joseph Blankenship of Forrester and Larry Lien of Resolve Systems.
With more information to come, here are our high level thoughts on the Incident Resolution Summit:
Incident Response has to be an Enterprise-wide Objective to Succeed
Larry Lien, Resolve Systems’ CPO, said it best, “You cannot just think about individual technologies or your own team. You need to think across the enterprise.”
One of the speakers at the summit was Lee Bonham, Automation Evangelist and Strategic Technology Executive. Lee presented on how an automation strategy – including vendor selection – needs to be closely tied into not only the technology strategy of a company, but the people strategy as well. Resolve Systems couldn’t agree more! We’ve seen how our customers succeed when their IT operations, security operations, and network operations teams are united. As they work so closely together for incident response, a collaborative, enterprise-wide tool is necessary in today’s environment.
Automation [Alone] is Not Enough
Featured speaker Joseph Blankenship of Forrester presented on the Evolution of Security Operations. He reiterated and expanded on the enterprise-wide importance. Network operations, IT operations, and security operations need to work collaboratively for best success – Resolve Systems being the only platform that can do this on the market today – and he also expanded on automation as a strategy within the evolution of security incident response.
Staying on top of thousands of security alerts every day is exhausting for a cybersecurity team. It is nearly impossible to assess, validate, and resolve every incident manually; however, missing even one could be a huge risk to an organization. This is where Security Automation and Orchestration (SAO) comes into play. Forrester defines SAO as technology products that provide automated, coordinated, and policy-based action of security processes across multiple technologies, making security operations faster, less error-prone, and more efficient. SAO, and Resolve Systems, addresses half of the top enterprise challenges facing organizations today(1), including:
- Complex IT environment
- Time-consuming tactical activities
- Understaffed team
Automation can help break down silos of information and help security analysts become more productive, but it will not be a replacement for human analysts. Automation, by itself, is not enough. Returning to a recurring theme of the Incident Resolution Summit, Joseph Blankenship reiterated that building a case for SAO and for security incident response, evaluating processes, and focusing on people as a strategy is how best to accelerate security incident response. Removing or reducing repetitive tasks with automation is a great first step, but building a strong foundation of security incident response – with a platform like Resolve – will simplify a complicated process and consolidate organizational responses.
Automation Doesn’t Need to be All or Nothing
One of Resolve Systems’ customers, a leading provider of enterprise cloud applications, presented on the overabundance of alerts and incidents created by their SIEM. With dozens of tools sending alerts, and a headcount reduction demand, how is a security operations manager supposed to grapple with the increased volume and decreased headcount?
Their solution, as described in the presentation, was not to look at fully automating their security incident response environment, but elevating their analysts to allow them the capabilities to work at a “much higher level”. With a central ticketing platform, role based access, and with automation and orchestration, tier 1 analysts are able to quickly determine if an issue requires escalation. With an automated SOC workflow, this customer is able to better manage security incident response without adding additional engineers and engaging tier 1 analysts to use human-guided automation instead of end-to-end automation – which is something only Resolve Systems is capable of today.
Incident Response & Operational teams are Overworked and Overwhelmed
Whether overworked by the sheer volume of alarms, by manual data aggregation, or by an inability to resolve incidents due to a lack of skills or to tribal knowledge silos, teams can reduce the noise of false alarms and duplicate activities to accelerate incident response.
To this effect, Jason Anderson of Datalink presented on having zero dependencies in a Network Operations Center. How did his team go about doing this? Reduce, reuse, recycle! The ability to reduce the noise, reuse processes, and recycle these same processes by leveraging automation saved the company 110 hours a month and gave the power and subject matter expertise to L1 instead of L2 and L3 team members. Resolve Systems calls this shifting left. Without automation, Datalink was resolving incidents in 30 minutes. They reduced this time by 90% by prioritizing people, process, tools, and automation – in that order.
With the theme of the event focused on best practices of cross-functional collaboration and process orchestration for IT and security incident response, it wasn’t lost on the Resolve Systems team or the Incident Resolution Summit attendees that two speakers quoted Bill Gates:
“The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.”
As the most widely deployed IT and Security Incident Response Platform for enterprise-wide automation and orchestration, Resolve Systems has seen firsthand, time and time again, how efficiencies gained through automation reinforce process and enable and empower cross-functional department collaboration and resolution. Particularly in regard to security, prioritizing Automation and Orchestration as part of a corporate, technology, and people strategy and in a company roadmap has the potential to significantly impact operations.
Security automation and orchestration can be the secret ingredient to an effective incident response program, but many teams overcomplicate it or feel overwhelmed by trying to automate every activity in the workflow.
When getting started with security automation and orchestration, think agile:
- Prioritize business drivers
- Identify key stakeholders and process owners
- Examine automation opportunities
- Define requirements with a workshop
- And more