Incident Response — People, Process or Technology?

Sridevi Sheth
palo-alto-networks-cortex-blog
Nov 14, 2019

Published: October 30, 2015

A confession before we start-

“This is a boring topic and I know it.”

Is there anything to debate here? Everybody knows that we need people, process and technology working towards the same goal. So why am I writing this blog? Even though these three pieces need to work together, it is hard to build a strategy that actually makes them work together. Before we dissect this topic any further, let’s talk about the key challenges in Incident Response (based on our customer and analyst engagements) —

  1. Time: Some companies call the time after an incident alert the “Golden hour” and measure it with metrics like MTTR (Mean Time To Respond). When you are under attack or have just been breached, time is something you don’t have. Every minute saved protects you from further damage and helps you contain the incident.
  2. Skills: This comes up consistently in our customer conversations. Some companies struggle to find talented security analysts who can conduct deep investigations and solve issues; others struggle to find junior talent who can reduce the load on senior analysts. Either way, it is very clear that the security analyst role is hard to hire for. Here are some statistics from the Bureau of Labor Statistics.
  3. Lack of Planning: When you are fighting fires all the time, there is no time for planning and post-mortems. There is plenty of material around well-crafted IR playbooks and how to plan, but in our conversations they are not used, for a couple of reasons: there is no time to train the team on the playbooks, and the playbooks are documents that do not directly translate into actions.

So now that we have the key challenges laid out, what can we do? We can put technology, process and people to work on solving these. Right? Not so easy, as it turns out.

Solving these issues requires a different approach: use technology to help with process and people as well.

I am not saying that you can replace process and people, but you cannot rely on people to follow process when they are really busy and don’t have time to think. What I am proposing is to use technology to enforce process and enable people to do their jobs.
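One way to make “technology enforces process” concrete is to turn the playbook from a document into code that refuses to let a step be skipped and records the timestamps the Golden-hour metrics are computed from. The Python below is an added illustration written for this page, not Demisto’s product or the author’s own code; the step names, analyst names and incident records are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical playbook: the ordered steps an analyst must complete for an
# alert. The step names are constructed for this example.
PLAYBOOK_STEPS = ["triage", "scope", "contain", "eradicate", "close"]


class PlaybookError(Exception):
    """Raised when an analyst tries to skip, repeat or back-date a step."""


@dataclass
class Incident:
    incident_id: str
    alerted_at: datetime
    completed: Dict[str, datetime] = field(default_factory=dict)
    actor: Dict[str, str] = field(default_factory=dict)

    def complete_step(self, step: str, analyst: str, at: datetime) -> None:
        """Record a step, enforcing playbook order instead of trusting memory."""
        if step not in PLAYBOOK_STEPS:
            raise PlaybookError(f"unknown step {step!r}")
        if step in self.completed:
            raise PlaybookError(f"step {step!r} already completed")
        expected = PLAYBOOK_STEPS[len(self.completed)]
        if step != expected:
            raise PlaybookError(f"expected {expected!r} before {step!r}")
        if at < self.alerted_at:
            raise PlaybookError("step timestamp precedes the alert")
        self.completed[step] = at
        self.actor[step] = analyst

    def time_to_contain(self) -> Optional[timedelta]:
        """Golden-hour metric: alert to containment, None if not yet contained."""
        if "contain" not in self.completed:
            return None
        return self.completed["contain"] - self.alerted_at

    def time_to_respond(self) -> Optional[timedelta]:
        """Alert to closure, None while the incident is still open."""
        if "close" not in self.completed:
            return None
        return self.completed["close"] - self.alerted_at


def mean_time_to_respond(incidents: List[Incident]) -> Optional[timedelta]:
    """MTTR across closed incidents; open incidents are excluded."""
    durations = [d for d in (i.time_to_respond() for i in incidents) if d is not None]
    if not durations:
        return None
    return sum(durations, timedelta()) / len(durations)


def build_sample_incidents() -> List[Incident]:
    """Two constructed incidents worked through the playbook in order."""
    t0 = datetime(2015, 10, 30, 9, 0)
    a = Incident("INC-0001", t0)
    a.complete_step("triage", "junior", t0 + timedelta(minutes=5))
    a.complete_step("scope", "junior", t0 + timedelta(minutes=20))
    a.complete_step("contain", "senior", t0 + timedelta(minutes=45))
    a.complete_step("eradicate", "senior", t0 + timedelta(hours=2))
    a.complete_step("close", "senior", t0 + timedelta(hours=3))

    t1 = t0 + timedelta(days=1)
    b = Incident("INC-0002", t1)
    b.complete_step("triage", "junior", t1 + timedelta(minutes=10))
    b.complete_step("scope", "junior", t1 + timedelta(minutes=30))
    b.complete_step("contain", "junior", t1 + timedelta(hours=1, minutes=15))
    b.complete_step("eradicate", "senior", t1 + timedelta(hours=4))
    b.complete_step("close", "senior", t1 + timedelta(hours=5))
    return [a, b]


def skipped_step_is_rejected() -> bool:
    """Show that jumping straight to containment without triage is refused."""
    inc = Incident("INC-0003", datetime(2015, 10, 31, 9, 0))
    try:
        inc.complete_step("contain", "junior", datetime(2015, 10, 31, 9, 30))
    except PlaybookError:
        return True
    return False


if __name__ == "__main__":
    incs = build_sample_incidents()
    for inc in incs:
        print(inc.incident_id, "time to contain:", inc.time_to_contain())
    print("MTTR:", mean_time_to_respond(incs))
    print("skipping triage rejected:", skipped_step_is_rejected())
```

The point of the ordering check is that the process is enforced by the tool, not by a busy analyst remembering the document; the recorded timestamps also give you MTTR and time-to-contain for free, so the metrics come out of doing the work rather than from a separate reporting exercise.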

Comments? Disagreements? Tweet to us @demistoinc if you agree or disagree!

Rishi Bhargava
