5 ways analysts can find priority threats

2015 was labelled by many as the 'year of the hack'. Unless organisations sort out their security, 2016 is going to deliver yet more of the same.

Enterprise security attacks are becoming more targeted and harder to find than ever before, but if effort is only put in on an ad-hoc basis, a security team is only going to get ad-hoc results. Preventing attacks is not easy, but security professionals can learn how to better respond to attacks within a network through implementing predefined procedures.

So how can this be done? How can analysts work most efficiently and become the 'needle within the needles', finding the priority threats in a haystack of data?

In other words, as it becomes more difficult to prevent attacks, security professionals must do a better job responding by reducing attackers’ free time within the network, getting to the root cause faster, and learning from each attack to reduce future risk.

The big question is: How can IT directors ensure that their analysts accomplish these things and, subsequently, pinpoint which threats they should be spending time on? There are five key tactics that will help directors improve their incident readiness and response and reduce risks early on, which they can then share with their analysts.

1. Clearly define analysts’ roles and responsibilities

If everyone in an IT department is a potential incident responder, this can lead to no one having clear responsibilities, which potentially results in confusion, inconsistent processes, and no clear priorities. Worst of all, nobody may respond to an incident because each person assumes someone else is doing so.

For an organisation to be at its most effective, roles and responsibilities should be clearly defined, and the management of security devices, incidents, and security data and analysis should be differentiated. Directors should deploy tiered and specialised staff with the flexibility to quickly ramp up their incident response teams.

2. Enhance training on avoiding advanced threats

One way of putting these teams to the test is for IT directors to improve training by conducting internal phishing attacks. Following on from this, organisations can then relay this information to their analysts and learn from how easy or hard it was for the attack to succeed. This can be an effective way to drive healthy competition and encourage attention and compliance by seeing which departments and teams can best see through an attack.

3. Formalise response processes and procedures

In security, as in so many other areas, ad-hoc efforts lead to ad-hoc results, which can leave dangerous gaps in an organisation’s defences. Predefined, monitored, and enforced workflows help ensure accountability and consistency and can be more easily tracked to improve an organisation’s security posture over time.

4. Improve formalised incident response tracking/workflow

It can be very difficult to provide governance or properly track how analysts are handling incidents, and whether the process is improving over time. A more effective system should be highly customisable to drive an organisation’s incident response process from alert collection to incident creation and escalation, through triage, containment, analysis, and remediation. Such a tool should integrate with other security platforms to automatically create tickets based on alerts from them. It should also allow the organisation to apply custom prioritisation/severity ratings to incidents, and to enrich tickets with internal data such as asset information and criticality ratings, as well as external data such as domain and blacklist information. The tool should also allow the organisation to adjust the priority ratings based on new data about risks and vulnerabilities.
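The alert-to-ticket workflow described above, as an added illustration rather than any vendor's product: an alert from another platform becomes a ticket, is enriched with internal asset criticality and an external domain blacklist, receives a priority rating, and can be re-rated when new vulnerability data arrives, with every change recorded for audit. The asset inventory, blacklist domain, scoring weights and sample alerts are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for an asset inventory (internal data) and a domain
# blacklist feed (external data). The domain is a placeholder, not a real indicator.
ASSET_CRITICALITY = {"db-prod-01": 5, "hr-laptop-17": 3, "kiosk-lobby": 1}
DOMAIN_BLACKLIST = {"bad-updates.example"}
DEFAULT_CRITICALITY = 2  # an asset missing from inventory is treated as medium, and flagged


@dataclass
class Ticket:
    host: str
    domain: str
    alert_severity: int            # 1..5 as reported by the source platform
    asset_criticality: int = 0     # internal enrichment
    on_blacklist: bool = False     # external enrichment
    priority: int = 0              # 1..5, recomputed by reprioritise()
    history: list = field(default_factory=list)  # (reason, priority) audit trail


def reprioritise(t: Ticket, reason: str, vuln_exposed: bool = False) -> Ticket:
    """Recompute the 1..5 priority from severity, criticality and enrichment.

    Base score is the rounded-up mean of alert severity and asset criticality,
    so a low-severity alert on a crown-jewel asset still ranks high. Blacklist
    hits and newly known exposed vulnerabilities each add one level.
    """
    score = (t.alert_severity + t.asset_criticality + 1) // 2
    score += 1 if t.on_blacklist else 0
    score += 1 if vuln_exposed else 0
    t.priority = max(1, min(5, score))
    t.history.append((reason, t.priority))
    return t


def create_ticket(alert: dict) -> Ticket:
    """Turn a raw alert from an integrated platform into an enriched, rated ticket."""
    t = Ticket(alert["host"], alert["domain"], alert["severity"])
    t.asset_criticality = ASSET_CRITICALITY.get(t.host, DEFAULT_CRITICALITY)
    t.on_blacklist = t.domain in DOMAIN_BLACKLIST
    return reprioritise(t, reason="initial enrichment")


def triage_queue(tickets: list) -> list:
    """Order the work queue so analysts pick up the highest-priority ticket first."""
    return sorted(tickets, key=lambda t: -t.priority)


if __name__ == "__main__":
    queue = triage_queue([
        create_ticket({"host": "db-prod-01", "domain": "cdn.example", "severity": 2}),
        create_ticket({"host": "kiosk-lobby", "domain": "bad-updates.example", "severity": 4}),
    ])
    for t in queue:
        print(t.priority, t.host, t.history)
```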

5. Focus on Cyber Threat Intelligence

To move beyond simply reacting to new threats, organisations need an early warning system so they can take appropriate actions against even the most sophisticated threats. Cyber threat intelligence can help security professionals identify potential threats more quickly.

Because security breaches cause massive damage to organisations’ reputations and bottom lines, an IT department needs consistent, measurable improvements in security response over time. Fine-tuned people, processes, and technology can limit the damage quickly when a security incident occurs. Getting ahead of, rather than just responding to, security threats turns the security staff from reactive first responders into strategic partners in the long-term health of the enterprise, and this is achievable.

The above procedures are a must-have for organisations in the fight against the growing sophistication of cyber threats. It’s imperative that organisations are proactive. Cyber criminals like to stay on the cutting edge and security analysts must stay right on that edge with them in order to protect sensitive data.

Colby DeRodeff, ThreatStream