Increasing Flexibility and Capability of your IR Resources

By Adam Meyer, Threat Analysis Advisor, King and Union

In the first two parts of our three-part series highlighting key findings of the 2019 SANS Incident Response Survey, we discussed the need for orchestration and offered some thoughts on better understanding the value that your IR process is actually delivering. In this post we will talk about something that is always a challenge: resources.

The SANS survey mentions that:

“Once again, a shortage of staffing and skills (57%) and a lack of budget for tools (48%) continue to reign as the key impediments to effective incident response. In fact, 57% of respondents identified staffing shortages and skills shortages as the primary impediment.”

This shouldn’t be a shock to anyone who has overseen any type of operational environment. This ongoing challenge is why there is such a heavy desire for industry investment in AI and ML technologies to try to take some of the burden off of the human workforce. As I mentioned in our first post, you need to bring in experts who can evaluate event data and determine whether an alert is a true positive or not. However, as we all know, and as the SANS survey results reinforce, that expertise is costly, in high demand, and, depending on your geographic region, can also be difficult to find.

This translates into a situation where you have very large amounts of data to sift through, which must be evaluated in a timely manner, by a workforce that is costly, hard to find, and likely burned out. Contributing to the problem is the view in some organizations that staffing up in this area drains resources from other areas of the business where they could be spent on efforts that show a more immediate value to decision makers.

It is not uncommon for organizations to view security as a cost center that draws resources away from the parts of the business that generate value, such as product-oriented revenue centers. This is not a new problem, nor one that technology on its own will solve in the immediate future. However, technology can lighten the impact.

“How much capability do I get per dollar spent?”

This is the question I’ve often asked when thinking about resources. As organizations rush to throw more funding at the next generation of tools, many are not in a position to leverage those tools to their full potential. Costs climb as they realize they’ve bitten off more than they can chew, usually because they lack the expertise on hand to reach the tool’s full capability. From an IR/SOC perspective, this directly impacts what we have written about in past posts: the ability (or inability) to compress the orient and decide phases of the OODA loop.

To combat these issues, some organizations have moved to a “co-managed” style of SOC/IR operations. There are differing terms for this space, whether MSSP, SOC-as-a-Service, or co-managed, and there is certainly debate about what adds value and what does not. For this example, however, I will focus on co-managed. In simple terms, a co-managed SOC/IR capability is one where you own and retain command and control of the monitoring gear and the data, and you outsource expertise to help you run it.

Avalon is built to support a co-managed style of operations. When an event occurs, a defender needs to determine whether it is a true positive. If it is, a case is opened and the relevant internal and external data is brought into the collaboration space for analysis. Depending on the event, you may or may not have the expertise on staff to perform a timely and detailed analysis, or have the skillsets readily available to support response efforts. Do you have relationships with third-party incident responders? Do you belong to entities such as Information Sharing and Analysis Centers (ISACs)? If you do, how quickly can you bring them into the situation? How do you share with them? How do they see the whole picture of what you are facing in a platform that is easy to collaborate in? With the Avalon platform, you can create trusted users and bring this outside expertise into your organization to share information and collaborate on your investigations as needed.

If you don’t have these relationships in place, I highly suggest that you build them. From a business perspective, it may be significantly cheaper than hiring full-time staff to place multiple SOC/IR providers on contract, on your terms and conditions and with sharing limits that you define up front, and then bring them into the fold only when you really require their expertise for particular events. This gives you more leverage in “getting more capability per dollar spent,” since the budget that would have gone to keeping full-time staff in place can be redirected to higher-impact efforts.

Now is always a good time to ask “how much capability do I get per dollar spent?” Where is your expertise? How does collaboration happen? How are you managing your resources to be as effective and capable as possible? Whether external expertise is part of your team or the team is 100% internal, in reality every event is “co-managed” among several groups. Avalon was built for this purpose: to enable teams to collaborate and share information easily, both across your own internal teams and with outside resources such as ISACs or outside experts. Give it a look and see how it can increase the flexibility and capability of your SOC/IR program.

Click here to try Avalon free for 45 days and see for yourself how it can help you get the most out of your current resources. If you create an account by October 31st, you’ll even be entered to win a cool Rad Power Bike!