Secdo Blog

Break the IR Bottleneck

With all of the focus on threat detection technology, it’s not surprising that incident response, which is primarily handled by human experts, is becoming the new bottleneck. In his recent article, John Oltsik at ESG shared statistics that at 27% of enterprises, at least 50% of incident response time is spent on manual processes – and an overwhelming 93% believe that their incident response efficiency and effectiveness is limited by the time and effort required for manual processes.

To address the problem, a growing number of vendors are developing incident response solutions. Their primary focus is on orchestrating the repetitive components of incident response through system integration. This has the double benefit of saving time that could be better spent elsewhere, and enforcing best practices on the level of the organization and the industry as a whole.

But we think that process automation, while important, is not the heart of the problem. There is a reason why incident response is the last part of the cyber ecosystem to be addressed with technology – it’s the hardest. It’s the place where routine inquiries and operations are not enough. It’s the place where, once the automated prevention and detection technologies have done their best, questions go to find answers.

Getting to the bottom of an incident is a complex process. True, a lot of time is spent simply on gathering information, finding out the full context in terms of endpoint and server activity, network connections, data accessed, and so on. Much of this can and should be automated, ideally through continuous recording and data collection on every endpoint and server, and sometimes the network as well. But the next step – finding the connections between the data points in order to construct the attack chain and the subsequent scope and consequences of the infection – require creativity, skill, and time.

The experts who can perform this kind of incident investigation are in short supply. We repeatedly hear from customers that they are delaying deployment of new security products, not because they don’t believe they will work, but because they don’t have enough experts to operate them.

That’s why at SECDO we are going a step beyond process orchestration to address the tough analytics that are only performed by Tier 2 and Tier 3 analysts in the SOC. SECDO continuously collects the most granular information about OS-level endpoint and server activity, and correlates it with alerts from the SIEM and threat intelligence databases. So there is no need to start automating data collection processes retroactively.

Using unique Causality Analytics algorithms, SECDO identifies the chain of events connected to every suspicious behavior, alert or lead. With SECDO, any IT professional can instantly visualize the forensic timeline that reveals all of the key information – such as processes, connections, files, alerts, and endpoint behaviors – behind any event. The result is that no alert goes unchecked. No early warning signs are ignored. And the experts are available to handle the most sensitive cases.

See for yourself. Contact us to schedule a demo of the SECDO platform today.