Last updated at Thu, 11 Jan 2018 15:34:34 GMT

When valuable time is spent on mundane tasks, it means that there isn’t enough for strategic planning or timely response to security events and incidents. That’s how threats go unnoticed and vulnerabilities remain open for days, weeks, or months at a time. With the cost of a data breach averaging $4 million, this can’t be ignored.

Every security team worth its salt wants to:

  • Prove their value by doing high-value and strategic work, and;
  • Catch threats before they wreak havoc.

But bad workflows can make that impossible. To enable our security teams to succeed, we need to first reduce roadblocks. The best place to start? Identifying workflow inefficiencies.

Rooting out inefficiencies can save your organization time and money while also shortening time-to-response. But first, those inefficiencies need to be found.

Here are three major signals that your security workflows are inefficient and in need of optimization:

1. People are Spending Significant Time on Repeatable Tasks

What tasks and workflows does your security team spend the most time on? Perhaps it’s performing file lookups and detonating malware, or investigating malicious attachments to detect a phishing attack.

Now ask yourself this: Could those tasks or workflows be performed automatically?

Any workflow that is common, repeatable, and doesn’t actually require human input is a good candidate for automation.

Repetitive, time-intensive tasks aren’t just inefficient. While your team may be reluctant to admit it, mundane, repetitive work is rarely rewarding, either. Not only can it bore your team to the point of attrition (remember the talent shortage?), it is not a good use of a valuable security professional’s time.

Repetitive tasks are also prone to a higher margin of error as employees become numb to the intricacies of a process and tune out the finer, yet critical, details. This can spell trouble when patching a vulnerability, tuning an alerting tool, or responding to myriad alerts — all routine tasks.

If a critical step is missed, a vulnerability can continue to linger and the doors can remain open to attackers.

By removing repeatable tasks from your employees’ plates, you empower them to focus on much more interesting work (rather than tasks that a machine can easily handle), which improves the accuracy of their work, and as a result, helps your organization get ahead of the curve.

2. Time-to-Response is Slow

If you’re not measuring your team’s time-to-response (TTR) on a regular basis, start today. A rising TTR is a major indicator that something is wrong, and a stable or falling one is confirmation that things are going well.

If over time you start to notice median TTR creeping up, examine your workflows for inefficiency and look for opportunities to automate.
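As an added example (not code from the original post), the following Python measures exactly the metric described above: median time-to-response per ISO week, computed from constructed incident records (detection timestamp and first-response timestamp), and flags weeks whose median has crept above a baseline. The baseline, the 1.5x tolerance and the incident data are assumptions for illustration; a real team would feed this from its ticketing or SIEM export.

```python
from datetime import datetime
from statistics import median

# Constructed sample data: (incident id, detected-at, first-response-at), ISO 8601.
# Week 1 is quick, weeks 2 and 3 show TTR creeping up.
SAMPLE_INCIDENTS = [
    ("INC-1", "2018-01-01T09:00:00", "2018-01-01T09:20:00"),
    ("INC-2", "2018-01-02T14:00:00", "2018-01-02T14:30:00"),
    ("INC-3", "2018-01-04T11:00:00", "2018-01-04T11:45:00"),
    ("INC-4", "2018-01-08T10:00:00", "2018-01-08T10:40:00"),
    ("INC-5", "2018-01-10T16:00:00", "2018-01-10T17:00:00"),
    ("INC-6", "2018-01-12T08:00:00", "2018-01-12T08:50:00"),
    ("INC-7", "2018-01-15T09:00:00", "2018-01-15T10:30:00"),
    ("INC-8", "2018-01-17T13:00:00", "2018-01-17T15:00:00"),
    ("INC-9", "2018-01-19T12:00:00", "2018-01-19T13:15:00"),
]


def response_minutes(detected_at: str, responded_at: str) -> float:
    """Minutes between detection and first response for one incident.

    A response recorded before detection is a data-quality bug, not a
    negative TTR, so it is rejected rather than silently averaged in.
    """
    detected = datetime.fromisoformat(detected_at)
    responded = datetime.fromisoformat(responded_at)
    delta = responded - detected
    if delta.total_seconds() < 0:
        raise ValueError(f"response precedes detection: {detected_at} > {responded_at}")
    return delta.total_seconds() / 60


def weekly_median_ttr(incidents) -> dict:
    """Median TTR in minutes, keyed by (ISO year, ISO week) of detection.

    Median rather than mean: one multi-day incident should not hide a
    shift in the typical response time.
    """
    buckets: dict = {}
    for _, detected_at, responded_at in incidents:
        iso = datetime.fromisoformat(detected_at).isocalendar()
        key = (iso[0], iso[1])
        buckets.setdefault(key, []).append(response_minutes(detected_at, responded_at))
    return {week: median(values) for week, values in sorted(buckets.items())}


def weeks_above_baseline(weekly: dict, baseline_minutes: float, factor: float = 1.5) -> list:
    """Weeks whose median TTR exceeds the baseline by more than `factor`.

    The baseline would normally be the median over a known-good period;
    the 1.5x tolerance is an assumed threshold, tune it to your team.
    """
    return [week for week, minutes in weekly.items() if minutes > baseline_minutes * factor]


if __name__ == "__main__":
    weekly = weekly_median_ttr(SAMPLE_INCIDENTS)
    for week, minutes in weekly.items():
        print(f"{week[0]}-W{week[1]:02d}: median TTR {minutes:.0f} min")
    print("creeping weeks:", weeks_above_baseline(weekly, baseline_minutes=30))
```

Run it weekly against your own incident export; the flagged weeks are where to go looking for the workflow step that is soaking up the time.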

Automation can both optimize workflows for efficiency (meaning your team can respond faster) and ensure nothing important falls between the cracks (meaning a much improved security posture). With automation, your team should be able to get ahead of security incidents, achieving a proactive (instead of reactive) security posture.

3. Alerts are Piling Up, or Slipping Through the Cracks

Alert fatigue is a serious issue in the security world today and requires serious attention.

The human brain can deeply analyze only so many things in a day. When alerts arrive by the hundreds, an analyst’s concentration drops as exhaustion sets in and it becomes hard to give each alert real attention. Cognitive overload follows, and that is how alerts slip through the cracks.

Expensive and dangerous, alert fatigue needs to be addressed in every organization to reduce inefficiency and waste and, ultimately, to improve the company’s security posture.

Automation can speed up the process of triaging an alert (e.g. receive the alert, perform file lookups, enrich it with additional data, and separate false positives from true positives) and take the manual work out of the equation. That way, your most valuable resources can focus only on the alerts that really matter.
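The triage pipeline just described, as an added example rather than code from the original post: each alert is enriched with a file-hash reputation lookup and sender-domain checks, then routed to one of three queues. Only verdicts that need no judgement are made automatically (known-bad hash or intel-listed sender escalates; known-good hash from an allowlisted sender auto-closes); everything else goes to an analyst, keeping a human in the loop for the ambiguous cases. The reputation table, allowlist, intel set and the sample alerts are all constructed for illustration, and the hashes are digests of fixed sample bytes, not real indicators.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed reputation data standing in for the file-lookup and threat-intel
# services a real pipeline would query. Hashes are derived from fixed sample
# bytes so they are reproducible; they are not real malware indicators.
SAMPLE_MALICIOUS = hashlib.sha256(b"constructed-malicious-sample").hexdigest()
SAMPLE_BENIGN = hashlib.sha256(b"constructed-benign-installer").hexdigest()
SAMPLE_UNKNOWN = hashlib.sha256(b"constructed-never-seen-file").hexdigest()

FILE_REPUTATION = {SAMPLE_MALICIOUS: "malicious", SAMPLE_BENIGN: "benign"}
TRUSTED_SENDER_DOMAINS = {"vendor.example"}    # assumed internal allowlist
INTEL_MALICIOUS_DOMAINS = {"evil.example"}     # assumed intel feed entries


@dataclass
class Alert:
    alert_id: str
    source: str                 # e.g. "email-gateway", "edr"
    sha256: str                 # hash of the attachment or dropped file
    sender_domain: str = ""     # empty for non-email sources
    enrichment: dict = field(default_factory=dict)
    verdict: str = "pending"
    reasons: list = field(default_factory=list)


def lookup_hash(sha256: str) -> str:
    """File lookup: 'malicious', 'benign' or 'unknown'. Case-insensitive."""
    return FILE_REPUTATION.get(sha256.lower(), "unknown")


def enrich(alert: Alert) -> Alert:
    """Attach the facts an analyst would otherwise fetch by hand."""
    alert.enrichment["hash_reputation"] = lookup_hash(alert.sha256)
    alert.enrichment["sender_trusted"] = alert.sender_domain in TRUSTED_SENDER_DOMAINS
    alert.enrichment["sender_in_intel"] = alert.sender_domain in INTEL_MALICIOUS_DOMAINS
    return alert


def triage(alert: Alert) -> Alert:
    """Route to true_positive, false_positive or needs_analyst.

    Auto-close is deliberately conservative: a benign hash alone is not
    enough, because the lure around a clean attachment can still be a phish.
    """
    enrich(alert)
    rep = alert.enrichment["hash_reputation"]
    if rep == "malicious":
        alert.verdict, reason = "true_positive", "hash is known malicious"
    elif alert.enrichment["sender_in_intel"]:
        alert.verdict, reason = "true_positive", "sender domain on intel feed"
    elif rep == "benign" and alert.enrichment["sender_trusted"]:
        alert.verdict, reason = "false_positive", "known-good file from allowlisted sender"
    else:
        alert.verdict, reason = "needs_analyst", f"hash {rep}, sender not allowlisted"
    alert.reasons.append(reason)   # audit trail for whoever reviews the decision
    return alert


def run_triage(alerts) -> dict:
    """Triage every alert and return alert ids grouped by verdict."""
    queues = {"true_positive": [], "false_positive": [], "needs_analyst": []}
    for alert in alerts:
        queues[triage(alert).verdict].append(alert.alert_id)
    return queues


def make_sample_alerts() -> list:
    """Constructed alert batch covering each routing branch."""
    return [
        Alert("A-1", "email-gateway", SAMPLE_MALICIOUS, "random.example"),
        Alert("A-2", "email-gateway", SAMPLE_BENIGN, "vendor.example"),
        Alert("A-3", "edr", SAMPLE_UNKNOWN),
        Alert("A-4", "email-gateway", SAMPLE_BENIGN.upper(), "evil.example"),
        Alert("A-5", "email-gateway", SAMPLE_BENIGN, "partner.example"),
    ]


if __name__ == "__main__":
    for verdict, ids in run_triage(make_sample_alerts()).items():
        print(f"{verdict:15s} {ids}")
```

The point of the `reasons` list is that automation must stay auditable: when an analyst later questions an auto-closed alert, the recorded reason is what lets them tune the rule rather than distrust the whole pipeline.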

Course-Correcting Security Workflows

Often, workflows become deeply ingrained in the way a team functions and it becomes hard to imagine another way. In other cases, teams know that workflows need to be improved but simply don’t think they have the time to devote to it.

But so much time can be saved by optimizing workflows that the benefits far outweigh the effort of getting there. Especially given the scale of today’s security threats, security teams deserve the attention it takes to make their work more efficient and more rewarding.

We encourage you to take a look at our latest eBook that highlights all of the best practices for security automation, compiled by our team of security veterans.

This ebook explains the kinds of security processes to automate, when to automate one, how to automate it, and when to add human analysis into the loop. We think it’s one of the most practical guides out there to security automation.