In many cases it’s turning out that the only thing uglier than the malware organizations are being plagued with may very well be the way they respond to those attacks. Two separate studies published this week suggest there’s a lot of room for improvement in how organizations go about investigating and responding to a potential security breach.

Both studies suggest that SIEM platforms are seriously flawed. While it’s important to have something that functions as a system of record for tracking and analyzing security breaches, SIEM platforms wind up generating massive numbers of alerts that each need to be investigated. Inevitably, alert fatigue sets in as the IT organization becomes inured to those alerts. Lost in that steady stream of alerts, of course, is the warning that a major IT security incident is in fact in progress; and that assumes the organization can find, and then afford to hire, someone with the expertise needed to make sense of those alerts in the first place. Before too long the IT organization is left trying to explain to the board that, despite the investments made in IT security, there was still a security breach that inflicted hundreds of thousands of dollars in damage.
To break that vicious IT security cycle, IT organizations clearly need to be able to quickly triage alerts as part of a well-defined incident response plan. That plan needs to provide a strategy for containing potential threats in a way that is as little disruptive to the business as possible. It’s simply not practical for most organizations to isolate multiple systems that might be infected several times a day. When malware is discovered, IT organizations first need to determine the severity of the threat; that determination then dictates a more informed response that minimizes disruption to the business.
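The triage step the article calls for can be made concrete. The following is an added illustration, not code from the article or from either study it cites: it collapses duplicate SIEM alerts per host, scores each host by the strength of the distinct indicators that fired, and maps the score to a response tier so that full isolation is reserved for the highest-severity cases. The alert format, the rule names, the weights and the tier thresholds are all constructed assumptions for the example; a real deployment would take them from the organization's own SIEM content and incident response plan.

```python
"""Severity-based triage of SIEM alerts (added example, not from the article).

Duplicate alerts are collapsed per host, distinct indicators are weighted and
combined into one score, and the score selects a containment tier.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample alerts in a simplified "timestamp|host|rule|confidence" format.
SAMPLE_ALERTS = """\
2024-01-01T09:00:00|ws-17|av_signature_match|0.9
2024-01-01T09:00:05|ws-17|av_signature_match|0.9
2024-01-01T09:01:10|ws-17|outbound_c2_beacon|0.8
2024-01-01T09:01:40|ws-17|credential_dump_tool|0.95
2024-01-01T09:02:00|ws-42|port_scan_internal|0.4
2024-01-01T09:02:30|srv-db01|failed_login_burst|0.5
2024-01-01T09:02:31|srv-db01|failed_login_burst|0.5
2024-01-01T09:02:32|srv-db01|failed_login_burst|0.5
2024-01-01T09:03:00|ws-08|av_signature_match|0.9
"""

# Hypothetical weights: how strongly each rule, on its own, indicates a real compromise.
RULE_WEIGHT = {
    "av_signature_match": 3,
    "outbound_c2_beacon": 4,
    "credential_dump_tool": 5,
    "port_scan_internal": 1,
    "failed_login_burst": 1,
}


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    confidence: float


def parse_alerts(text):
    """Parse the constructed pipe-delimited alert lines into Alert records."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, rule, conf = line.split("|")
        alerts.append(Alert(ts, host, rule, float(conf)))
    return alerts


def tier_for(score):
    """Map a host score to a response tier (thresholds are assumptions)."""
    if score >= 8:
        return "isolate"       # contain now: disconnect the host
    if score >= 2.5:
        return "investigate"   # analyst review before any disruptive action
    return "monitor"           # log and watch; no business disruption


def triage(alerts):
    """Return {host: {score, distinct_rules, raw_alerts, tier}} for the given alerts."""
    by_host = defaultdict(dict)   # host -> rule -> (count, max confidence)
    for a in alerts:
        count, conf = by_host[a.host].get(a.rule, (0, a.confidence))
        by_host[a.host][a.rule] = (count + 1, max(conf, a.confidence))

    result = {}
    for host, rules in by_host.items():
        # Each distinct rule counts once, weighted by indicator strength and confidence;
        # repeats of the same rule do not inflate the score (this is the dedup step).
        score = sum(RULE_WEIGHT.get(rule, 1) * conf for rule, (_, conf) in rules.items())
        # Several different indicators on one host is stronger evidence than one repeated.
        score *= 1 + 0.5 * (len(rules) - 1)
        result[host] = {
            "score": round(score, 2),
            "distinct_rules": len(rules),
            "raw_alerts": sum(cnt for cnt, _ in rules.values()),
            "tier": tier_for(score),
        }
    return result


if __name__ == "__main__":
    for host, info in sorted(triage(parse_alerts(SAMPLE_ALERTS)).items(),
                             key=lambda kv: -kv[1]["score"]):
        print(f"{host:10} score={info['score']:6} raw={info['raw_alerts']} "
              f"distinct={info['distinct_rules']} -> {info['tier']}")
```

On the constructed input, nine raw alerts reduce to four hosts; only ws-17, where three different indicators fired, reaches the isolate tier, while the repeated failed-login alerts on srv-db01 collapse to a single low-scoring indicator that is merely monitored. That is the shape of the decision the article describes: determine severity first, then choose the least disruptive response that severity allows.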