The cybersecurity landscape is changing at breakneck pace. The expansion of attack surfaces has resulted in a constantly shifting digital warzone, ‘short tail’ threats now help attackers lay the groundwork for more malicious campaigns, and the percentage of malicious attachments in spam is increasing globally. Organizations need to adopt a newer, more evolved form of incident management and response in the face of these attack mechanisms.
Here, we shall lay out four predictions for how user needs from security incident management will change in 2018 and beyond.
Customization Is King
With such a wide variety of attack types, indicators, and mechanisms prevalent today, incident response built on rigid, one-size-fits-all standardization may no longer be the ideal option. An incident management platform with a base of standardization and added layers of user customization is likely to be preferred amidst unpredictable attacks.
Customization options can include incident response standards (NIST, SANS, CERT, or custom standards), incident types, incident field types, indicator types, indicator field types, and more. This balance between standardization and customization will provide users with an easy learning and acclimatizing curve while starting out with the product, while also enabling them to craft their own tailored incident management suite with time.
Always Be Learning
Analysts and SOC Managers are so caught up with daily firefighting and moving from incident to incident that opportunities to learn from and improve upon IR processes remain unexplored. The incident management solutions of tomorrow will be intelligent enough to learn from analyst actions and provide actionable insights to improve both analyst-level and business-level response metrics.
For example, intelligent incident management solutions can suggest effective incident owners, analyst-task matches, commonly run security commands, and lean response procedures after studying a critical mass of similar incidents. This will ensure that SOCs keep sight of long-term improvements while also taking care of daily mitigation tasks.
To learn more about Demisto's incident management features, download the Demisto for Incident Management datasheet.
Everything Is Connected
Product proliferation is one of the main challenges facing SOCs today that is not a function of attackers. Analysts have to coordinate a vast security product suite while responding to incidents; this coordination involves repeated context and console switching that leads to ‘dead time’, shaving off vital seconds from incident response time.
In the coming years, incident management solutions that align strongly with other security functions will rise to the top of user needs. In particular, incident management solutions that can converge with threat intelligence functions and security orchestration capabilities will provide a one-stop console that analysts can leverage without dead time, thus streamlining response times and procedures.
As security becomes more pervasive across organizations, it becomes more necessary for solution providers to match organizational vagaries. The most pertinent among these vagaries is how an organization deploys its computing power. Companies may install some services on-premises, run other services in the cloud, and isolate the networks of different business segments to maintain security and compliance.
For an incident management solution to be successfully deployed across an organization, it must be flexible in its deployment options. Solutions that offer on-premise, cloud, and hybrid deployments are likely to be preferred. In addition, solutions that have three layers of isolation (data, execution, and network) with multi-tenancy will be able to adapt to the widest range of organizational architectures.
If you’d like to share any of your predictions for and needs from incident management in 2018, please leave a comment and let’s start a discussion!
If you are new to Demisto and interested in exploring our incident management features (among others), we invite you to sign up for the Demisto Free Community Edition below.