
Jeskell Security Blitz: Security Gap #2 - No or Slow Workflow Plan

May 23, 2017 1:06:00 PM | Security

As threats increase and organizations rely more heavily on IT infrastructure, even a Security Information Event Manager (SIEM) may not be enough. While a SIEM can tell you what's happening, it can't control responses. Every organization is different, but many mature organizations still use manual processes to respond to and remediate incidents.

That manual process can be a binder under an incident responder's desk or a service ticketing and workflow system that has been painstakingly and expensively customized. Neither method is an efficient use of time, and neither is an effective way to respond to critical security threats.

Incident Response Platform - What It Is and Why You Need It
Moving to the next level of security proficiency requires an organization to leverage an Incident Response Platform (IRP). Where a SIEM analyzes and informs, the IRP directs workflow and allows control. An IRP depends on a SIEM to first generate an actionable security event. When the SIEM triggers that event, the IRP automatically opens a workflow plan based on the incident characteristics and according to the Standing Operating Procedure (SOP) and any regulatory processes required by law.

All of these items do require configuration ahead of time, so there is an upfront time cost. But that initial cost is dwarfed by the time saved in responding to security incidents. IBM acquired Resilient, an IRP company, in 2016, but before they owned Resilient, they were a customer. Before Resilient, IBM had an average of 25 days from the opening of a security incident through closure. After implementing Resilient, that average dropped to 5 days.

IBM Resilient
Resilient is the only IRP that Jeskell currently recommends, because it is the only one on the market with the technical maturity to justify implementation. It has bi-directional integration capabilities, which allow incident responders not only to complete the workflow but also to control external systems during the workflow process. So when a malicious attack comes in from an IP address, an incident responder can direct IPS devices to block the offending IP from the same Resilient screen on which they are viewing the report. Without an IRP, that same responder would have to populate a security ticket, review the information in the SIEM, and then access yet another UI to direct the IPS device to block the IP.

Benefits of Resilient
Resilient can provide centralized control, management visibility, and powerful collaboration tools, as well as keep audit trails. It fills the gap between identifying and remediating and moves organizations from maturing to proficient security operations.
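To make the SIEM-to-IRP flow described above concrete, here is an added example (not Jeskell's or IBM Resilient's code, and not the Resilient API) of the three pieces the post names: a SIEM event triggers a workflow plan chosen by incident characteristics and SOP, one step of that plan drives an external IPS through a connector, and every step lands in an audit trail. The event, the SOP table, the regulatory rule for PCI-tagged assets, and the `ips_block` connector are all constructed for illustration.

```python
"""Minimal IRP-style playbook dispatcher (illustrative, not a real product API)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class SiemEvent:
    """Constructed shape of an actionable event a SIEM might hand to an IRP."""
    event_id: str
    category: str       # e.g. "malware", "brute_force"
    severity: int       # 1 (low) .. 5 (critical)
    source_ip: str
    asset: str
    asset_tags: List[str] = field(default_factory=list)


@dataclass
class Task:
    name: str
    automated: bool = False   # True: IRP executes it via a connector
    done: bool = False
    result: Optional[str] = None


@dataclass
class Incident:
    event: SiemEvent
    playbook: str
    tasks: List[Task]
    audit: List[str] = field(default_factory=list)

    def log(self, msg: str) -> None:
        # Audit trail: timestamped, append-only record of what happened and why.
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append(f"{ts} {self.event.event_id} {msg}")


# SOP encoded as data: (category, minimum severity) -> ordered task list.
# Hypothetical SOP; a real one is written by the organization.
SOP: Dict[str, List[Task]] = {
    "malware-high": [
        Task("block source IP at IPS", automated=True),
        Task("isolate affected host"),
        Task("collect memory image"),
    ],
    "malware-low": [Task("triage alert"), Task("scan affected host")],
    "brute_force": [Task("block source IP at IPS", automated=True),
                    Task("force password reset for targeted accounts")],
    "generic": [Task("analyst triage")],
}


def select_playbook(ev: SiemEvent) -> str:
    """Pick the SOP playbook from the incident characteristics."""
    if ev.category == "malware":
        return "malware-high" if ev.severity >= 4 else "malware-low"
    if ev.category == "brute_force":
        return "brute_force"
    return "generic"


def regulatory_tasks(ev: SiemEvent) -> List[Task]:
    """Hypothetical regulatory overlay: PCI-tagged assets need a notification step."""
    return [Task("notify PCI compliance officer")] if "pci" in ev.asset_tags else []


def open_incident(ev: SiemEvent, ips_block: Callable[[str], bool]) -> Incident:
    """Open the workflow plan and run its automated steps through the IPS connector."""
    name = select_playbook(ev)
    # Copy tasks so the SOP table is never mutated by a running incident.
    tasks = [Task(t.name, t.automated) for t in SOP[name]] + regulatory_tasks(ev)
    inc = Incident(ev, name, tasks)
    inc.log(f"opened playbook={name} category={ev.category} severity={ev.severity}")
    for t in inc.tasks:
        if not t.automated:
            inc.log(f"queued manual task: {t.name}")
            continue
        ok = ips_block(ev.source_ip)          # bi-directional integration step
        t.done, t.result = ok, ("blocked" if ok else "connector error")
        inc.log(f"automated task '{t.name}' -> {t.result} ({ev.source_ip})")
    return inc


class FakeIps:
    """Stand-in for an IPS connector; records the addresses it was asked to block."""
    def __init__(self) -> None:
        self.blocked: List[str] = []

    def block(self, ip: str) -> bool:
        self.blocked.append(ip)
        return True


if __name__ == "__main__":
    ips = FakeIps()
    ev = SiemEvent("EV-1001", "malware", 5, "198.51.100.23", "pos-07", ["pci"])
    inc = open_incident(ev, ips.block)
    print(*inc.audit, sep="\n")
```

The point of the shape is that the SOP is data, the automated step is a connector call the responder never has to reach a second UI for, and the audit list is the record an auditor or manager reads afterward.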

Joseph Swartz
