
Intel's Research Shows Collaboration Improves SecOps And Threat Mitigation

Source: Tom's IT Pro

A recent research report, conducted by Intel, shows that collaboration can have a significant positive impact on the effectiveness of an organization's security operations and threat management.

Taken at face value, the idea that collaboration among disparate security and IT teams improves responses to security threats appears incongruous. However, Intel's recent research, which included a survey of 565 security practitioners and decision makers worldwide, shows that team collaboration not only improves preparedness but also helps overcome skill shortages. Intel's report points out that collaboration can have a significant impact on the effectiveness of threat management.

The survey was conducted by an anonymous third party, whose message to survey participants was that their responses were being collected to better understand the market for advanced threat and incident management. Intel's report analyzing the survey's findings is available here.


SecOps Optimization Through Collaboration

We spoke with Tory Campbell, CTO of Endpoint Security at Intel, and Barbara Kay, Director of Product Marketing for Intel Security, and asked how much more effective security would be if there were good communication between security architects, engineers, analysts, incident response teams and endpoint specialists. Based on the survey, the prediction is that collaboration would lead to a 38 to 100 percent improvement, and larger organizations predicted much bigger improvements. Collaboration on these events refers not just to analysts and Security Operations Center (SOC) personnel, but also to endpoint administrators and network administrators.

Fig. 1. Survey results of organizational responsibility for six different areas of threat management.

Intel first looked at who has responsibility for incidents, broken out by task, as shown in Figure 1. Later results showed that the most productive work occurred when there was collaboration between all parties involved.
Fig. 2. Incident response-related remote actions rated according to organizational importance.

As the number of threats and incidents increases, lack of sufficient organizational resources becomes a huge challenge. Remote and automated operations significantly extend the ability to manage far-flung resources. Figure 2 shows survey results of how organizations judge the importance of remote actions.

Automating Security

Intel also looked at automation of security-related tasks, and the SecOps teams' willingness to use it. Automation for well-defined, selective tasks has increased since a prior survey, which was conducted three years ago. The example given for full automation was a task such as clearing of cache or cookies, whereas cross-product orchestration would be semi-automated, requiring the intervention of an analyst.

Fig. 3. Survey results of permitted automation for each listed function.

Previously, automation had not been utilized by many incident responders because of the critical nature of most investigations. Drivers to move towards accepting more automation for less critical, routine tasks include increased tool reliability and more assigned investigations.

Use of advanced threat management tools led to a twofold increase in the number of investigations. This is a result of better visibility: more tools (within bounds) yield better detection, so the load on responders increases.

Fig. 4. Time spent by survey participants on incident response activities.

The most popular metrics used to measure progress after advanced threat and incident management (ATIM) deployment involve time: time to detect, time from detection to containment, and time from containment to remediation.

Note that detection, containment, and remediation take nearly equal time, but remediation takes slightly longer. One anomaly noted in Intel's report was Germany, which took, on average, only 5 to 10 hours for detection, half the average of other countries' time.
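The three time metrics named above (plus the overall detection-to-return-to-health figure the report quotes) are easy to compute from an incident timeline. The following is an added example, not code from Intel or Tom's IT Pro; the field names and the sample incidents are constructed, and open incidents are excluded per-metric rather than counted as zero.

```python
"""Per-incident and mean phase durations: time to detect, detection to
containment, containment to remediation, detection to return to health."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

@dataclass
class Incident:
    incident_id: str
    first_malicious_activity: datetime    # earliest evidence of compromise
    detected: datetime                    # alert raised / confirmed by analyst
    contained: Optional[datetime] = None  # spread stopped (isolation, blocking)
    remediated: Optional[datetime] = None # returned to health

def hours(start: datetime, end: datetime) -> float:
    return round((end - start).total_seconds() / 3600, 2)

def phase_metrics(inc: Incident) -> dict:
    """Phase durations in hours; None for phases the incident has not reached."""
    m = {"time_to_detect": hours(inc.first_malicious_activity, inc.detected)}
    m["detect_to_contain"] = hours(inc.detected, inc.contained) if inc.contained else None
    m["contain_to_remediate"] = (hours(inc.contained, inc.remediated)
                                 if inc.contained and inc.remediated else None)
    m["detect_to_health"] = hours(inc.detected, inc.remediated) if inc.remediated else None
    return m

METRICS = ("time_to_detect", "detect_to_contain", "contain_to_remediate", "detect_to_health")

def aggregate(incidents) -> dict:
    """Mean of each metric over incidents that reached that phase.
    Open incidents are skipped per-metric, not treated as zero, so they
    do not drag the averages down."""
    per = [phase_metrics(i) for i in incidents]
    out = {}
    for key in METRICS:
        vals = [p[key] for p in per if p[key] is not None]
        out[key] = round(mean(vals), 2) if vals else None
    out["open_incidents"] = sum(1 for i in incidents if i.remediated is None)
    return out

# Constructed sample timeline (hypothetical incidents, not survey data)
T = datetime.fromisoformat
SAMPLE = [
    Incident("INC-1", T("2016-03-01T08:00"), T("2016-03-01T18:00"),
             T("2016-03-02T06:00"), T("2016-03-03T10:00")),
    Incident("INC-2", T("2016-03-04T00:00"), T("2016-03-04T06:00"),
             T("2016-03-04T20:00"), T("2016-03-06T12:00")),
    Incident("INC-3", T("2016-03-07T12:00"), T("2016-03-08T00:00"),
             T("2016-03-08T04:00")),  # contained but not yet remediated
]
```

Running `aggregate(SAMPLE)` gives the mean of each phase across only the incidents that reached it, with the still-open incident counted separately.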


Breaking New Ground In SecOps Effectiveness

Other key findings from the report include:

  • The average number of detection tools per organization was 4.
  • 1 out of 5 respondents reported using between 6 and 16 tools, which is more challenging, because with more tools there is a greater chance to miss an event. Data must be transferred between tools, creating an opportunity for lost information.
  • Those with only 1 to 2 tools also missed events, both because adequate processes weren't in place, and because of insufficient tool overlap.
  • On average, it takes 64 hours per security investigation, from detection to a return to health.
  • More than 4 out of 5 organizations either have deployed or are piloting an ATIM solution.

Organizational boundaries introduce natural barriers to collaboration; however, proper tools can break through these boundaries. Siloed tools benefit no one in the threat management teams and thwart collaboration efforts. Used properly, ATIM tools may extend the opportunity for collaboration, improving SecOps effectiveness, as Intel's report illustrates.

In recent years, data science for security incidents has become big business. And scrutiny of all incident data means incorporating analysts and other professionals into the Observe, Orient, Decide, Act (OODA) loops. And new tools and techniques allow analysts to do that integration seamlessly.

Intel's research is able to break new ground because it seeks to understand how to measure, and then improve, incident response and threat mitigation in organizations. It helps make sense of data that cannot be clearly compared side by side, as no two security incidents are the same. Being able to show the impact of collaboration in these situations is key. In IT security, much is driven by knowing what everyone on your team is doing, adapting ideas that work at other organizations, and using best practices developed by leaders in the field, like Intel, who utilize collected intelligence.

Collaboration connects people, processes, and technology across events, data, and systems. Since incident response and threat management are complex and involve multiple roles, collaboration may indeed improve execution and reduce errors through implementing workflows, scripts, and automation.