As you can see below, we have written a lot of research over the years, and it would be handy to have a roadmap for the readers. This is especially useful for organizations that are in the “OMG WHAT TO DO WITH ALL THIS CYBER?” phase of their security journey (which, BTW, is not that rare even in 2019 … yes, really!). So, Gartner GTP has a document type called a Solution Path that delivers just that!
Here is our “Solution Path for Implementing Threat Detection and Incident Response.” (Gartner GTP access required).
In the abstract, we say: “Increased complexity and frequency of attacks, along with historical overreliance on preventative controls, elevate the need for detection and incident response capabilities. This Solution Path helps technical professionals evolve the processes, tools and skills for performing these activities.”
My favorite quotes are below:
- “Detection technologies such as SIEM, EDR and NTA are effective only when use cases are appropriately defined, implemented and tuned. A process to manage security monitoring use cases is a prerequisite for the success of any detection capability.” [A.C. – naturally, the process is very lightweight for those just starting up]
- “Security architectures have evolved from a strong focus on preventative capabilities to a more balanced approach covering prevention, detection, response and prediction capabilities. The balanced approach recognizes that it is impossible to stop all attacks, and that detection and response must work efficiently to reduce the harm from successful attacks.” [A.C. – now, this is painfully obvious to you, my esteemed reader, but I assure you – this is NEW INSIGHT for a wide swath of IT organizations out there in the real world]
- “To start, Gartner recommends using your own security incident history, security incidents of your peers and regulatory pressure to justify initiating your detection and response effort.” [A.C. – as I pathetically whined before, we have seen examples where past incidents AT THEIR OWN organization were insufficient to motivate security improvements. In this fringe case, I suspect nothing will help until this org is literally hacked out of business]
- “Organizations must ensure that technology deployment keeps pace with growth in operational practice maturity.” [A.C. – what pithy things can I say here? 🙂 This one is kinda a big deal!]
- “Every threat detection and response practice requires at least basic, human-led alert triage processes to be in place.”
- “Whether it is a standing computer incident response team (CIRT) of 30 people or a single part-time responder, having a dedicated point of contact and, hopefully, a center of excellence for security incident response is essential today.”
- “Many organizations will never check if the security controls they put in place are actually working as intended. This approach does not work well today — in fact, it never really did.”
Other posts announcing paper publication:
- All My Research Published in 2018
- Our 2018 Update for “Endpoint Detection and Response Architecture and Operations Practices” Publishes
- Our “How to Operate and Evolve a SIEM Solution” Publishes
- Our “How to Architect and Deploy a SIEM Solution” Publishes
- Our 2018 Update to “How to Plan, Design, Operate and Evolve a SOC” Publishes
- The “How To Build a SOC” Paper Update is OUT! (by Augusto)
- New Paper Published: “How to Start Your Threat Detection and Response Practice”
- Our Threat Testing and BAS Papers Are Out!
- Our Security Orchestration and Automation (SOAR) Paper Publishes
- Our Updated MSSP and MDR Guidance Publishes