One of the new ideas we had for a 2019 research paper is something clients often (well, often-ish) ask about: what to do if you encounter a particular threat or a particular type of incident? A sort of playbook for confirming, investigating and responding to a particular threat type.
Naturally, most threats in real life would be relatively mundane and – here I will make a faux pas and call “a threat actor” a threat – not of the “OMG I MET A GOTHIC PANDA IN A DARK ALLEY” variety. You know, of the non-targeted / non-APT variety. So the list of situations is finite and easily enumerable.
Now, admittedly, SOAR vendors are doing this, with a modicum of success. But even their playbooks suffer from the problem below, and few if any are truly usable without changes.
I. Such a project is realistic [but useless] at a high level of abstraction.
II. Such a project is likely unrealistic at a low level of abstraction, since most people use different tools.
Now, choice #I:
- Receive an indication of malware
- Confirm the indication
- Remove the malware
- <eh? this is a waste of time!>
Now, choice #II:
- See an alert in your SIEM (brand A) that says <this>
- Look at the field called <that>
- Use this EDR tool (brand B) that can …
- <loses patience, realizes the futility of this and leaves>
I’ve utilized the above logic as an excuse not to try it. However, organizations that are only starting their security operations, detection and response journeys are asking for it more and more.
- Do you think this is worth doing?
- Do you think this is actually doable?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.