Information Security Buzz

Getting Your Company Out Of A Crisis Situation

By ISBuzz Team, May 18, 2018

Why situation rooms hold the key to dealing with a data breach

You can imagine a scene in an action movie where the president is briefed on an ongoing incident, surrounded by generals and chiefs of staff. Each in turn describes parts of the event, while the president asks questions and directs actions until the incident is over or a decisive move is made to combat the foe. What you are picturing is called a situation room.

In fact, the situation room is based in reality. Created in 1961, such a room brings together the right people and information to allow White House staff to be apprised of significant events. Wouldn’t it be a good idea if something similar was available when an organisation is suffering from a security breach?

Getting the right data together

Cybersecurity is all about quicker detection of a security breach. The industry is moving toward reducing MTTD (mean time to detection) and MTTR (mean time to respond) through automation. However, being fastest isn’t the be-all and end-all. When a security breach occurs, the right response is far better than a rushed response. With an instant response, there is a lot of chaos and not much time to digest every piece of information. Instant responses can also be myopic, failing to take into account what else is going on.

There are millions of data points that can be ingested by modern security systems, but working through what information is relevant and what response is appropriate can take time. Many security analysts may each work on different data points to understand their own part. But that can be a minor part, and not that helpful if studied out of context with the larger issue at hand. A narrow view will miss a common thread running through these data points.

Responding more quickly means the need for collaboration has never been greater.

Getting the right people together

Breaking analysts out of their respective silos is the key to decreasing response times. The common siloed approach to dealing with breaches means an inability to share intelligence and makes things generally much less efficient than they could be. Collaboration is the way forward in many spheres of an organisation’s life in order to meet business goals and drive growth. Cybersecurity is no different. Getting the relevant people together when a cyber-attack happens is crucial to how successfully that attack is dealt with. It is not just a case of having the right people in the room or on a conference call. That in itself helps a great deal, but all participants need to get an idea of what the problem is, where the evidence is, what is being done, and by whom.

Seeing the bigger picture

The good news is that here at ThreatQuotient we have just launched such a platform to enable the relevant people to see what is going on and make the right decisions, faster. ThreatQ Investigations is a platform that helps responses to be determined and acted upon faster than before. It presents the different components of a cyber attack visually so that users can digest them easily, and it makes the situation easier to work through: the equivalent of your very own situation room.

It helps an organisation focus on various aspects of an investigation without being inundated with lots of detail. Users can pivot through vast amounts of data to strengthen detection. The platform can overlay threat data with who is working on what. This can then build up relationships between data points in order to create vital intelligence. With the threat detected and analysed correctly, security teams can then assign the relevant members to investigate and work on different parts of the analysis. They can be assigned tasks and deadlines to accelerate security operations.

All this can feed information back into the platform to enable the right responses to be determined and acted upon faster than previously possible.

Having such a platform in place is a very powerful way to give teams full, real-time visibility of, and interaction with, an investigation they are working on. This means organisations can collaborate and coordinate actions that will decrease both mean time to detection and mean time to respond. The right response is better than a quick response, but the right response carried out faster than ever before is even better.

About Leon Ward


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
