Organizations have long sought to shorten the time it takes to detect a data breach and to contain one faster once it is found.
But one persistent challenge with security information and event management (SIEM) tools has been the signal-to-noise ratio. "There's a fine line between malicious and suspicious," says James Carder, CISO and vice president of LogRhythm. The better a tool distinguishes between the two, the more analysts can concentrate their investigations on the events most likely to be malicious.
To help, Carder says, organizations should consider using "threat lifecycle management platforms" that incorporate behavioral analytics, case management and security automation and orchestration to provide a better big-picture look at security events. "The more you can automate, and the more you can embed that workflow into your business processes, every CISO is going to reduce that time to detect and respond ... and that's really what the focus is today on SIEM," he says.
He also stresses that organizations should establish baselines of what normal user behavior and workflows look like in their own environment, so that deviations from those patterns can be flagged as suspicious and investigated. "Your own data is probably your best source of threat intel," he says.
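To make the baselining idea concrete, here is an added example (not code from the interview, from LogRhythm or from any product) that builds a per-user baseline from constructed authentication log lines and then scores a later day's events against it. The log format, user names, host names and thresholds are all assumptions chosen for this illustration: each user's baseline records the source hosts and hours of day seen over the training window plus the daily login count, and the scoring step flags a never-seen user, a new source host, an off-hours login, and a volume spike measured against that user's own mean and standard deviation.

```python
"""Baseline-and-deviation detection over constructed authentication logs.

Added illustration only: the log format, users, hosts and thresholds below are
assumptions for this example and do not come from the interview or any product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed log format: "<ISO timestamp> auth: user=<u> host=<h> result=<success|failure>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\w+) host=(?P<host>[\w.-]+) result=(?P<result>\w+)$"
)


def parse(lines):
    """Yield (timestamp, user, host) for successful logins; skip failures and malformed lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["result"] == "success":
            yield datetime.fromisoformat(m["ts"]), m["user"], m["host"]


def build_baseline(events):
    """Per-user baseline: source hosts seen, hours of day seen, and logins per day."""
    baseline = {}
    for ts, user, host in events:
        b = baseline.setdefault(user, {"hosts": set(), "hours": set(), "daily": defaultdict(int)})
        b["hosts"].add(host)
        b["hours"].add(ts.hour)
        b["daily"][ts.date()] += 1
    return baseline


def score_day(baseline, events, z_threshold=3.0, min_spike=2):
    """Flag deviations from each user's own baseline. Returns a list of (user, reason)."""
    findings = []
    counts = defaultdict(int)
    for ts, user, host in events:
        counts[user] += 1
        b = baseline.get(user)
        reasons = []
        if b is None:
            reasons.append("no baseline: user never seen before")
        else:
            if host not in b["hosts"]:
                reasons.append(f"new source host {host}")
            if ts.hour not in b["hours"]:
                reasons.append(f"login at unusual hour {ts.hour:02d}:00")
        for r in reasons:
            if (user, r) not in findings:   # report each distinct deviation once
                findings.append((user, r))
    for user, n in sorted(counts.items()):
        b = baseline.get(user)
        if b is None:
            continue
        daily = list(b["daily"].values())
        mu, sigma = mean(daily), pstdev(daily)
        # min_spike guards the zero-variance case: a user with identical counts
        # every day would otherwise be flagged by an increase of a single login.
        if n > mu + max(z_threshold * sigma, min_spike):
            findings.append((user, f"{n} logins vs baseline mean {mu:.1f} (sd {sigma:.2f})"))
    return findings


def constructed_training_lines(days=15):
    """Constructed 'normal' history: alice logs in 1-3 times a day from her workstation,
    bob exactly twice a day (plus one failed attempt, which parse() ignores)."""
    lines = []
    start = datetime(2017, 1, 2)
    for d in range(days):
        day = start + timedelta(days=d)
        for i in range(1 + d % 3):
            ts = day.replace(hour=9 + 2 * i)   # 09:00, 11:00, 13:00
            lines.append(f"{ts.isoformat()} auth: user=alice host=ws-alice result=success")
        for hour in (8, 16):
            lines.append(f"{day.replace(hour=hour).isoformat()} auth: user=bob host=ws-bob result=success")
        lines.append(f"{day.replace(hour=12).isoformat()} auth: user=bob host=ws-bob result=failure")
    return lines


def constructed_test_lines():
    """Constructed day to score: alice's normal pattern repeated three times plus one
    03:00 login from an unfamiliar host, bob unchanged, and a never-seen user carol."""
    day = datetime(2017, 1, 17)
    lines = []
    for _ in range(3):
        for hour in (9, 11, 13):
            lines.append(f"{day.replace(hour=hour).isoformat()} auth: user=alice host=ws-alice result=success")
    lines.append(f"{day.replace(hour=3).isoformat()} auth: user=alice host=vpn-gw-7 result=success")
    for hour in (8, 16):
        lines.append(f"{day.replace(hour=hour).isoformat()} auth: user=bob host=ws-bob result=success")
    lines.append(f"{day.replace(hour=10).isoformat()} auth: user=carol host=ws-carol result=success")
    return lines


def run_example():
    baseline = build_baseline(parse(constructed_training_lines()))
    return score_day(baseline, parse(constructed_test_lines()))


if __name__ == "__main__":
    for user, reason in run_example():
        print(f"{user}: {reason}")
```

Running it reports alice's new source host and off-hours login, her volume spike (10 logins against a baseline mean of 2.0), and carol as a user with no history, while bob's unchanged activity produces nothing. The point the example makes beyond the quote is that the thresholds are relative to each user's own history rather than a global rule, which is what keeps a deliberately noisy user from drowning out a quiet one whose behavior has genuinely changed.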
In an audio interview at RSA Conference 2017 in San Francisco, Carder also discusses:
- The need for every organization to have an incident response plan - including a breach notification strategy - and to practice it;
- Advances in user behavior analytics and machine learning that help cut down on breach detection and response time;
- Threat intelligence best practices.
Before joining LogRhythm, Carder was the director of security informatics at Mayo Clinic. Prior to that, he served as a senior manager at Mandiant, where he led professional services and incident response engagements.