3 Challenges That Prevent Faster Mean Time to Remediation

Originally published by Dazz.

Written by Amit Ripshtos, Tech Lead, Dazz.

According to Gartner, 99% of cloud security breaches in the next three years will be caused by preventable misconfigurations and coding mistakes. That’s why your company probably has, over the past few years, been installing vulnerability-detection tools with abandon. But that too may be a problem: You may now have a security architecture in which alert overload and alert fatigue are the norm.

Perhaps you were so worried that you might miss some control gap in your cloud-based or hybrid network infrastructure that you deployed an assortment of detection tools whose defenses overlap. If so, then a single event might trigger hundreds, or even thousands, of alerts from many different tools—with none of the tools offering adequate context on the cause of the alert or the issues that matter to your business.

You’re responsible for responding to these alerts, but that means facing a torrent of information every day and spending a significant amount of your time simply triaging threats. This reduces your bandwidth to tackle bigger-picture questions of network and security strategy. It also creates inefficiencies in threat detection and response that may actually extend median time to repair (MTTR), rather than shrinking it.

For companies stuck in alert overload, three key challenges tend to reduce your effectiveness and extend MTTR:

1. Processes to uncover root causes are slow and manual.

When you are inundated with alerts, correlating those alerts with one another requires a great deal of manual effort, which necessarily slows down your response. So does spending time trying to understand which alerts are false positives. For example, a backlog of thousands of alerts may all derive from a single root cause, and fixing that root-cause issue may solve the entire problem. However, if you have to analyze each alert individually to determine whether it is a false positive and what root causes underlie it, reaching these conclusions can be tedious and slow—and that’s before you even begin to come up with a solution. This environment can substantially increase MTTR and reduce your company’s ability to defend itself against emerging threats.

2. You may not be able to effectively prioritize threats.

If you’re trying to triage a huge number of alerts every day, you may not necessarily make good decisions around prioritizing risk mitigation. The sheer volume of information you must wade through might dramatically reduce visibility into the actual underlying problems, so the most important issues may not end up at the top of the list of fixes that you hand off to dev.

3. You don’t know who is responsible for what code.

The speed and agility of cloud container technologies enable software development teams to spin up applications faster than ever before. This is great for organizational agility and for meeting customer needs as quickly as possible. It is not great for threat remediation, as your security team may lack visibility into which developer made what change to the code base when an application was developed or updated. In fact, some internally built tools may have capabilities that you don’t even know about. When a threat is hovering over the corporate environment, the last thing you need to be spending time on is tracking down which developer is responsible for the affected code.