{"id":105412,"date":"2020-01-23T13:00:06","date_gmt":"2020-01-23T21:00:06","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=105412"},"modified":"2020-07-30T19:59:22","modified_gmt":"2020-07-31T02:59:22","slug":"cortex-secops-strategies","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2020\/01\/cortex-secops-strategies\/","title":{"rendered":"3 SecOps Strategies To Enable Your Smart People To Focus on Smart Things"},"content":{"rendered":"

This blog is the third in a series based on our book, \u201cElements of Security Operations,\u201d a guide to building and optimizing effective and scalable security operations. <\/span><\/i>Download a free copy today<\/span><\/i><\/a>.\u00a0<\/span><\/i><\/p>\n

\"This<\/p>\n

Presumably, you hire smart people because you want them to spend their time doing smart things. But what happens when your processes are broken, outdated, poorly defined or unscalable? Your talented employees are forced to waste energy overcoming these challenges rather than spending it on the activities for which they provide unique value. The key to solving these problems is implementing better SecOps strategies.<\/span><\/p>\n

This is a pervasive challenge in the average enterprise security operations center (SOC), where alert-generating security tools have multiplied way too fast for anyone to meaningfully integrate them, while at the same time threats have gotten more sophisticated and harder to detect. Analysts toil away to manually identify, validate and remediate an endless flow of alerts. This is not maximizing their job satisfaction, their efficiency nor their overall impact on your security posture.\u00a0<\/span><\/p>\n

Here\u2019s what the typical SecOps analyst time allocation looks like today relative to the ideal state:<\/span><\/p>\n

\"Incident<\/span><\/div><\/p>\n

The majority of an analyst\u2019s time is spent weeding through false positives and low-fidelity alerts to identify and triage malicious threats. A lot of time is also spent in threat mitigation. Some of this is due to a lack of automation. Other difficulties are introduced by inefficient interfaces with teams and tools outside of the security operations organization that need to be involved in halting the attack. Proportionally little time is spent actually investigating the root cause and impact of a confirmed security incident, and even less time is spent on operational improvement. These latter two areas are where human analysis is most important, and where your talented analysts can have the greatest impact.\u00a0<\/span><\/p>\n

 <\/p>\n

Smarter SecOps Strategies<\/span><\/h2>\n

Enterprises need to fix this. We need to let smart people do smart things. Here are three strategies to get you started:<\/span><\/p>\n

1. Focus on Prevention-Based Architecture.\u00a0<\/span><\/h4>\n

Preventing an attack outright is always the ultimate security outcome. Prevention architecture may exist outside of the SecOps function itself, but it affects the efficiency and efficacy of achieving the SOC mission. Without a prevention-based architecture, analysts can be overwhelmed with false-positives and low-fidelity data. This can result in detuning sensors and ignoring alerts. Analysts may begin to rush investigations or overlook making updates to controls, which amplifies the problem. A properly implemented prevention-based architecture ensures that machines are used for what they are good at \u2013 events \u2013 and people can focus on what they are good at \u2013 situations.<\/span><\/p>\n

A prevention-based architecture cuts down on the noise in the SOC and is comprised of:<\/span><\/p>\n