Running in Sand: How to Avoid Getting Stuck at the Onboarding Stage

Often, when we speak of onboarding in a cybersecurity context, we use an identity management lens. However, this isn’t the only lens we can or should use. Onboarding response tools themselves, and the effort that takes, is an essential topic for businesses.

As such, we present this article by Sivan Omer of empow, who describes how onboarding, response, and XDR all interconnect. 

Running in Sand: How to Avoid Getting Stuck at the Onboarding Stage with Response Tools

By Sivan Omer, Director of Product Management, empow

Response is all that everyone seems to be talking about in the cybersecurity arena these days, specifically automated response. Security Orchestration, Automation, and Response (SOAR) tools are being bought up by Security Information and Event Management (SIEM) vendors, while Extended Detection and Response (XDR) solutions are popping up like mushrooms after the rain.

So, what about XDR? Is it indeed shaping up to be the best choice for automated response? Vendors today seem to be big on promises but still quite low on performance and innovative technology.

The Onboarding Bottleneck in Response Tools

We recently asked security professionals (and a shout-out to Kate at SecurityBrew for the survey) how long it typically takes them to onboard a response tool. Over 50 percent of respondents said it took them over 4 months, and only 6 percent were able to do so in less than a month. How can that be in this day and age, where 30 seconds is a long time?

The fault lies in the way vendors approach response playbooks. A predefined playbook needs the SOC team to adapt it to the needs and requirements of the organization. It is a cookbook with explicit directions and static instructions that attempts to define best practices. This task can only be successfully undertaken by skilled specialists in cyber threats and incident response who are also familiar with their organization’s network topology and policies. The shortage of skilled security analysts in the market, combined with the complexity of this task, means that even if you buy the best response tool out there, it will be months before you see real value from it.

Not only that, but every time you need to integrate a new tool (Email Protection, EDR, TI, etc.), or update the playbook policy to support additional use cases, things start all over again – configuration, manual playbook writing… the lot. It’s like running in the sand – very tiring and not a lot of fun.

The cybersecurity world is extremely dynamic. Anyone – and any system – relying on static playbooks will likely be left behind, trying to clean up the damage after a cyber-attack has already occurred. In all the stages of the cyber chain – from detection to prioritization, investigation to mitigation, remediation, and documentation of the whole process – proactivity should be used wherever possible. The only way to win this never-ending battle is through a dynamic and flexible cybersecurity platform.

What to Ask XDR Vendors

When selecting an XDR solution, the main thing to check is that the promised automation is not just a repositioning of existing technology, but rather capabilities with substance that will be able to run quickly, effectively, and autonomously. Here are some questions that can help you better assess XDR tools and vendors:

  1. How long does it typically take organizations to onboard your response tool?
  2. How much manual configuration is required on the part of the analyst to onboard the response tools?
  3. How much time and effort is required to integrate it with new applications?
  4. What specific tasks are automated, and which still require manual configuration?
  5. What automation algorithms form the backbone of the solution? Look for technologies such as Artificial Intelligence (AI), Natural Language Processing (NLP), Belief and Bayesian Network (BBN) algorithms, User and Entity Behavior Analytics (UEBA), Network Traffic Analysis (NTA), and Threat Intelligence (TI) engines.
  6. Can the playbook run on an “entity” (which includes multiple threat types), or on an “attack campaign” (which can include multiple entities and risk as part of the same campaign) at once, rather than per alert?
  7. Does the playbook adapt to the context of attack that triggers it, beyond the statically defined rules in the playbook?
  8. Does the playbook include preventive response actions?
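Questions 6 through 8 are easier to evaluate with a concrete picture of what "one playbook run per campaign" means compared with one run per alert. The following Python sketch is an added example, not code from the article or from empow: it correlates a handful of constructed alerts by entity and by campaign, picks containment actions based on how far the campaign has progressed, and appends preventive actions. The alert fields, stage names, and action names are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample alerts; field names are this example's own assumptions,
# not a schema from any vendor. Alert 4 has no campaign correlation.
SAMPLE_ALERTS = [
    {"id": 1, "entity": "ws-01", "campaign": "camp-A", "type": "phishing_email", "stage": "delivery"},
    {"id": 2, "entity": "ws-01", "campaign": "camp-A", "type": "malware_exec", "stage": "execution"},
    {"id": 3, "entity": "srv-02", "campaign": "camp-A", "type": "lateral_movement", "stage": "lateral"},
    {"id": 4, "entity": "ws-07", "campaign": None, "type": "port_scan", "stage": "recon"},
]

# Ordered kill-chain stages used to judge how far an attack has progressed (assumed).
STAGE_ORDER = ["recon", "delivery", "execution", "lateral", "exfiltration"]


def group_by_entity(alerts):
    """Collapse alerts onto the entity (host, user, ...) they concern."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[alert["entity"]].append(alert)
    return dict(groups)


def group_by_campaign(alerts):
    """Collapse alerts onto their campaign; uncorrelated alerts stay on their own."""
    groups = defaultdict(list)
    for alert in alerts:
        key = alert["campaign"] or f"uncorrelated-{alert['id']}"
        groups[key].append(alert)
    return dict(groups)


def furthest_stage(alerts):
    """Return the most advanced kill-chain stage seen in a group of alerts."""
    return max(alerts, key=lambda a: STAGE_ORDER.index(a["stage"]))["stage"]


def plan_response(campaign_id, alerts):
    """Build ONE playbook run for a whole campaign, adapting actions to its context."""
    entities = sorted({a["entity"] for a in alerts})
    threat_types = sorted({a["type"] for a in alerts})
    stage = furthest_stage(alerts)
    actions = []
    # Context-aware containment (question 7): once the campaign has reached
    # execution, every affected entity is isolated, not just the one behind the
    # latest alert; early-stage activity only notifies an analyst.
    if STAGE_ORDER.index(stage) >= STAGE_ORDER.index("execution"):
        actions += [("isolate_host", e) for e in entities]
    else:
        actions += [("notify_analyst", e) for e in entities]
    # Preventive actions (question 8): act on entities not yet affected.
    if "phishing_email" in threat_types:
        actions.append(("quarantine_matching_email", "all_mailboxes"))
    if "lateral_movement" in threat_types:
        actions.append(("block_lateral_protocols", "segment"))
    return {
        "campaign": campaign_id,
        "entities": entities,
        "threat_types": threat_types,
        "stage": stage,
        "actions": actions,
    }


def run_playbooks(alerts):
    """One playbook run per campaign (question 6) rather than one per alert."""
    return [plan_response(cid, group) for cid, group in group_by_campaign(alerts).items()]


def count_runs(alerts):
    """How many playbook runs each scoping strategy would trigger for the same alerts."""
    return {
        "per_alert": len(alerts),
        "per_entity": len(group_by_entity(alerts)),
        "per_campaign": len(group_by_campaign(alerts)),
    }


if __name__ == "__main__":
    print(count_runs(SAMPLE_ALERTS))
    for plan in run_playbooks(SAMPLE_ALERTS):
        print(plan)
```

On the constructed alerts, per-alert scoping would fire four playbook runs, per-entity three, and per-campaign two; the campaign run isolates both hosts and adds the two preventive actions, while the lone port scan only produces an analyst notification. When asking vendors question 6, this is the difference to probe: whether the playbook receives the correlated campaign as its input, or only the single alert that happened to fire.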

Getting concrete answers to these questions will take you past empty promises and separate the response tools that can bring you real value from the rest of the field.

Thanks to Sivan Omer of empow for this article. To learn more, check out the Solutions Review Buyer’s Guide for SIEM or for SOAR. You can also register for an upcoming January 26th webinar hosted by empow.

Ben Canner