The CNN Factor Adds More Complexity to Security Operations

Security Teams Need the Ability to Collaborate and Coordinate to Make Better Use of the Talent and Data They Already Have

We all know that security teams are drowning in a sea of alerts, largely driven by a defense-in-depth strategy with layers of protection that aren’t integrated and that generate a massive volume of logs and events. If you need further evidence, Cisco’s 2018 Annual Cybersecurity Report (PDF) found that among organizations using 50+ vendors, 55 percent say orchestrating security alerts is very challenging, and among those with 21-50 vendors, 43 percent are struggling. The result? On average, 44 percent of alerts are not investigated, and of those investigated and deemed legitimate, nearly half (49 percent) go unremediated.

Compound that reality with the “CNN Factor” – global cyberattacks that garner widespread interest and trigger calls from management – and you’ve got a situation that is quickly becoming untenable. It isn’t sufficient for security teams to prevent, detect and respond to attacks. Security teams also must be able to proactively investigate and understand what the latest, large-scale cyber campaign means to their organization. 

Yet Cisco’s study finds, “One reason [alerts go un-remediated] appears to be the lack of headcount and trained personnel who can facilitate the demand to investigate all alerts.” So how can security teams handle the fallout from the headlines along with their daily list of “to-dos”? They need a force multiplier: the ability to collaborate and coordinate to make better use of the talent and data they already have. This will not only help them respond more effectively and efficiently to alerts, but also let them address the inevitable flurry of questions every time a large-scale attack happens and take action as needed.

Collaborate. It isn’t just security tools that are siloed; security teams typically operate in silos as well, and that includes all the members of your threat intelligence program: threat intelligence analysts, security operations centers (SOCs) and incident handlers, to name a few. When one team member researches an event or alert and doesn’t find information that is relevant to them, they tend to put that information aside and move on to the next task. But what if someone else in threat operations, conducting a separate investigation, could have benefited from that work? Without the ability to collaborate as part of the workflow, key commonalities are missed, so investigations take longer or hit a dead end.

What’s needed is a single, shared environment that fuses together threat data, evidence and users, so that all team members involved in the investigation process can collaborate. Rather than working in parallel, they can automatically see how the work of others impacts and further benefits their own work. This embeds collaboration into the investigation process. Even in global organizations, with security teams spread around the world, collaboration is possible.

Coordinate. Now that teams have collaboratively investigated an event, an alert or the latest threat in the news cycle, the next step is to take action. In the best case, they’re reporting back to management that the organization is prepared to withstand an attack or is successfully responding to an incident. Otherwise, they need the ability to coordinate the right actions faster, so they can report that they’re taking steps to mitigate risk. The challenge here is that most threat operations or investigations are rife with chaos as teams act independently and inefficiently.

A single, shared environment where managers of all the security teams can see the analysis unfolding allows them to coordinate tasks between teams and monitor timelines and results. Teams work faster and more effectively to mitigate risk. And when response activities take longer than a typical workday, coordinated efforts can continue: for example, actions taken by a team in New York can be picked up seamlessly by the next team on duty in Sydney.

Making better use of the resources you already have, by working from the same set of threat data and coordinating all your teams for collaborative investigation and response, just makes sense. It helps security teams overcome the long-standing challenge of alert overload, and it allows them to respond better to the added pressure that arrives when threats make headline news and ripple through the executive suite.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.