What Family Harmony and Reducing Time to Containment Have in Common

Most Organizations Have More Intelligence Than They Know What to Do With.

We’re finishing up the holiday season, and at this point most of us have spent more time than usual at family gatherings. Let’s be honest: while often enjoyable, they can also be trying. Depending on who is in attendance, the location and duration of the event, and the occasion, we resort to avoidance techniques like going for frequent walks around the block, dodging certain topics of discussion, taking deep breaths, staying in a hotel, or some combination. By understanding as much as we can about who will be at a specific family event, we can make better decisions about how to approach it. We turn to methods that have worked in the past to reduce the stress and maintain family harmony.

If you think about it from the perspective of a security professional, the same basic process applies to containing security incidents. It’s all about situational understanding and experience. In security, we enrich data with context for a deeper understanding of an event and apply what we have learned to limit or stop the damage. But how fast and effective are our containment efforts, and how could we do better?

According to the 2018 SANS Incident Response Survey, published in October 2018, 40 percent of organizations take more than a day to respond to incidents. We all know that by then much of the damage is likely done, since exfiltration is typically measured in minutes and hours. Perhaps more troubling, 44 percent report that they have been breached by the same threat actor at least twice, with 34 percent saying the same or similar tactics, techniques and procedures (TTPs) were used. The remainder state that different TTPs were used, but they may have had limited visibility and missed certain indicators the first time.

These gaps aren’t due to a lack of intelligence. Most organizations have more intelligence than they know what to do with. They have multiple external threat data feeds: some from commercial sources, some open source, some from industry sharing groups and some from their existing security vendors, each in a different format. On top of that, each individual product within their layers of defense has its own intelligence in the form of log and event data.

What’s lacking is a way to aggregate all this data in one manageable location where it can be translated into a uniform format for analysis and action. You also need the ability to augment and enrich this data automatically with internal intelligence (alerts, events and associated indicators from inside your environment) for context. This provides an understanding of the who, what, where, when, why and how of an attack, so you can prioritize and take the right actions faster.

Internal intelligence also comes in the form of human intelligence, not just data and alerts. Human intelligence brings intuition and learning. And if we collaborate, those lessons spread better and faster instead of each team reinventing the wheel. In the security world, if security operations center (SOC) analysts and the incident response (IR) team work together, we all get better. Add collaboration with other teams and there is a multiplier effect. The challenge is that most security operations and response efforts are rife with chaos, as teams act independently and inefficiently using siloed technologies.

What’s needed is a single shared environment that fuses together threat data, evidence, actions and users in real time so that teams can collaborate. Everything is documented and remains a resource for future reference. The IR team can see what has been done in the past when faced with a similar threat, and can use that knowledge and experience to contain and remediate faster. 

Such an environment also allows the IR team to respond more comprehensively. When new vulnerabilities or indicators associated with a specific threat actor or campaign are discovered, they are added to the environment. As the IR team investigates an incident and works on a response, they can incorporate new knowledge of related indicators. With visibility into more TTPs, the IR team can identify threat actor activity with greater confidence, scope the incident more completely, and contain and remediate more thoroughly to prevent repeat attacks.
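The aggregation-and-enrichment pipeline described in the preceding paragraphs (feeds in different formats translated into one shape, enriched with internal alerts, then prioritized) and the actor/campaign pivot described here, shown together as an added Python example. This is not code from the column or from ThreatQuotient's platform; the three feed formats, the indicator values, the actor and campaign names, the alert fields and the hostnames are all constructed for illustration.

```python
"""Added example: normalize three differently formatted threat feeds into one
record shape, enrich each indicator with internal sightings from SIEM-style
alert lines, prioritize, and expand the scope of a response by pivoting on
the actor or campaign. All data below is constructed; none of it is real."""
import csv
import io
import json
from dataclasses import dataclass, field

# Constructed feed A: commercial feed delivered as JSON objects.
FEED_JSON = json.dumps([
    {"type": "ipv4", "value": "203.0.113.10", "actor": "ACTOR-X",
     "campaign": "CAMP-1", "confidence": 80},
    {"type": "domain", "value": "update-check.example", "actor": "ACTOR-X",
     "campaign": "CAMP-1", "confidence": 70},
])
# Constructed feed B: open-source CSV with its own column names and scale.
FEED_CSV = (
    "indicator,ioc_type,threat_group,score\n"
    "198.51.100.7,ip,ACTOR-Y,55\n"
    "update-check.example,domain,ACTOR-X,60\n"
)
# Constructed feed C: vendor feed, pipe-delimited text, no confidence field.
FEED_TXT = (
    "sha256|" + "deadbeef" * 8 + "|ACTOR-X|CAMP-1\n"
    "ipv4|192.0.2.44|ACTOR-Y|\n"
)
# Constructed internal telemetry: proxy/firewall events as JSON lines.
INTERNAL_ALERTS = [
    '{"ts":"2019-01-02T10:01:00Z","host":"ws-017","dst_ip":"203.0.113.10"}',
    '{"ts":"2019-01-02T10:05:00Z","host":"ws-017","dst_domain":"update-check.example"}',
    '{"ts":"2019-01-02T11:30:00Z","host":"srv-db1","dst_ip":"203.0.113.10"}',
    '{"ts":"2019-01-02T12:00:00Z","host":"ws-042","dst_ip":"192.0.2.99"}',
]
# Each feed names indicator types differently; map them onto one vocabulary.
TYPE_MAP = {"ipv4": "ipv4", "ip": "ipv4", "domain": "domain", "sha256": "sha256"}


@dataclass
class Indicator:
    """Uniform record: one entry per (type, value) regardless of source feed."""
    ioc_type: str
    value: str
    confidence: int = 0
    sources: set = field(default_factory=set)
    actors: set = field(default_factory=set)
    campaigns: set = field(default_factory=set)
    sightings: int = 0          # internal matches, filled in by enrich()
    hosts: set = field(default_factory=set)


def _merge(store, ioc_type, value, source, actor, campaign, confidence):
    """Fold one feed entry into the store; duplicates across feeds collapse."""
    key = (TYPE_MAP[ioc_type], value.strip().lower())
    ind = store.setdefault(key, Indicator(*key))
    ind.sources.add(source)
    if actor:
        ind.actors.add(actor)
    if campaign:
        ind.campaigns.add(campaign)
    ind.confidence = max(ind.confidence, confidence)


def normalize_feeds(feed_json=FEED_JSON, feed_csv=FEED_CSV, feed_txt=FEED_TXT):
    """Translate the three feed formats into one dict of Indicator records."""
    store = {}
    for row in json.loads(feed_json):
        _merge(store, row["type"], row["value"], "feed_json",
               row.get("actor"), row.get("campaign"), int(row["confidence"]))
    for row in csv.DictReader(io.StringIO(feed_csv)):
        _merge(store, row["ioc_type"], row["indicator"], "feed_csv",
               row["threat_group"], None, int(row["score"]))
    for line in feed_txt.splitlines():
        ioc_type, value, actor, campaign = line.split("|")
        # The text feed carries no score, so it enters as low confidence.
        _merge(store, ioc_type, value, "feed_txt", actor or None,
               campaign or None, 30)
    return store


def enrich(store, alert_lines=INTERNAL_ALERTS):
    """Attach internal context: how often and on which hosts each IOC was seen."""
    for line in alert_lines:
        ev = json.loads(line)
        for ioc_type, key in (("ipv4", "dst_ip"), ("domain", "dst_domain")):
            if key in ev:
                ind = store.get((ioc_type, ev[key].lower()))
                if ind:
                    ind.sightings += 1
                    ind.hosts.add(ev["host"])
    return store


def prioritize(store):
    """Indicators seen internally rank first, then by feed confidence."""
    ranked = sorted(store.values(),
                    key=lambda i: (i.sightings, i.confidence), reverse=True)
    return [i.value for i in ranked]


def expand_scope(store, seed_value):
    """Pivot from one confirmed indicator to every other indicator sharing its
    actor or campaign, so containment covers the campaign, not just one IOC."""
    seeds = [i for i in store.values() if i.value == seed_value]
    if not seeds:
        return []
    actors, campaigns = seeds[0].actors, seeds[0].campaigns
    return sorted(i.value for i in store.values()
                  if i.value != seed_value
                  and (i.actors & actors or i.campaigns & campaigns))


if __name__ == "__main__":
    store = enrich(normalize_feeds())
    print("priority order:", prioritize(store))
    print("pivot from 203.0.113.10:", expand_scope(store, "203.0.113.10"))
```

Run as a script it prints the prioritized list and the expanded scope for the one IP that the constructed alerts show two hosts talking to. The scoring is deliberately simple (an internal sighting outranks any feed confidence); a real platform would also weigh recency, asset criticality and feed reliability. The point to take away is the key: because the store is keyed on (type, value), the same domain arriving from two feeds becomes one record with two sources, and the pivot then finds the related file hash that no internal alert has matched yet.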

We dig deep to keep harmony in the family. Chances are we have the same depth of resources available to dig deep in security and reduce both time to containment and repeat breaches. We just need to tap into those resources, our universe of external and internal intelligence, and make them accessible across teams, so we can bridge gaps and share what we learn for faster, more comprehensive containment.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
