By taking an organized approach to addressing and managing the daily threats or the aftermath of a security breach, you can significantly decrease the amount of time spent on rework and waste. The goal should be to handle the situation in a way that limits damage and reduces recovery time and costs.
When the security operations team is small and staffed entirely by experienced analysts, which we like to refer to as a “small team of security ninjas,” a senior (or lead) analyst will typically review each security incident before it is closed. This model provides an opportunity not only to verify that the individual incident work was completed correctly but also to look for patterns, such as excessive false positives, inflated severities, or too many incidents classified as critical.
With a traditional security response team, the lead analyst will reject the security incident and send it back to be reworked. It could be sent back for different reasons: it may be something as simple as incomplete close notes, or it may be that the work wasn't completed as listed and the organization is still at risk. In either situation, work has to be done again, which costs the company a lot of time and money. Rework is something analysts with limited time can rarely afford to do.
But there is good news. Our customers are starting to report a 50 percent drop in security incidents sent back for rework. By using the organized, intentional approach we recommend, analysts are getting it right the first time – twice as often as they did before. This is possible because instead of fighting the tools, they have a system that flows with their process.
This alignment of tool and process flow, driven by priority outcomes, is a significant step forward in maximizing the effectiveness of the platform and ultimately achieving productive IT management. It’s just another reason to consider investing in an automated Security Incident Response system. Read more about our 7 Doctrines to Productive IT Management.