Security policy setting and security operations (SecOps) have traditionally been separate entities within an organization. The lines between the two are blurring, however. True security posture is now a matter of how efficiently and accurately SecOps can process threat alerts. Indeed, what good are policies and tools if SecOps incident response processes can’t match the pace of incoming threats? Organizations that cannot make SecOps productive enough to handle the flow of alerts will become more exposed to risk.
SecOps productivity is a major area of focus for Sam E. Buhrow, CISSP and Director of Cyber Incident Management & Forensics at Banner Health. Banner, the largest employer in Arizona, operates 491 medical facilities, including hospitals, learning campuses, urgent care facilities and more. At this size, the company presents an attractive target for hackers. Buhrow, part of a 70-person InfoSec team, is responsible for effective, timely responses to threat alerts. He has his hands full.
To avoid drowning in alerts and missing truly serious threats, Buhrow’s organization has established a workflow designed for efficiency. An outsourced Managed Security Services Provider (MSSP) performs the initial review of alerts and triages them according to policies that align with the NIST Cybersecurity Framework. This approach lets Banner’s in-house team handle only significant alerts and actual security incidents.
“We have taken the time to recruit and hire very good people,” said Buhrow. “We want them to concentrate on threats that affect our business and regulatory compliance. We don’t want them getting burned out chasing false positives.”
Response automation also factors into Buhrow’s SecOps productivity strategy. His team has integrated OpenText EnCase with their ServiceNow ticketing system. When there’s an infected endpoint, for example, security analysts can trigger EnCase to preserve a “snapshot” of the endpoint for forensic review while simultaneously initiating an automated ticketing process. This saves time so team members can keep their eyes on the threat, not the digital paperwork.
Buhrow’s team has sandboxes where they can “explode” (detonate) suspected malware. With the EnCase snapshot already preserved, they can pull infected machines off the network and wipe them while using EnCase to devise a remediation for the threat. The team may then analyze the EnCase snapshot with tools like the open source Volatility framework, which examines the infected machine’s memory dump.
Banner’s approach to using Volatility reveals a sometimes hidden drag on team members’ time. “We love Volatility,” Buhrow noted. “But it can be very time-consuming to keep Volatility up to date with configuration. It’s sensitive to updates on a lot of dependent systems. It’s work just to keep it up and running, but we may only use it once a week.”
To avoid tool maintenance routines like keeping Volatility running, Banner works with OpenText’s professional services arm, which maintains a ready-to-run instance of Volatility on Banner’s behalf. In addition to keeping Buhrow’s people away from mundane tasks, the quick availability of open source tools speeds up incident response.
OpenText has also been able to tune EnCase and related incident response tools to enable Buhrow’s senior team members to function as “incident commanders.” In this role, they can apply their extensive training to supervising junior analysts in the more labor-intensive incident response tasks, making SecOps more productive and effective in the process. As SecOps productivity becomes critical to security posture, Banner shows how security teams can leverage toolsets and professional services to become better defenders through increased efficiency.