For some reason, many organizations use an approach to security operations and incident response workflow that resembles the car journey above. Many parts of the organization remain "dark" and invisible to the security team. Alerts stream into the work queue at breakneck pace without any efficient way to qualify or prioritize them. Detection mechanisms struggle to identify activity of genuine interest without deluging the team with false positives. Investigation, analysis, and forensics of alerts, events, and activity of interest often proceed without much guidance and often fail to converge to a meaningful conclusion.
Not all organizations struggle with these issues. But, even in 2017, a surprising number still do. I think we can all agree that approaching security in this manner is sub-optimal. But what can an organization do to approach security in a more logical manner? Flip the alert funnel.
What Does It Mean to "Flip the Funnel"?
Flipping the alert funnel requires changing the way we think about security operations and incident response workflow. This means turning the detect->investigate->respond workflow on its head. Instead of generating a slew of alerts and then attempting to prioritize them, we do the opposite. We identify, classify, and prioritize our own assets and data first. Only then do we look to generate a prioritized, orderly queue of alerts, one that allows analysts to vet, qualify, and investigate the most important activity first, rather than last or never.
Of course, before we can flip the funnel, we need complete visibility across the entire enterprise and a classified and prioritized inventory of assets. Only then can we identify which assets and data are the most sensitive and critical to our respective organizations. Once we do that, we can develop content and logic to produce reliable, high-fidelity, prioritized alerts.
The result of flipping the funnel is that we are alerted to the activity that we are the most concerned about, or that is likely to have the greatest impact first. We don't miss or ignore less critical activity of course, as we still remain aware of it. We merely prioritize our workflow before it hits the alert queue, rather than trying to do so afterwards.
Automated Threat Investigations in the Flipped Funnel
The process outlined above makes the rest of the detect->investigate->respond workflow far smoother as well. How so? Investigation automation. Even accurate, well-prioritized alerts are only one small piece of the puzzle. To understand the narrative around the alert requires investigation. And understanding the narrative around the alert is the key to timely and accurate response. Traditionally, investigation has been performed manually for each alert, which can take a tremendous amount of time. Sometimes days or weeks. With the alert volumes most organizations see on a daily basis, this just isn't a scalable or workable model.
When we flip the funnel, our entire investigative journey is different because we begin the investigative process with far more background information about what we are dealing with. We understand from the beginning how each alert relates to the risks and threats against the assets we're most concerned about. Flipping the funnel also automates several parts of the investigative process, providing us with important contextual information at alert time. This contextual information guides our investigation, allowing us to converge to a meaningful conclusion far more quickly and efficiently. Naturally, the response process benefits from this context as well.
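To make the two ideas above concrete (classify assets first, then score alerts against that classification; and attach investigative context at alert time rather than afterwards), here is an added example. It is not code from the post or from ExtraHop; the inventory, host names, owners, scoring weights and sample alerts are all constructed for illustration, and the scoring formula is an assumption chosen to show the principle, not a recommended standard.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed asset inventory (hypothetical host names and owners). In a flipped
# funnel this classification exists BEFORE any detection content is written.
# criticality / sensitivity are 1 (low) .. 5 (high).
ASSETS: Dict[str, dict] = {
    "db-prod-01":  {"criticality": 5, "sensitivity": 5, "owner": "data-platform", "tier": "crown-jewel"},
    "web-prod-03": {"criticality": 4, "sensitivity": 2, "owner": "web-team",      "tier": "production"},
    "laptop-0421": {"criticality": 2, "sensitivity": 3, "owner": "it-helpdesk",   "tier": "endpoint"},
}

# Neutral weight for hosts missing from the inventory: they are not dropped, and the
# gap in visibility is surfaced to the analyst through the context dict.
UNKNOWN_ASSET_SCORE = 0.5


@dataclass
class Alert:
    ts: datetime
    host: str
    rule: str
    severity: int  # the detector's own 1..5 severity, which is NOT the final priority


@dataclass
class TriagedAlert:
    alert: Alert
    priority: float
    context: dict


def asset_score(host: str) -> Optional[float]:
    """Map an inventory entry to a 0.2..1.0 weight; None if the host is unknown."""
    asset = ASSETS.get(host)
    if asset is None:
        return None
    return (asset["criticality"] + asset["sensitivity"]) / 10.0


def related_alerts(alert: Alert, alerts: List[Alert], window: timedelta) -> List[Alert]:
    """Other alerts on the same host within +/- window of this one."""
    return [
        other for other in alerts
        if other is not alert
        and other.host == alert.host
        and abs(other.ts - alert.ts) <= window
    ]


def triage(alerts: List[Alert], window: timedelta = timedelta(hours=24)) -> List[TriagedAlert]:
    """Score and enrich every alert, then return the queue highest priority first."""
    queue = []
    for alert in alerts:
        weight = asset_score(alert.host)
        related = related_alerts(alert, alerts, window)
        # Asset importance dominates the detector's severity; corroborating alerts on
        # the same host within the window add a small, capped bump.
        priority = alert.severity * (weight if weight is not None else UNKNOWN_ASSET_SCORE)
        priority += 0.5 * min(len(related), 2)
        # Context gathered automatically at alert time, so the analyst starts with it.
        context = {
            "known_asset": weight is not None,
            "owner": ASSETS.get(alert.host, {}).get("owner"),
            "tier": ASSETS.get(alert.host, {}).get("tier"),
            "related_alert_count": len(related),
            "related_rules": sorted({r.rule for r in related}),
        }
        queue.append(TriagedAlert(alert, priority, context))
    # Highest priority first; earlier alerts first among equals.
    queue.sort(key=lambda t: (-t.priority, t.alert.ts))
    return queue


# Constructed sample alerts (not real detections).
T0 = datetime(2017, 3, 1, 8, 0)
SAMPLE_ALERTS = [
    Alert(T0 + timedelta(hours=1),    "laptop-0421",     "suspicious-powershell",   5),
    Alert(T0 + timedelta(minutes=65), "db-prod-01",      "unusual-db-query",        3),
    Alert(T0 + timedelta(minutes=90), "db-prod-01",      "outbound-large-transfer", 3),
    Alert(T0 + timedelta(hours=2),    "unknown-host-77", "port-scan",               2),
    Alert(T0,                         "web-prod-03",     "failed-logins",           2),
]

if __name__ == "__main__":
    for t in triage(SAMPLE_ALERTS):
        print(f"{t.priority:4.1f}  {t.alert.host:16} {t.alert.rule:24} {t.context}")
```

With this sample, the laptop alert carries the highest detector severity (5) yet lands third in the queue: the two alerts on the crown-jewel database come first because the asset classification, not the detector, sets the order, and each arrives already tagged with its owner, tier and the other rule that fired on the same host inside the window. The alert on the host absent from the inventory is kept in the queue with `known_asset: False`, which is the "dark" part of the enterprise the post warns about made visible to the analyst rather than silently dropped.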
For two decades, security teams have been swimming against the current. Alert fatigue, lack of prioritization, and lack of investigative clarity have hindered security operations.
Flipping the funnel allows security teams to prioritize where they want to go, and subsequently find the most efficient and effective route for that journey.
Read Josh's first post: "Why I'm Excited to Be An Adviser For ExtraHop"