A recent article in Network World by ESG's Jon Oltsik correctly called out the fact that Incident Response (IR) automation is becoming a very hot topic in the infosec world. In it, Oltsik identifies the factors driving demand for IR automation and orchestration: the manual nature of IR work, the cyber skills shortage, and the difficulty of coordinating activity between secops and devops.
Great companies are built on two major factors: compelling market need and innovative solutions. As we launch LogicHub, we aspire to be one of those great companies. So we want to begin by introducing you to the thinking and the technology on which we’ve founded the company.
The majority of security teams still rely on rules to detect threats. Typically, these teams keep a central repository of security events and implement rules that raise an alert whenever the condition within a rule matches. This rules-based technology has been in use for a number of years, and while Security Operations teams have come to rely on it for alerting, they are finding daily that it has several limitations.
While SIM and other security analytics products are able to detect and alert on “known” threats, they are ineffective at recognizing and alerting on threats that the system does not already know how to detect. (If you want to learn more about why that is, read Monica Jain’s blog post, 5 Key limitations of doing Threat Detection with Rules.)
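As an added illustration (not code from the original post or from LogicHub), here is a minimal rules engine of the kind described above: a brute-force rule fires when one source address produces five failed logins within a minute, while the same volume of failures spread across sources and time never satisfies the rule's condition, so no alert is raised. The event fields, thresholds and sample data are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed sample field)
    user: str
    src_ip: str
    action: str    # "login_failed" or "login_ok"


def brute_force_rule(events, threshold=5, window=60):
    """Rule: alert when one src_ip has >= threshold failed logins within `window` seconds.

    Returns a list of (src_ip, timestamp) alerts, one per matching burst.
    """
    alerts = []
    fails = defaultdict(list)          # src_ip -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "login_failed":
            continue
        bucket = fails[ev.src_ip]
        bucket.append(ev.ts)
        # Slide the window: discard failures older than `window` seconds.
        while bucket and ev.ts - bucket[0] > window:
            bucket.pop(0)
        if len(bucket) >= threshold:
            alerts.append((ev.src_ip, ev.ts))
            bucket.clear()             # one alert per burst, not one per event
    return alerts


# Constructed sample 1: the "known" pattern, six failures from one IP in 25 seconds.
FAST_BURST = [Event(1000 + i * 5, "alice", "203.0.113.7", "login_failed") for i in range(6)]

# Constructed sample 2: the same six failures, each from a different IP, ten minutes apart.
# No single src_ip ever reaches the threshold, so the rule's condition never matches.
SLOW_SPREAD = [Event(2000 + i * 600, f"user{i}", f"198.51.100.{i}", "login_failed") for i in range(6)]


def alert_count(events):
    """Number of alerts the rule raises for a batch of events."""
    return len(brute_force_rule(events))
```

Both batches contain identical evidence (six failed logins); only the first matches the rule as written, which is the gap the post describes between detecting known patterns and recognizing ones the rule set has not anticipated.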