For those of you who'd rather dive right into the visuals, check out this example of how automated investigation with ExtraHop Reveal(x) compares to a standard multi-tool workflow in detecting, investigating, and averting a Brute Force Attack:
Now for some background. Security operations teams today nearly all suffer from alert fatigue, resulting from having too many tools firing alerts with a high percentage of false positives. A typical security investigation workflow today might require dozens of tools, including IDS/IPS, application and flow logs, SIEM, packet capture, firewall, UEBA, and any number of others.
Analysts are forced to manually gather the data from these tools and prioritize which alerts to follow up on, an impossible task when organizations get 5,000+ alerts per day. Alert overload means real threats slip through the cracks, leading to a 100+ day "dwell time" for undetected threats inside the network. That's when the bad guys do the most damage.
Furthermore, security teams are understaffed and overworked, leading to high turnover rates, low job satisfaction, and a job market where there are millions more open security jobs than there are qualified professionals.
ExtraHop Reveal(x) is not a panacea, but we built it specifically to address these challenges. Reveal(x) uses a detection system on top of the highest-fidelity data source available, the network, to eliminate false positives and only provide actionable notifications. By gathering data and conducting analytics ahead of time, Reveal(x) is able to automate many of the steps of a security investigation, providing unprecedented visibility, definitive insights, and immediate answers without burning out security pros.
More on Investigation Automation with Reveal(x)
This is a companion discussion topic for the original entry at https://www.extrahop.com/company/blog/2018/automated-security-workflow-comparison-infographic/