Need For Speed: How Security ChatOps Helps SOCs Reduce MTTR

Feb 22, 2018
4 minutes

Welcome to our series on Security ChatOps and how it can help security teams perform better. Today, we’ll focus on how the seamless process of conversing with other analysts, running real-time security commands, and documenting all actions on the same window leads to speedier investigations and reduces overall MTTR.

Before ChatOps – Wading through quicksand 

ChatOps MTTR Slow Response Image

One of the most common gripes from security analysts is the time it takes to successfully respond to and close an incident. This slow speed stems from many reasons: the sheer number of alerts swamp analysts into submission, flitting between multiple security products leaves them in a daze, and working in silos deprives them of each other’s expertise. When each issue adds up, it’s like running a marathon with cemented boots.

These slow investigation processes are due to:

Conversations all over the place: When analysts get stuck during incident response and need help, they usually ask colleagues or (if it’s a general process) online message boards. These conversations get stored on email threads, Slack channels, ticketing chains, the internet, or simply get lost because they happen around the water-cooler.

Apart from the time it takes for analysts to refer to these various sources again during investigation, further time is wasted while collating all these sources for audit and compliance logs.

Stretched security product stacks: While investigating, analysts often need to use the multitude of security tools at their disposal. This might be for executing actions, collecting data, running queries, or a combination of all three. To coordinate among all these tools, analysts will have a plethora of tabs open and work on multiple screens, going to each product’s console to perform that product’s action.

This leads to needless dwell time, especially during longer investigations that necessitate the use of 10-15 security products. It also results in an increased possibility of human error as analysts are expected to perform repetitive tasks, copy paste results onto some central console, and keep a track of what information comes from each product.

These drawbacks exacerbate already present alert fatigue, increase analyst anxiety, and needlessly prolong investigations to put SLAs at risk.

After ChatOps – Arm that nitrous boost

ChatOps MTTR Fast Image

ChatOps solves all three problems mentioned above. A single window eliminates the need to jump between screens, the chat-based interface encourages analysts to share knowledge and work together, and these joint investigations directly lead to a reduction in alert volumes. Each second of downtime after a cyberattack can spell financial doom for organizations; in this race against time, ChatOps provides a much-needed nitrous boost.

Here's how ChatOps results in faster, more accurate investigations:

One spot to collect all conversations: If SOCs have a ChatOps tool enabled, analysts can converse with each other in that window to eliminate the need for multiple collaboration sources. ChatOps tools can also integrate with other messaging platforms like Slack, essentially mirroring conversations across screens and preventing tedious copy-paste exercises. Lastly, if there are any straggling comments left as emails, tickets, or even freestyle notes, all of those can be uploaded to the ChatOps tool for a central repository of analyst comments.

Run security commands across products: Rather than going to each security product’s screen, running the required commands, and transferring the answer back to some central database, ChatOps lets analysts run security commands in real-time from one console through a command-line interface. ChatOps tools have chatbots that ‘go to’ these products, run the commands, and get the results back to the (only) one window that analysts now inhabit instead of flitting between screens.

Apart from decreasing dwell time, this central execution of actions also results in increased accuracy of investigations. If analysts are less burdened with mundane tasks, they’re less likely to fall prey to human error.

What other benefits do you think stem from the increased agility afforded by Security ChatOps? Leave a comment below and let’s start a conversation!

If you’re interested in learning more about Security ChatOps, we invite you to sign up for our Free Community Edition.

Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.