Endpoint

8/3/2018 10:30 AM
Dario Forte
Commentary

4 Reasons Why Companies Are Failing at Incident Response

When it comes to containing the business impacts of a security breach, proper planning is often the difference between success and failure.

The cybersecurity threat landscape continues to evolve and expose companies in all sectors to breaches. In 2018 alone, a diverse range of companies — including Best Buy, Delta, Orbitz, Panera, Saks Fifth Avenue, and Sears — have been victimized. 

Threats are escalating in scope and sophistication, and new smart technologies, particularly those built on the Internet of Things, add fuel to the fires that security staff must fight. These devices are often not fully tested for security flaws, which creates hard-to-defend gaps for companies trying to proactively defend their networks and assets.

Not only is prevention becoming increasingly difficult, but many organizations are also failing at incident response. Here are four main reasons why they struggle to detect, contain, and remediate threats.

Reason 1: Inadequate Resources
As the number and sophistication of threats have grown over the past decade, there has been an explosion in the number of security tools in the enterprise. Most create more work for security analysts — more monitoring, correlating, and responding to alerts. Analysts are forced to work between multiple platforms, manually gathering data from each source, then enriching and correlating that data. Limited security budgets — compounded by the fact that it is often easier to garner executive support for additional security applications than it is for additional employees — mean that most security teams must find innovative ways to do more without increasing staff levels. Intense competition for experienced analysts often forces companies to choose between hiring one highly skilled analyst or several junior ones.

Reason 2: Alert Overload
The number of security tools in the average company has greatly increased over the years to deal with the avalanche of threats. Even when alerts from these tools are centrally managed and correlated through a security information and event management (SIEM) system, the volume of alerts often overwhelms security teams. Each alert must be manually verified and triaged by an analyst. Then, after an alert is determined to be valid, it requires additional manual research and enrichment before any action can be taken to address the potential threat. While these manual processes are taking place, other alerts sit unresolved in the queue and additional alerts continue to roll in. Any one of these simmering alerts represents a window of opportunity for attackers until it is addressed.

Reason 3: Lack of Tribal Knowledge
Training new analysts takes time, especially when security processes are manual and complex. Even when highly documented procedures are in place, companies often rely heavily on their most senior analysts to make decisions based on their experience and knowledge of the organization — something commonly referred to as tribal knowledge. The more manual and complex the security process, the longer it takes to transfer tribal knowledge.

Highly skilled analysts are extremely valuable resources. Each time a company loses a seasoned person, some tribal knowledge is lost, and incident response suffers with it. While companies strive to retain at least one experienced analyst who can transfer tribal knowledge to new hires, they are not always successful in doing so.

Reason 4: Dearth of Measurement, Management Processes
Unlike other business units — which typically have concrete, proven processes for measuring the success or failure of a program — the security department often has metrics that are abstract and subjective. That's because traditional approaches for measuring return on investment are not appropriate for security projects and can lead to inaccurate or misleading results. Properly measuring the effectiveness and efficiency of a security program requires a measurement process specially designed to meet these unique requirements.

To complicate matters, security incidents are dynamic events that often involve many moving parts at the investigation, containment, and mitigation phases. Failing to correctly manage each step of the incident response process can result in exponential increases in loss and reputational damage to the organization. To best manage security incidents, companies need a documented, repeatable process that has been thoroughly tested and is well understood by all stakeholders.

To take back control and address these shortcomings, organizations should consider these three best practices.

Orchestration
Coordinate security tools and data sources into one seamless process, often called orchestration. Technology integrations are the most common way to support it. Methods such as APIs, software development kits, and direct database connections can be used to integrate technologies such as endpoint detection and response, network detection and response, threat intelligence, IT service management, and account management.

Automation
Although orchestration and automation are closely related, their goals differ. Orchestration increases efficiency through tighter coordination and less context switching between security tools, supporting faster, better-informed decisions. Automation reduces the time those processes take by turning them into repeatable playbooks and by applying machine learning to appropriate tasks. Typically, automation is used to increase the efficiency of the orchestrated technologies, processes, and people. The key to successful automation is identifying predictable, repeatable processes that require minimal human intervention.
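As an added example (not code from the original article), the following Python playbook shows the orchestration and automation steps described in the two sections above on constructed input. Three hypothetical tools (edr, siem, ndr) emit alerts with different field names; the playbook normalises them into one schema, collapses duplicates, enriches each alert from a constructed threat-intelligence table and asset inventory, correlates across tools, scores, and routes. Every tool name, field name, IP address, asset, and scoring threshold is an assumption made for the example.

```python
# Added example: orchestration (one schema for many tools) plus automation
# (the repeatable part of triage). All data below is constructed.
from collections import Counter
from dataclasses import dataclass, field

# Constructed alerts, in the shape three hypothetical tools might emit them.
RAW_ALERTS = [
    {"source": "edr", "host": "ws-0142", "signature": "suspicious_powershell",
     "dst_ip": "203.0.113.50"},
    {"source": "siem", "src_host": "ws-0142", "rule": "outbound_to_blocklisted_ip",
     "remote": "203.0.113.50"},
    {"source": "edr", "host": "ws-0142", "signature": "suspicious_powershell",
     "dst_ip": "203.0.113.50"},                      # repeat of the first alert
    {"source": "ndr", "client": "db-prod-01", "rule": "beaconing_pattern",
     "server": "198.51.100.9"},
    {"source": "siem", "src_host": "ws-0077", "rule": "failed_logins",
     "remote": ""},
]

# Constructed enrichment sources: a threat-intel table and an asset inventory.
THREAT_INTEL = {"203.0.113.50": "known_c2", "198.51.100.9": "scanner"}
ASSETS = {
    "ws-0142": {"criticality": 2, "owner": "finance"},
    "db-prod-01": {"criticality": 5, "owner": "platform"},
    "ws-0077": {"criticality": 1, "owner": "helpdesk"},
}


@dataclass
class Alert:
    host: str
    rule: str
    remote_ip: str
    sources: list = field(default_factory=list)
    hits: int = 1            # how many raw alerts collapsed into this one
    intel: str = "none"      # threat-intel verdict on remote_ip
    criticality: int = 1     # asset criticality, 1 (low) to 5 (high)
    score: int = 0
    disposition: str = "low_priority"


def normalise(raw):
    """Orchestration: map each tool's field names onto one schema."""
    src = raw["source"]
    if src == "edr":
        return Alert(raw["host"], raw["signature"], raw["dst_ip"], [src])
    if src == "siem":
        return Alert(raw["src_host"], raw["rule"], raw["remote"], [src])
    if src == "ndr":
        return Alert(raw["client"], raw["rule"], raw["server"], [src])
    raise ValueError(f"unknown alert source: {src}")


def dedupe(alerts):
    """Collapse repeats of the same (host, rule, remote) into one alert."""
    merged = {}
    for a in alerts:
        key = (a.host, a.rule, a.remote_ip)
        if key in merged:
            merged[key].hits += 1
            merged[key].sources = sorted(set(merged[key].sources) | set(a.sources))
        else:
            merged[key] = a
    return list(merged.values())


def enrich(alerts):
    """Pull in the context an analyst would otherwise look up by hand."""
    for a in alerts:
        a.intel = THREAT_INTEL.get(a.remote_ip, "none")
        a.criticality = ASSETS.get(a.host, {}).get("criticality", 1)
    return alerts


def score_and_route(alerts):
    """Deterministic scoring and routing: the predictable part of triage.

    Thresholds are illustrative. Nothing is auto-closed; the lowest outcome
    is a low-priority queue that an analyst still reviews.
    """
    alerts_per_host = Counter(a.host for a in alerts)   # distinct alerts left after dedupe
    for a in alerts:
        s = a.criticality
        if a.intel == "known_c2":
            s += 5
        elif a.intel != "none":
            s += 2
        if alerts_per_host[a.host] >= 2:    # independent detections agree on this host
            s += 3
        a.score = s
        if s >= 8:
            a.disposition = "escalate"      # open an incident, page the on-call analyst
        elif s >= 4:
            a.disposition = "investigate"   # analyst queue, enrichment already attached
        else:
            a.disposition = "low_priority"
    return sorted(alerts, key=lambda x: x.score, reverse=True)


def run_playbook(raw_alerts):
    """Full pipeline: normalise -> dedupe -> enrich -> score and route."""
    return score_and_route(enrich(dedupe([normalise(r) for r in raw_alerts])))


if __name__ == "__main__":
    for a in run_playbook(RAW_ALERTS):
        print(f"{a.disposition:13} score={a.score:2} host={a.host:11} rule={a.rule:28} "
              f"intel={a.intel:9} hits={a.hits} via={','.join(a.sources)}")
```

The automated part is exactly the deterministic piece of triage: lookups, deduplication, cross-tool correlation, and scoring. The routing never closes an alert on its own, which is where the line between "minimal human intervention" and "no human intervention" should sit.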

Tactical and Strategic Measurement
Information to support tactical decisions typically consists of incident data, aimed at analysts and managers, which may include indicators of compromise, related events, assets, process status, and threat intelligence. This tactical information enables informed decision-making from incident triage and investigation, through containment and eradication.
Strategic information, on the other hand, typically is aimed at managers and executives and is used to make informed high-level decisions. Strategic information may include incident trends and statistics, associated costs, threat intelligence, and incident correlation. More-advanced security programs may also use strategic information to enable proactive threat hunting.
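As an added example (not from the original article), the following Python script computes both views from one set of constructed incident records: a tactical view of what is still open, how long it has sat, and whether it has breached its containment target, and a strategic view of counts, mean time to contain, and cost by category. The record layout, the severity-to-SLA table, the "now" timestamp and all costs are assumptions made for the example.

```python
# Added example: tactical and strategic incident metrics from one record set.
# Records, SLA targets and NOW are constructed for the example.
from datetime import datetime
from statistics import mean, median

# Constructed incident records; times are naive ISO-8601 in UTC, None = not reached.
INCIDENTS = [
    {"id": "INC-101", "category": "phishing", "severity": "high",
     "detected": "2018-07-02T09:00", "contained": "2018-07-02T11:00",
     "closed": "2018-07-03T09:00", "cost_usd": 4000},
    {"id": "INC-102", "category": "malware", "severity": "high",
     "detected": "2018-07-05T14:00", "contained": "2018-07-05T20:00",
     "closed": "2018-07-07T14:00", "cost_usd": 12000},
    {"id": "INC-103", "category": "phishing", "severity": "medium",
     "detected": "2018-07-10T08:00", "contained": "2018-07-10T16:00",
     "closed": "2018-07-11T08:00", "cost_usd": 1500},
    {"id": "INC-104", "category": "credential_abuse", "severity": "high",
     "detected": "2018-07-28T10:00", "contained": None,
     "closed": None, "cost_usd": None},
    {"id": "INC-105", "category": "phishing", "severity": "low",
     "detected": "2018-07-29T09:00", "contained": "2018-07-29T10:00",
     "closed": None, "cost_usd": 300},
]

# Illustrative containment targets in hours, by severity.
SLA_HOURS = {"high": 4, "medium": 24, "low": 72}

# Fixed "current time" so the example is reproducible offline.
NOW = datetime.fromisoformat("2018-07-30T12:00")


def _ts(s):
    return datetime.fromisoformat(s) if s else None


def _hours(start, end):
    return (end - start).total_seconds() / 3600


def containment_hours(inc, now):
    """Hours from detection to containment; for an uncontained incident, hours so far."""
    return _hours(_ts(inc["detected"]), _ts(inc["contained"]) or now)


def sla_breached(inc, now):
    """True once detection-to-containment exceeds the target, whether or not it is contained yet."""
    return containment_hours(inc, now) > SLA_HOURS[inc["severity"]]


def tactical_view(incidents, now):
    """Analyst/manager view: every incident still open, oldest first, with SLA state."""
    rows = []
    for inc in incidents:
        if inc["closed"] is None:
            rows.append({
                "id": inc["id"],
                "severity": inc["severity"],
                "age_hours": round(_hours(_ts(inc["detected"]), now), 1),
                "contained": inc["contained"] is not None,
                "sla_breached": sla_breached(inc, now),
            })
    return sorted(rows, key=lambda r: r["age_hours"], reverse=True)


def strategic_view(incidents, now):
    """Executive view: trends, containment times and cost, aggregated by category."""
    by_cat = {}
    for inc in incidents:
        c = by_cat.setdefault(inc["category"], {"count": 0, "ttc": [], "cost_usd": 0})
        c["count"] += 1
        if inc["contained"]:
            c["ttc"].append(containment_hours(inc, now))
        c["cost_usd"] += inc["cost_usd"] or 0
    for c in by_cat.values():
        c["mean_ttc_hours"] = round(mean(c["ttc"]), 2) if c["ttc"] else None
        del c["ttc"]
    all_ttc = [containment_hours(i, now) for i in incidents if i["contained"]]
    return {
        "by_category": by_cat,
        "mean_ttc_hours": round(mean(all_ttc), 2),
        "median_ttc_hours": round(median(all_ttc), 2),
        "sla_breach_rate": round(sum(sla_breached(i, now) for i in incidents) / len(incidents), 2),
    }


if __name__ == "__main__":
    for row in tactical_view(INCIDENTS, NOW):
        print(row)
    print(strategic_view(INCIDENTS, NOW))
```

The same records feed both views; only the aggregation differs. An open, uncontained incident counts against the SLA from the moment it was detected, so the breach rate reflects the backlog that is still simmering, not only incidents that have been closed out.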

Dario Forte started his career in IR as a member of the Italian police, and in that role he worked in the US with well-known government agencies such as NASA. He is one of the co-editors of the most relevant ISO Standard (SC 27) and, as CFE, CISM and CGEIT, he has an MBA from ...
Comments
REISEN1955, 8/3/2018 | 1:20:36 PM
5 - C-Suite IGNORANCE
Chairman of Equifax blamed their entire fiasco on ONE, JUST ONE, tech who failed to apply an update. Refine moron level of executive. And things will continue to go wrong indicative of this kindergarten level of knowledge.