10:30 AM
Dario Forte
Dario Forte
Connect Directly
E-Mail vvv

4 Reasons Why Companies Are Failing at Incident Response

When it comes to containing the business impacts of a security breach, proper planning is often the difference between success and failure.

The cybersecurity threat landscape continues to evolve and expose companies in all sectors to breaches. In 2018 alone, a diverse range of companies — including Best Buy, Delta, Orbitz, Panera, Saks Fifth Avenue, and Sears — have been victimized. 

Not only are threats escalating in scope and sophistication, new smart technologies — particularly those leveraging the Internet of Things — can add fuel to the fires that security staff need to fight. These are often not fully tested for security flaws, which create hard-to-defend gaps for companies trying to proactively defend and protect their networks and assets.

Not only is prevention becoming increasingly difficult, but many organizations are also failing at incident response. Here are four main reasons why they struggle to detect, contain, and remediate threats.

Reason 1: Inadequate Resources
As the number and sophistication of threats have grown over the past decade, there has been an explosion in the number of security tools in the enterprise. Most create more work for security analysts — more monitoring, correlating, and responding to alerts. Analysts are forced to work between multiple platforms, manually gathering data from each source, then enriching and correlating that data. Limited security budgets — compounded by the fact that it is often easier to garner executive support for additional security applications than it is for additional employees — mean that most security teams must find innovative ways to do more without increasing staff levels. Intense competition for experienced analysts often forces companies to choose between hiring one highly skilled analyst or several junior ones.

Reason 2: Alert Overload
The number of security tools in the average company has greatly increased over the years to deal with the avalanche of threats. Even when alerts from these tools are centrally managed and correlated through a security information and even management system, the volume of alerts often overwhelms security teams. Each alert must be manually verified and triaged by an analyst. Then, after an alert is determined to be valid, it requires additional manual research and enrichment before any action can be taken to address the potential threat. While these manual processes are taking place, other alerts sit unresolved in the queue and additional alerts continue to roll in. Any one of these simmering alerts can represent a window of opportunity for attackers until they are addressed.

Reason 3: Lack of Tribal Knowledge
Training new analysts takes time, especially when security processes are manual and complex. Even when highly documented procedures are in place, companies often rely heavily on their most senior analysts to make decisions based on their experience and knowledge of the organization — something commonly referred to as tribal knowledge. The more manual and complex the security process, the longer it takes to transfer tribal knowledge.

Highly skilled analysts are extremely valuable resources. Each time a company loses a seasoned person, some tribal knowledge is lost — and incident response automatically suffers. While companies strive to retain at least one experienced analyst who can transfer tribal knowledge to new hires, they are not always successful in doing so.

Reason 4: Dearth of Measurement, Management Processes
Unlike other business units — which typically have concrete, proven processes for measuring the success or failure of a program — the security department often has metrics that are abstract and subjective. That's because traditional approaches for measuring return on investment are not appropriate for security projects and can lead to inaccurate or misleading results. Properly measuring the effectiveness and efficiency of a security program requires a measurement process specially designed to meet these unique requirements.

To complicate matters, security incidents are dynamic events that often involve many moving parts at the investigation, containment, and mitigation phases. Failing to correctly manage each step of the incident response process can result in exponential increases in loss and reputational damage to the organization. To best manage security incidents, companies need a documented, repeatable process that has been thoroughly tested and is well understood by all stakeholders.

To take back control and address these shortcomings, organizations should consider these three best practices.

Coordinate security tools and data sources into one seamless process, often called orchestration. Technology integrations are the most common method used to support technology orchestration. There are numerous methods, such as APIs, software development kits, and direct database connections, which can be used to integrate technologies such as endpoint detection and response, network detection and infrastructure, threat intelligence, IT service management, and account management.

Although the concepts of orchestration and automation are closely related, their goals are fundamentally different. While orchestration is intended to increase efficiency through increased coordination and decreased context switching between security tools to support faster, more informed decision-making, automation is intended to reduce the time these processes through repeatable processes and applying machine learning to appropriate tasks. Typically, automation is utilized to increase the efficiency of the orchestrated technologies, processes, and people. The key to successful automation is the identification of predictable, repeatable processes that require minimal human intervention. 

Tactical and Strategic Measurement
Information to support tactical decisions typically consists of incident data, aimed at analysts and managers, which may include indicators of compromise, related events, assets, process status, and threat intelligence. This tactical information enables informed decision-making from incident triage and investigation, through containment and eradication.
Strategic information, on the other hand, typically is aimed at managers and executives and is used to make informed high-level decisions. Strategic information may include incident trends and statistics, associated costs, threat intelligence, and incident correlation. More-advanced security programs may also use strategic information to enable proactive threat hunting.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early-bird rate ends August 31. Click for more info

Dario Forte started his career in IR as a member of the Italian police, and in that role he worked in the US with well-known government agencies such as NASA. He is one of the co-editors of the most relevant ISO Standard (SC 27) and, as CFE, CISM and CGEIT, he has an MBA from ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
8/3/2018 | 1:20:36 PM
Chairman of Equifax blamed their entire fiasco on ONE, JUST ONE, Tech who failed to apply an update. Refine moron level of executive.   And things will continue to go wrong indicative of this kindergarten level of knowledge.
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-02-16
In Hiawatha before 10.8.4, a remote attacker is able to do directory traversal if AllowDotFiles is enabled.
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.