
6/30/2020
04:30 PM
Dark Reading
Products and Releases

IBM Study: Security Response Planning on the Rise, But Containing Attacks Remains an Issue

Global Survey Finds More Security Tools Lead to Less-Effective Security Response; Most Organizations Don't Have Specific Plans for Common and Emerging Attacks

CAMBRIDGE, Mass., June 30, 2020 -- IBM (NYSE: IBM) Security today announced the results of an annual study examining businesses’ effectiveness in preparing for and responding to cyberattacks. While organizations have slowly improved in their ability to plan for, detect and respond to cyberattacks over the past five years, their ability to contain an attack has declined by 13% during this same period. Based on the global survey, security response efforts were hindered by the use of too many security tools, as well as a lack of specific playbooks for common attack types. 
 
While security response planning is slowly improving, the vast majority of organizations (74%) are still reporting that their plans are either ad-hoc, applied inconsistently, or that they have no plans at all. This lack of planning can dramatically impact the cost of security incidents, as companies that have incident response teams and extensively test their incident response plans spend an average of $1.2 million less on data breaches than those who have both of these cost-saving factors in place.[1]
 
The fifth annual Cyber Resilient Organization Report is based on a global survey conducted by Ponemon Institute and sponsored by IBM Security. Key findings from the study include:
  • Slowly Improving: More organizations have adopted formal, enterprise-wide security response plans over the past 5 years, growing from 18% of respondents in 2015 to 26% in this year’s report (a 44% improvement).
  • Playbooks Needed: Even amongst those with a formal security response plan, only one third (representing 17% of total respondents) had developed specific playbooks for common attack types – and plans for emerging attack methods like ransomware lagged even further behind.
  • Complexity Hinders Response: The number of security tools an organization was using had a negative impact across multiple categories of the threat lifecycle. Organizations using 50+ security tools ranked themselves 8% lower in their ability to detect and 7% lower in their ability to respond to an attack than those with fewer tools.
  • Better Planning, Less Disruption: Companies with formal security response plans applied across the business were much less likely to experience significant disruption as the result of a cyberattack; over the past two years, only 39% of these companies experienced a disruptive security incident, compared to 62% of those with less formal/consistent plans.[2]
 
"While more organizations are taking incident response planning seriously, preparing for cyberattacks isn’t a one and done activity," said Wendi Whitmore, Vice President of IBM X-Force Threat Intelligence. "Organizations must also focus on testing, practicing and reassessing their response plans regularly. Leveraging interoperable technologies and automation can also help overcome complexity challenges and speed the time it takes to contain an incident.” 
 
Updating Playbook for Emerging Threats
The survey found that even amongst organizations with a formal cybersecurity incident response plan (CSIRP), only 33% had playbooks in place for specific types of attacks. Since different breeds of attack require unique response techniques, having pre-defined playbooks provides organizations with consistent and repeatable action plans for the most common attacks they are likely to face.   
 
Amongst the minority of organizations who do have attack-specific playbooks, the most common playbooks are for DDoS attacks (64%) and malware (57%). While these methods have historically been top issues for the enterprise, additional attack methods such as ransomware are on the rise. While ransomware attacks have spiked nearly 70% in recent years,[3] only 45% of those in the survey using playbooks had designated plans for ransomware attacks. 
 
Additionally, more than half (52%) of those with security response plans said they have never reviewed or have no set time period for reviewing/testing those plans. With business operations changing rapidly due to an increasingly remote workforce, and new attack techniques constantly being introduced, this data suggests that many businesses are relying on outdated response plans which don’t reflect the current threat and business landscape. 
 
More Tools Led to Worse Response Capabilities
The report also found that complexity is negatively impacting incident response capabilities. Those surveyed estimated their organization was using more than 45 different security tools on average, and that each incident they responded to required coordination across around 19 tools on average. However, the study also found that an over-abundance of tools may actually hinder organizations' ability to handle attacks. In the survey, those using more than 50 tools ranked themselves 8% lower in their ability to detect an attack (5.83/10 vs. 6.66/10), and around 7% lower when it comes to responding to an attack (5.95/10 vs. 6.72/10).
 
These findings suggest that adopting more tools doesn’t necessarily improve security response efforts – in fact, it may do the opposite. The use of open, interoperable platforms as well as automation technologies can help reduce the complexity of responding across disconnected tools. Amongst high performing organizations in the report, 63% said the use of interoperable tools helped them improve their response to cyberattacks.
 
Better Planning Pays Off
This year’s report provides clear evidence that organizations who invest in formal planning are more successful in responding to incidents. Amongst companies with a CSIRP applied consistently across the business, only 39% experienced an incident that resulted in a significant disruption to the organization within the past two years – compared to 62% of those who didn’t have a formal plan in place. 
 
Looking at specific reasons that organizations cited for their ability to respond to attacks, security workforce skills were found to be a top factor. 61% of those surveyed attributed hiring skilled employees as a top reason for becoming more resilient; amongst those who said their resiliency did not improve, 41% cited the lack of skilled employees as the top reason. 
 
Technology was another differentiator that helped organizations become more cyber resilient, especially when it comes to tools that helped them resolve complexity. Looking at organizations with higher levels of cyber resilience, the top two factors cited for improving their level of cyber resilience were visibility into applications and data (57% selecting) and automation tools (55% selecting). Overall, the data suggests that organizations who are more mature in their response preparedness rely more heavily on technology innovations to become more resilient.
 
 
About the Study
Conducted by the Ponemon Institute and sponsored by IBM Security, the 2020 Cyber Resilient Organization Report is the fifth installment covering organizations’ ability to properly prepare for and handle cyberattacks. The survey features insight from more than 3,400 security and IT professionals from around the world, including the United States, India, Germany, United Kingdom, Brazil, Japan, Australia, France, Canada, ASEAN, and the Middle East.
 
 
 
About IBM Security
IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force® research, enables organizations to effectively manage risk and defend against emerging threats. IBM operates one of the world's broadest security research, development and delivery organizations, monitors 70 billion security events per day in more than 130 countries, and has been granted more than 10,000 security patents worldwide. For more information, please check www.ibm.com/security, follow @IBMSecurity on Twitter or visit the IBM Security Intelligence blog.
 
 
 
 
