Dario Forte
4 Reasons Why Companies Are Failing at Incident Response

When it comes to containing the business impacts of a security breach, proper planning is often the difference between success and failure.

The cybersecurity threat landscape continues to evolve and expose companies in all sectors to breaches. In 2018 alone, a diverse range of companies — including Best Buy, Delta, Orbitz, Panera, Saks Fifth Avenue, and Sears — have been victimized. 

Not only are threats escalating in scope and sophistication, but new smart technologies, particularly those built on the Internet of Things, can add fuel to the fires that security staff need to fight. These devices are often not fully tested for security flaws before deployment, which creates hard-to-defend gaps for companies trying to proactively defend and protect their networks and assets.

Not only is prevention becoming increasingly difficult, but many organizations are also failing at incident response. Here are four main reasons why they struggle to detect, contain, and remediate threats.

Reason 1: Inadequate Resources
As the number and sophistication of threats have grown over the past decade, there has been an explosion in the number of security tools in the enterprise. Most create more work for security analysts — more monitoring, correlating, and responding to alerts. Analysts are forced to work between multiple platforms, manually gathering data from each source, then enriching and correlating that data. Limited security budgets — compounded by the fact that it is often easier to garner executive support for additional security applications than it is for additional employees — mean that most security teams must find innovative ways to do more without increasing staff levels. Intense competition for experienced analysts often forces companies to choose between hiring one highly skilled analyst or several junior ones.

Reason 2: Alert Overload
The number of security tools in the average company has greatly increased over the years to deal with the avalanche of threats. Even when alerts from these tools are centrally managed and correlated through a security information and event management (SIEM) system, the volume of alerts often overwhelms security teams. Each alert must be manually verified and triaged by an analyst. Then, after an alert is determined to be valid, it requires additional manual research and enrichment before any action can be taken to address the potential threat. While these manual processes are taking place, other alerts sit unresolved in the queue and additional alerts continue to roll in. Every one of those unresolved alerts is a window of opportunity for an attacker until it is addressed.

Reason 3: Lack of Tribal Knowledge
Training new analysts takes time, especially when security processes are manual and complex. Even when highly documented procedures are in place, companies often rely heavily on their most senior analysts to make decisions based on their experience and knowledge of the organization — something commonly referred to as tribal knowledge. The more manual and complex the security process, the longer it takes to transfer tribal knowledge.

Highly skilled analysts are extremely valuable resources. Each time a company loses a seasoned person, some tribal knowledge is lost — and incident response automatically suffers. While companies strive to retain at least one experienced analyst who can transfer tribal knowledge to new hires, they are not always successful in doing so.

Reason 4: Dearth of Measurement, Management Processes
Unlike other business units — which typically have concrete, proven processes for measuring the success or failure of a program — the security department often has metrics that are abstract and subjective. That's because traditional approaches for measuring return on investment are not appropriate for security projects and can lead to inaccurate or misleading results. Properly measuring the effectiveness and efficiency of a security program requires a measurement process specially designed to meet these unique requirements.

To complicate matters, security incidents are dynamic events that often involve many moving parts at the investigation, containment, and mitigation phases. Failing to correctly manage each step of the incident response process can result in exponential increases in loss and reputational damage to the organization. To best manage security incidents, companies need a documented, repeatable process that has been thoroughly tested and is well understood by all stakeholders.

To take back control and address these shortcomings, organizations should consider these three best practices.

Coordinate security tools and data sources into one seamless process, often called orchestration. Technology integrations are the most common way to support orchestration. There are numerous integration methods, such as APIs, software development kits, and direct database connections, which can be used to connect technologies such as endpoint detection and response, network detection, infrastructure monitoring, threat intelligence, IT service management, and account management.

Although the concepts of orchestration and automation are closely related, their goals are fundamentally different. Orchestration is intended to increase efficiency through better coordination and less context switching between security tools, to support faster, more informed decision-making. Automation is intended to reduce the time these processes take by executing repeatable steps without human intervention and by applying machine learning to appropriate tasks. Typically, automation is used to increase the efficiency of the orchestrated technologies, processes, and people. The key to successful automation is identifying predictable, repeatable processes that require minimal human judgment; anything that still needs an analyst's call should be routed to one, not decided by a script.
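The following is an added example, not code from the article or from any product it mentions. It shows the orchestration/automation split in a small triage pipeline: the orchestration step pulls asset-inventory and threat-intel context into each alert, the correlation step collapses repeats into one case, and the automation step makes a decision only for the two predictable patterns it knows, sending everything else to an analyst. The alerts, the asset inventory, the threat-intel feed and the five-minute correlation window are all constructed for the example; in a real deployment each lookup would be an API call into the EDR, CMDB/ITSM and threat-intel platforms.

```python
"""Added example (not from the article): alert triage with orchestration
(context enrichment) separated from automation (rule-based disposition)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed threat-intel feed: indicator -> label an analyst would otherwise look up by hand.
THREAT_INTEL = {
    "198.51.100.23": "known C2 infrastructure",
    "203.0.113.9": "mass scanner",
}

# Constructed asset inventory, standing in for a CMDB / ITSM lookup.
ASSETS = {
    "10.0.0.5": {"hostname": "db-prod-01", "owner": "dba-team", "criticality": "high"},
    "10.0.0.42": {"hostname": "laptop-jsmith", "owner": "jsmith", "criticality": "low"},
}

# Constructed alerts as delivered by three separate tools (IDS, EDR, auth logs).
ALERTS = [
    {"id": "A1", "tool": "ids", "ts": "2018-08-01T10:00:00", "src": "203.0.113.9", "dst": "10.0.0.42", "rule": "port_scan"},
    {"id": "A2", "tool": "ids", "ts": "2018-08-01T10:00:07", "src": "203.0.113.9", "dst": "10.0.0.42", "rule": "port_scan"},
    {"id": "A3", "tool": "edr", "ts": "2018-08-01T10:02:00", "src": "10.0.0.5", "dst": "198.51.100.23", "rule": "outbound_beacon"},
    {"id": "A4", "tool": "auth", "ts": "2018-08-01T10:03:00", "src": "10.0.0.42", "dst": "10.0.0.5", "rule": "failed_logins"},
    {"id": "A5", "tool": "ids", "ts": "2018-08-01T10:30:00", "src": "203.0.113.9", "dst": "10.0.0.42", "rule": "port_scan"},
]

CORRELATION_WINDOW = timedelta(minutes=5)  # assumed for the example


@dataclass
class Case:
    rule: str
    src: str
    dst: str
    first_seen: datetime
    alert_ids: list = field(default_factory=list)
    intel: dict = field(default_factory=dict)   # ip -> threat-intel label
    assets: dict = field(default_factory=dict)  # ip -> inventory record
    disposition: str = "analyst_review"
    reason: str = ""


def enrich(alert):
    """Orchestration: attach asset and threat-intel context to a single alert."""
    ips = (alert["src"], alert["dst"])
    return {
        "intel": {ip: THREAT_INTEL[ip] for ip in ips if ip in THREAT_INTEL},
        "assets": {ip: ASSETS[ip] for ip in ips if ip in ASSETS},
    }


def correlate(alerts):
    """Collapse repeated (rule, src, dst) alerts inside the window into one case."""
    cases = []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        ctx = enrich(a)
        for c in cases:
            same_triple = (c.rule, c.src, c.dst) == (a["rule"], a["src"], a["dst"])
            if same_triple and ts - c.first_seen <= CORRELATION_WINDOW:
                c.alert_ids.append(a["id"])
                break
        else:  # no open case matched: open a new one
            cases.append(Case(a["rule"], a["src"], a["dst"], ts, [a["id"]], ctx["intel"], ctx["assets"]))
    return cases


def decide(case):
    """Automation: only predictable, repeatable patterns get an automatic decision."""
    target = case.assets.get(case.dst, {})
    if case.rule == "outbound_beacon" and case.dst in case.intel:
        # Internal host talking to known C2: never auto-close, page the on-call analyst.
        return "escalate", f"{case.src} beaconing to {case.intel[case.dst]}"
    if (case.rule == "port_scan" and case.intel.get(case.src) == "mass scanner"
            and target.get("criticality") == "low"):
        # Commodity scanning against a low-value asset: record and close, no analyst time.
        return "auto_close", "commodity scan from known scanner against low-criticality asset"
    return "analyst_review", "no automatic rule matched"


def triage(alerts):
    """Run the full pipeline; returns cases in order of first appearance."""
    cases = correlate(alerts)
    for c in cases:
        c.disposition, c.reason = decide(c)
    return cases


if __name__ == "__main__":
    for c in triage(ALERTS):
        print(c.alert_ids, c.rule, c.disposition, "-", c.reason)
```

Five alerts become four cases, two of which need no analyst at all. The point of the `decide` function is its conservatism: a beacon to known C2 infrastructure is escalated rather than auto-contained, because containing a production database host is a judgment call, and the fallback for anything unrecognised is a human, not a silent close.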

Tactical and Strategic Measurement
Information to support tactical decisions typically consists of incident data, aimed at analysts and managers, which may include indicators of compromise, related events, assets, process status, and threat intelligence. This tactical information enables informed decision-making from incident triage and investigation, through containment and eradication.
Strategic information, on the other hand, typically is aimed at managers and executives and is used to make informed high-level decisions. Strategic information may include incident trends and statistics, associated costs, threat intelligence, and incident correlation. More-advanced security programs may also use strategic information to enable proactive threat hunting.
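As an added example, not from the article, the block below derives both views from the same raw incident records: a tactical view of what is open right now and how far it has slipped, and a strategic view of counts, median time to detect, median time to contain, cost and SLA breaches per category and per month. The incident records, the reference time and the 24-hour detection / 72-hour containment SLA thresholds are constructed assumptions for the example.

```python
"""Added example (not from the article): tactical and strategic incident
metrics computed from one set of constructed incident records."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed incident records. None means that stage has not been reached yet.
INCIDENTS = [
    {"id": "INC-1", "category": "phishing", "occurred": "2018-07-02T08:00:00", "detected": "2018-07-02T10:00:00",
     "contained": "2018-07-02T14:00:00", "closed": "2018-07-03T09:00:00", "cost_usd": 800},
    {"id": "INC-2", "category": "phishing", "occurred": "2018-07-10T09:00:00", "detected": "2018-07-11T15:00:00",
     "contained": "2018-07-11T18:00:00", "closed": "2018-07-12T10:00:00", "cost_usd": 1500},
    {"id": "INC-3", "category": "malware", "occurred": "2018-07-15T02:00:00", "detected": "2018-07-15T03:00:00",
     "contained": "2018-07-18T05:00:00", "closed": "2018-07-20T09:00:00", "cost_usd": 9000},
    {"id": "INC-4", "category": "malware", "occurred": "2018-07-30T00:00:00", "detected": "2018-07-30T12:00:00",
     "contained": None, "closed": None, "cost_usd": 0},
    {"id": "INC-5", "category": "misconfig", "occurred": "2018-08-02T00:00:00", "detected": "2018-08-02T01:00:00",
     "contained": "2018-08-02T02:00:00", "closed": "2018-08-02T05:00:00", "cost_usd": 200},
]

NOW = "2018-08-03T12:00:00"          # assumed reference time for the example
SLA_HOURS = {"detect": 24, "contain": 72}  # assumed thresholds


def _hours(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def tactical_view(incidents, now=NOW):
    """Analyst/manager view: what is still open, how old it is, and what has slipped its SLA."""
    rows = []
    for inc in incidents:
        if inc["closed"] is not None:
            continue
        age = _hours(inc["detected"], now)
        rows.append({
            "id": inc["id"],
            "category": inc["category"],
            "age_hours": age,
            "contained": inc["contained"] is not None,
            "contain_sla_breached": inc["contained"] is None and age > SLA_HOURS["contain"],
        })
    return sorted(rows, key=lambda r: -r["age_hours"])  # oldest first


def strategic_view(incidents, now=NOW):
    """Executive view: trends and statistics per category and per month."""
    by_cat = defaultdict(lambda: {"count": 0, "ttd": [], "ttc": [], "cost_usd": 0,
                                  "detect_sla_breaches": 0, "contain_sla_breaches": 0})
    by_month = defaultdict(int)
    for inc in incidents:
        s = by_cat[inc["category"]]
        s["count"] += 1
        s["cost_usd"] += inc["cost_usd"]
        ttd = _hours(inc["occurred"], inc["detected"])          # time to detect
        s["ttd"].append(ttd)
        if ttd > SLA_HOURS["detect"]:
            s["detect_sla_breaches"] += 1
        # Time to contain; an uncontained incident is measured against "now" so a
        # still-open breach counts rather than disappearing from the statistics.
        ttc = _hours(inc["detected"], inc["contained"] or now)
        if inc["contained"] is not None:
            s["ttc"].append(ttc)
        if ttc > SLA_HOURS["contain"]:
            s["contain_sla_breaches"] += 1
        by_month[inc["detected"][:7]] += 1
    summary = {}
    for cat, s in by_cat.items():
        summary[cat] = {
            "count": s["count"],
            "median_ttd_hours": median(s["ttd"]),
            "median_ttc_hours": median(s["ttc"]) if s["ttc"] else None,
            "cost_usd": s["cost_usd"],
            "detect_sla_breaches": s["detect_sla_breaches"],
            "contain_sla_breaches": s["contain_sla_breaches"],
        }
    return {"by_category": summary, "by_month": dict(by_month)}


if __name__ == "__main__":
    print(tactical_view(INCIDENTS))
    print(strategic_view(INCIDENTS))
```

Medians rather than means are used for time to detect and contain because a single long-running incident would otherwise dominate the figure; keeping the open, uncontained incident in the breach count is the design choice that stops the strategic numbers from flattering a team that simply has not closed its worst case yet.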


Dario Forte started his career in IR as a member of the Italian police, and in that role he worked in the US with well-known government agencies such as NASA. He is one of the co-editors of the most relevant ISO Standard (SC 27) and, as CFE, CISM and CGEIT, he has an MBA from ...
8/3/2018 | 1:20:36 PM
Chairman of Equifax blamed their entire fiasco on ONE, JUST ONE, Tech who failed to apply an update. Refine moron level of executive.   And things will continue to go wrong indicative of this kindergarten level of knowledge.