Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Dario Forte
Dario Forte
Connect Directly
E-Mail vvv

4 Reasons Why Companies Are Failing at Incident Response

When it comes to containing the business impacts of a security breach, proper planning is often the difference between success and failure.

The cybersecurity threat landscape continues to evolve and expose companies in all sectors to breaches. In 2018 alone, a diverse range of companies — including Best Buy, Delta, Orbitz, Panera, Saks Fifth Avenue, and Sears — have been victimized. 

Not only are threats escalating in scope and sophistication, new smart technologies — particularly those leveraging the Internet of Things — can add fuel to the fires that security staff need to fight. These are often not fully tested for security flaws, which create hard-to-defend gaps for companies trying to proactively defend and protect their networks and assets.

Not only is prevention becoming increasingly difficult, but many organizations are also failing at incident response. Here are four main reasons why they struggle to detect, contain, and remediate threats.

Reason 1: Inadequate Resources
As the number and sophistication of threats have grown over the past decade, there has been an explosion in the number of security tools in the enterprise. Most create more work for security analysts — more monitoring, correlating, and responding to alerts. Analysts are forced to work between multiple platforms, manually gathering data from each source, then enriching and correlating that data. Limited security budgets — compounded by the fact that it is often easier to garner executive support for additional security applications than it is for additional employees — mean that most security teams must find innovative ways to do more without increasing staff levels. Intense competition for experienced analysts often forces companies to choose between hiring one highly skilled analyst or several junior ones.

Reason 2: Alert Overload
The number of security tools in the average company has greatly increased over the years to deal with the avalanche of threats. Even when alerts from these tools are centrally managed and correlated through a security information and even management system, the volume of alerts often overwhelms security teams. Each alert must be manually verified and triaged by an analyst. Then, after an alert is determined to be valid, it requires additional manual research and enrichment before any action can be taken to address the potential threat. While these manual processes are taking place, other alerts sit unresolved in the queue and additional alerts continue to roll in. Any one of these simmering alerts can represent a window of opportunity for attackers until they are addressed.

Reason 3: Lack of Tribal Knowledge
Training new analysts takes time, especially when security processes are manual and complex. Even when highly documented procedures are in place, companies often rely heavily on their most senior analysts to make decisions based on their experience and knowledge of the organization — something commonly referred to as tribal knowledge. The more manual and complex the security process, the longer it takes to transfer tribal knowledge.

Highly skilled analysts are extremely valuable resources. Each time a company loses a seasoned person, some tribal knowledge is lost — and incident response automatically suffers. While companies strive to retain at least one experienced analyst who can transfer tribal knowledge to new hires, they are not always successful in doing so.

Reason 4: Dearth of Measurement, Management Processes
Unlike other business units — which typically have concrete, proven processes for measuring the success or failure of a program — the security department often has metrics that are abstract and subjective. That's because traditional approaches for measuring return on investment are not appropriate for security projects and can lead to inaccurate or misleading results. Properly measuring the effectiveness and efficiency of a security program requires a measurement process specially designed to meet these unique requirements.

To complicate matters, security incidents are dynamic events that often involve many moving parts at the investigation, containment, and mitigation phases. Failing to correctly manage each step of the incident response process can result in exponential increases in loss and reputational damage to the organization. To best manage security incidents, companies need a documented, repeatable process that has been thoroughly tested and is well understood by all stakeholders.

To take back control and address these shortcomings, organizations should consider these three best practices.

Coordinate security tools and data sources into one seamless process, often called orchestration. Technology integrations are the most common method used to support technology orchestration. There are numerous methods, such as APIs, software development kits, and direct database connections, which can be used to integrate technologies such as endpoint detection and response, network detection and infrastructure, threat intelligence, IT service management, and account management.

Although the concepts of orchestration and automation are closely related, their goals are fundamentally different. While orchestration is intended to increase efficiency through increased coordination and decreased context switching between security tools to support faster, more informed decision-making, automation is intended to reduce the time these processes through repeatable processes and applying machine learning to appropriate tasks. Typically, automation is utilized to increase the efficiency of the orchestrated technologies, processes, and people. The key to successful automation is the identification of predictable, repeatable processes that require minimal human intervention. 

Tactical and Strategic Measurement
Information to support tactical decisions typically consists of incident data, aimed at analysts and managers, which may include indicators of compromise, related events, assets, process status, and threat intelligence. This tactical information enables informed decision-making from incident triage and investigation, through containment and eradication.
Strategic information, on the other hand, typically is aimed at managers and executives and is used to make informed high-level decisions. Strategic information may include incident trends and statistics, associated costs, threat intelligence, and incident correlation. More-advanced security programs may also use strategic information to enable proactive threat hunting.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early-bird rate ends August 31. Click for more info

Dario Forte started his career in IR as a member of the Italian police, and in that role he worked in the US with well-known government agencies such as NASA. He is one of the co-editors of the most relevant ISO Standard (SC 27) and, as CFE, CISM and CGEIT, he has an MBA from ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
8/3/2018 | 1:20:36 PM
Chairman of Equifax blamed their entire fiasco on ONE, JUST ONE, Tech who failed to apply an update. Refine moron level of executive.   And things will continue to go wrong indicative of this kindergarten level of knowledge.
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This gives a new meaning to blind leading the blind.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-16
ZOLL Defibrillator Dashboard, v prior to 2.2,The affected product’s web application could allow a low privilege user to inject parameters to contain malicious scripts to be executed by higher privilege users.
PUBLISHED: 2021-06-16
ZOLL Defibrillator Dashboard, v prior to 2.2,The affected products contain insecure filesystem permissions that could allow a lower privilege user to escalate privileges to an administrative level user.
PUBLISHED: 2021-06-16
ZOLL Defibrillator Dashboard, v prior to 2.2,The application allows users to store their passwords in a recoverable format, which could allow an attacker to retrieve the credentials from the web browser.
PUBLISHED: 2021-06-16
Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732.
PUBLISHED: 2021-06-16
In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, attackers are able to retrieve credentials via a browser extension for non-website resource types.