Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Dario Forte
Dario Forte
Connect Directly
E-Mail vvv

4 Reasons Why Companies Are Failing at Incident Response

When it comes to containing the business impacts of a security breach, proper planning is often the difference between success and failure.

The cybersecurity threat landscape continues to evolve and expose companies in all sectors to breaches. In 2018 alone, a diverse range of companies — including Best Buy, Delta, Orbitz, Panera, Saks Fifth Avenue, and Sears — have been victimized. 

Not only are threats escalating in scope and sophistication, new smart technologies — particularly those leveraging the Internet of Things — can add fuel to the fires that security staff need to fight. These are often not fully tested for security flaws, which create hard-to-defend gaps for companies trying to proactively defend and protect their networks and assets.

Not only is prevention becoming increasingly difficult, but many organizations are also failing at incident response. Here are four main reasons why they struggle to detect, contain, and remediate threats.

Reason 1: Inadequate Resources
As the number and sophistication of threats have grown over the past decade, there has been an explosion in the number of security tools in the enterprise. Most create more work for security analysts — more monitoring, correlating, and responding to alerts. Analysts are forced to work between multiple platforms, manually gathering data from each source, then enriching and correlating that data. Limited security budgets — compounded by the fact that it is often easier to garner executive support for additional security applications than it is for additional employees — mean that most security teams must find innovative ways to do more without increasing staff levels. Intense competition for experienced analysts often forces companies to choose between hiring one highly skilled analyst or several junior ones.

Reason 2: Alert Overload
The number of security tools in the average company has greatly increased over the years to deal with the avalanche of threats. Even when alerts from these tools are centrally managed and correlated through a security information and even management system, the volume of alerts often overwhelms security teams. Each alert must be manually verified and triaged by an analyst. Then, after an alert is determined to be valid, it requires additional manual research and enrichment before any action can be taken to address the potential threat. While these manual processes are taking place, other alerts sit unresolved in the queue and additional alerts continue to roll in. Any one of these simmering alerts can represent a window of opportunity for attackers until they are addressed.

Reason 3: Lack of Tribal Knowledge
Training new analysts takes time, especially when security processes are manual and complex. Even when highly documented procedures are in place, companies often rely heavily on their most senior analysts to make decisions based on their experience and knowledge of the organization — something commonly referred to as tribal knowledge. The more manual and complex the security process, the longer it takes to transfer tribal knowledge.

Highly skilled analysts are extremely valuable resources. Each time a company loses a seasoned person, some tribal knowledge is lost — and incident response automatically suffers. While companies strive to retain at least one experienced analyst who can transfer tribal knowledge to new hires, they are not always successful in doing so.

Reason 4: Dearth of Measurement, Management Processes
Unlike other business units — which typically have concrete, proven processes for measuring the success or failure of a program — the security department often has metrics that are abstract and subjective. That's because traditional approaches for measuring return on investment are not appropriate for security projects and can lead to inaccurate or misleading results. Properly measuring the effectiveness and efficiency of a security program requires a measurement process specially designed to meet these unique requirements.

To complicate matters, security incidents are dynamic events that often involve many moving parts at the investigation, containment, and mitigation phases. Failing to correctly manage each step of the incident response process can result in exponential increases in loss and reputational damage to the organization. To best manage security incidents, companies need a documented, repeatable process that has been thoroughly tested and is well understood by all stakeholders.

To take back control and address these shortcomings, organizations should consider these three best practices.

Coordinate security tools and data sources into one seamless process, often called orchestration. Technology integrations are the most common method used to support technology orchestration. There are numerous methods, such as APIs, software development kits, and direct database connections, which can be used to integrate technologies such as endpoint detection and response, network detection and infrastructure, threat intelligence, IT service management, and account management.

Although the concepts of orchestration and automation are closely related, their goals are fundamentally different. While orchestration is intended to increase efficiency through increased coordination and decreased context switching between security tools to support faster, more informed decision-making, automation is intended to reduce the time these processes through repeatable processes and applying machine learning to appropriate tasks. Typically, automation is utilized to increase the efficiency of the orchestrated technologies, processes, and people. The key to successful automation is the identification of predictable, repeatable processes that require minimal human intervention. 

Tactical and Strategic Measurement
Information to support tactical decisions typically consists of incident data, aimed at analysts and managers, which may include indicators of compromise, related events, assets, process status, and threat intelligence. This tactical information enables informed decision-making from incident triage and investigation, through containment and eradication.
Strategic information, on the other hand, typically is aimed at managers and executives and is used to make informed high-level decisions. Strategic information may include incident trends and statistics, associated costs, threat intelligence, and incident correlation. More-advanced security programs may also use strategic information to enable proactive threat hunting.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early-bird rate ends August 31. Click for more info

Dario Forte started his career in IR as a member of the Italian police, and in that role he worked in the US with well-known government agencies such as NASA. He is one of the co-editors of the most relevant ISO Standard (SC 27) and, as CFE, CISM and CGEIT, he has an MBA from ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
8/3/2018 | 1:20:36 PM
Chairman of Equifax blamed their entire fiasco on ONE, JUST ONE, Tech who failed to apply an update. Refine moron level of executive.   And things will continue to go wrong indicative of this kindergarten level of knowledge.
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-17
Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename pa...
PUBLISHED: 2020-01-17
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not incl...
PUBLISHED: 2020-01-17
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump with an untrusted inde...
PUBLISHED: 2020-01-17
It was found that the Red Hat Enterprise Linux 8 kpatch update did not include the complete fix for CVE-2018-12207. A flaw was found in the way Intel CPUs handle inconsistency between, virtual to physical memory address translations in CPU's local cache and system software's Paging structure entries...
PUBLISHED: 2020-01-17
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-1382. Reason: This candidate is a reservation duplicate of CVE-2008-1382. Notes: All CVE users should reference CVE-2008-1382 instead of this candidate. All references and descriptions in this candidate have been removed to prevent ...