Incident response - time is of the essence

Cyber-attacks are a top threat to organisations today; however, despite an increased effort to keep up with the rising scale and complexity of threats, IT teams are struggling to defend their networks, says Mike Smart.

Mike Smart, security strategist at Proofpoint

Why do so many organisations fail to successfully protect their assets despite a huge host of preventative measures? The answer is, quite literally, that time is of the essence. The following examines why rapid incident response is critical to stopping a cyber attack, the reality most organisations face and, most importantly, what tools and strategies are available to help.

A race against time – and to hire talent

The 2014 Verizon Data Breach Report found almost 90 percent of point-of-sale (PoS) intrusions saw data exfiltration just minutes after compromise. Any delay in incident response, therefore, literally means more lost records, revenue and customer goodwill. In spite of rapid losses and risks, many organisations claim it is nearly impossible to generalise how long it takes to detect and contain a threat – there are simply too many variables involved. While most security teams agree that rapid response should be a high priority, it's often difficult for organisations to address. My conversations with responsible IT managers indicate that it can take large organisations as long as two weeks to complete the incident response process if done manually.

The numerous steps required to progress from detection to containment, and ultimately resolution, are the main cause for delayed response time. Legacy incident response involves manual effort, manual data collection or transfer, and even variable human analysis that often requires double-checking for accuracy. In an informal survey of more than 50 firms, more than 80 percent were looking to hire security staff to keep up with the workload.

If large organisations, which have the time and money to put dedicated measures in place, are struggling, smaller businesses have little chance. It's no coincidence that some of the larger, more recent breaches were initiated through smaller partners of the targeted firms, allowing hackers access to the larger target. When a partner's network is vulnerable due to lack of experience, staff, or security focus, an incident or breach through that partner is embarrassing at best and crippling at worst. In that same recent informal survey of small to mid-sized enterprises, less than 90 percent had any type of incident response service level agreement (SLA). Most worked as fast as possible with whatever resources were currently available and with no concrete measurement.

Why do organisations struggle to contain threats?

The heart of the problem is the sheer scale, complexity and sophistication of the evolving threat landscape. The annual rate of new malware is quickly outpacing the ability to keep up with defensive measures. In addition, most organisations are fighting a losing battle as they do not have the time and resources required to effectively invest in and operationalise new security technologies.

Security controls, including firewalls, endpoint security, and gateway security, coupled with employee training to recognise suspicious patterns (such as phishing emails), must be constantly kept current with the latest attack vector intelligence and appropriate policies. However, keeping controls current while attacks are under way is virtually impossible to do manually, especially with limited in-house resources.

Although third parties, such as SIEM and intelligence vendors, are useful, relying on them for new functions and integration can sometimes leave IT teams vulnerable and overwhelmed due to endless configuration and filtering cycles. Some companies have revealed writing as many as 500 rules in order to filter out the noise of their security processes – and the end result lacks fidelity and actionable output.

The solution: actionable, automated, integrated intelligence

Numerous reports fundamentally establish that successful attacks will continue to happen – even with the strongest of defences. The fastest alerts are useless if there is no clear path and information that helps the IT team start effective countermeasures.

Threat response technology that takes data from all threat detection tools and narrows down the alerts with enhanced, automated external threat intelligence and internal context is essential for any organisation. Once threats are prioritised, the system should then confirm infections and help IT teams focus resources on protecting the organisation against threats. Without a doubt, timely detection, verification and protection technology is a critical security layer for any organisation trying to keep up with today's malicious threats.
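As an added illustration of the triage flow described above (example code, not the article's or Proofpoint's own), the following Python correlates alerts from several detection tools, enriches them with external threat-intelligence confidence and internal asset criticality, marks an infection as confirmed only when independent tools agree on a known-bad indicator, and measures time-to-contain against an SLA. All tool names, hosts, indicators, timestamps and scoring weights are constructed assumptions.

```python
from datetime import datetime

# Constructed sample alerts from three detection tools (not from the article).
ALERTS = [
    {"tool": "gateway",  "host": "pos-07",      "ioc": "198.51.100.23", "time": "2014-06-01T10:02:00"},
    {"tool": "endpoint", "host": "pos-07",      "ioc": "198.51.100.23", "time": "2014-06-01T10:03:30"},
    {"tool": "firewall", "host": "hr-laptop-3", "ioc": "203.0.113.9",   "time": "2014-06-01T10:05:00"},
    {"tool": "gateway",  "host": "kiosk-1",     "ioc": "192.0.2.77",    "time": "2014-06-01T10:06:00"},
]
# Constructed external threat intelligence: indicator -> confidence that it is malicious (0..1).
THREAT_INTEL = {"198.51.100.23": 0.9, "203.0.113.9": 0.4}
# Constructed internal context: asset criticality (3 = handles card data, 1 = low value).
ASSET_CRITICALITY = {"pos-07": 3, "hr-laptop-3": 2, "kiosk-1": 1}


def triage(alerts, intel, assets, min_tools=2, min_confidence=0.5):
    """Correlate raw alerts into (host, indicator) cases, enrich them and rank by priority."""
    cases = {}
    for a in alerts:
        c = cases.setdefault((a["host"], a["ioc"]), {"tools": set(), "first_seen": a["time"]})
        c["tools"].add(a["tool"])
        c["first_seen"] = min(c["first_seen"], a["time"])  # ISO-8601 strings sort chronologically
    ranked = []
    for (host, ioc), c in cases.items():
        confidence = intel.get(ioc, 0.0)
        criticality = assets.get(host, 1)
        # "Confirmed" only when independent tools agree AND the indicator is known-bad;
        # single-source or low-confidence hits stay in the queue instead of paging anyone.
        confirmed = len(c["tools"]) >= min_tools and confidence >= min_confidence
        score = round(criticality * (1 + confidence) * len(c["tools"]), 2)
        ranked.append({"host": host, "ioc": ioc, "score": score, "confirmed": confirmed,
                       "first_seen": c["first_seen"], "tools": sorted(c["tools"])})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def time_to_contain(ranked, contained_at, sla_minutes=60):
    """Minutes from first detection to containment per host; still-open cases report None."""
    report = {}
    for r in ranked:
        done = contained_at.get(r["host"])
        if done is None:
            report[r["host"]] = {"minutes": None, "breached": None}
            continue
        delta = datetime.fromisoformat(done) - datetime.fromisoformat(r["first_seen"])
        minutes = delta.total_seconds() / 60
        report[r["host"]] = {"minutes": minutes, "breached": minutes > sla_minutes}
    return report


if __name__ == "__main__":
    queue = triage(ALERTS, THREAT_INTEL, ASSET_CRITICALITY)
    for case in queue:
        print(case)
    # Constructed containment timestamps for the SLA check (kiosk-1 is still open).
    print(time_to_contain(queue, {"pos-07": "2014-06-01T10:50:00", "hr-laptop-3": "2014-06-01T12:05:00"}))
```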

Contributed by Mike Smart, security strategist at Proofpoint.