Incident-response discipline suffering as firefighting takes its toll on security visibility

Lack of people, time means most companies too busy trying to keep up to actively track incident performance

Security staff recognise the importance of rapid response to security incidents but are still struggling to implement actionable response policies and spend most of their time in ‘firefighting mode’, according to a user survey that also found businesses are dealing with an average of 346 security incidents every week.

A surfeit of security tools was complicating the process of developing a consistent security response, Demisto’s State of Incident Response survey of 250 managers and security analysts concluded.

With each of those security incidents requiring more than 2 days on average to resolve, incident response teams were struggling to keep up. This was due, in large part, to a lack of people and time – named by 45 percent and 43 percent of respondents, respectively, as being very challenging.

The need to improve processes and results; reporting structures; capturing and analysing metrics; and tracking and assigning incidents were also named as key challenges in improving incident response.

More than 40 percent of respondents had no formal system to measure incident-response metrics, while only 14.5 percent of respondents said they had formal mean time to respond (MTTR) targets.
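Having a formal system for incident-response metrics means more than recording how long each ticket stays open. As an added example (not from the article or the survey it reports on), the following script computes MTTR over constructed incident records, reports the median alongside the mean because a few long-running incidents skew the mean, breaks the figure down by severity and checks it against hypothetical per-severity targets; the record set and the target hours are assumptions, not figures from the page.

```python
"""Compute incident-response metrics (MTTR and target compliance) from incident records.

Added example: the records and targets below are constructed, not taken from the
article or from Demisto's survey.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Dict, List, Optional

# Constructed sample records: (id, detected_at, resolved_at or None if still open, severity)
SAMPLE_INCIDENTS = [
    ("INC-0001", "2017-09-04T08:15:00", "2017-09-04T11:45:00", "high"),
    ("INC-0002", "2017-09-04T09:00:00", "2017-09-07T09:30:00", "medium"),
    ("INC-0003", "2017-09-05T13:20:00", "2017-09-05T13:50:00", "low"),
    ("INC-0004", "2017-09-05T16:00:00", "2017-09-09T10:00:00", "high"),
    ("INC-0005", "2017-09-06T07:30:00", None, "medium"),  # still open
]

# Hypothetical MTTR targets in hours per severity; each organisation sets its own.
MTTR_TARGET_HOURS = {"high": 24, "medium": 72, "low": 168}


@dataclass
class Incident:
    ident: str
    detected_at: datetime
    resolved_at: Optional[datetime]
    severity: str

    def hours_to_resolve(self) -> Optional[float]:
        """Detection-to-resolution time in hours, or None while the incident is open."""
        if self.resolved_at is None:
            return None
        return (self.resolved_at - self.detected_at) / timedelta(hours=1)


def load_incidents(rows) -> List[Incident]:
    """Parse ISO 8601 timestamps into Incident objects."""
    return [
        Incident(
            ident=i,
            detected_at=datetime.fromisoformat(d),
            resolved_at=datetime.fromisoformat(r) if r else None,
            severity=s,
        )
        for i, d, r, s in rows
    ]


def resolved_hours(incidents: List[Incident]) -> List[float]:
    """Resolution times of closed incidents only; open ones are excluded, not counted as zero."""
    return [h for h in (inc.hours_to_resolve() for inc in incidents) if h is not None]


def mttr_hours(incidents: List[Incident]) -> float:
    """Mean time to resolve over closed incidents."""
    return mean(resolved_hours(incidents))


def median_ttr_hours(incidents: List[Incident]) -> float:
    """Median time to resolve; reported beside the mean because long-tail incidents skew the mean."""
    return median(resolved_hours(incidents))


def mttr_by_severity(incidents: List[Incident]) -> Dict[str, float]:
    """Mean time to resolve per severity label, closed incidents only."""
    by_sev: Dict[str, List[float]] = {}
    for inc in incidents:
        h = inc.hours_to_resolve()
        if h is not None:
            by_sev.setdefault(inc.severity, []).append(h)
    return {sev: mean(hs) for sev, hs in by_sev.items()}


def target_compliance(incidents: List[Incident], targets=MTTR_TARGET_HOURS) -> Dict[str, dict]:
    """Per severity: mean hours, the target, and whether the mean meets it."""
    report = {}
    for sev, hours in mttr_by_severity(incidents).items():
        target = targets[sev]
        report[sev] = {"mttr_hours": hours, "target_hours": target, "met": hours <= target}
    return report


def within_target_fraction(incidents: List[Incident], targets=MTTR_TARGET_HOURS) -> float:
    """Share of closed incidents that were each resolved within their own severity target."""
    closed = [inc for inc in incidents if inc.hours_to_resolve() is not None]
    hits = sum(1 for inc in closed if inc.hours_to_resolve() <= targets[inc.severity])
    return hits / len(closed)


def open_incidents(incidents: List[Incident]) -> List[str]:
    """Identifiers of incidents that have not been resolved yet."""
    return [inc.ident for inc in incidents if inc.resolved_at is None]


if __name__ == "__main__":
    incs = load_incidents(SAMPLE_INCIDENTS)
    print(f"MTTR: {mttr_hours(incs):.1f} h (median {median_ttr_hours(incs):.1f} h)")
    for sev, row in target_compliance(incs).items():
        status = "OK" if row["met"] else "MISSED"
        print(f"{sev:>6}: {row['mttr_hours']:.1f} h vs target {row['target_hours']} h -> {status}")
    print(f"Resolved within target: {within_target_fraction(incs):.0%}; still open: {open_incidents(incs)}")
```

Two design points matter when a team adopts this kind of reporting: open incidents are excluded from the averages rather than silently counted as resolved, and the per-incident compliance fraction is tracked separately from the per-severity mean, since a mean that just meets its target can still hide individual incidents that badly missed it.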

The survey results suggest that many companies continue to lack the discipline and visibility necessary to manage their security response in an organised way – something that is likely to become a serious problem once mandatory Notifiable Data Breach legislation comes into effect next February.

Businesses’ lack of preparation was apparent in the Australian Cyber Security Centre’s recent Cyber Security Report 2017, which found that 43 percent of organisations don’t generally identify cybersecurity threats or vulnerabilities until after they have been compromised – and that 51 percent are generally alerted to breaches by external parties before noticing the incidents themselves.

Similarly, ISACA’s latest State of Cybersecurity research found that 16 percent of organisations have no incident response plan at all – and of those that do, just 31 percent routinely test their security controls.

Poor visibility and incident-response practices have significant implications for businesses, particularly as they move to cloud-based environments where visibility is key to detecting and dealing with security incidents. A recent Gartner analysis suggested that by next year, 60 percent of enterprises would have implemented cloud visibility and control tools – and they will experience one-third fewer security failures as a result.

“People with cloud environments understand the importance of automation and learning,” Demisto co-founder Rishi Bhargava recently told CSO Australia. “From the analyst perspective not only are they doing the mundane stuff over and over again; they are not able to learn from each other and not able to grow their skill sets.”

Improving that situation requires a concerted effort to improve incident visibility and response – but many companies will struggle to do so as staff burnout takes its toll. Indeed, alert fatigue has long been a chronic problem and the new Demisto research suggests that many employees are simply throwing their hands up in frustration – with more than a third of incident-response staff leaving within 3 years because of the constant pressure.

Many companies are turning to machine learning environments to ease the pressure, with analytics tools and intelligent agents tasked to develop remediation decision trees by watching humans resolve cybersecurity incidents.
