According to the M-Trends 2018 report by FireEye, the average time it takes for organizations to detect and respond to a data breach is 99 days. It’s not that companies don’t have incident response plans in place; those plans are just rarely tested, and often ineffective.
The good news is that the “dwell time” for dealing with security incidents has been gradually decreasing over time as companies are adopting new and improved tools to help them identify suspicious behaviour. Of course, there is much room for improvement.
There are three main reasons why companies are failing to respond to security incidents in a timely manner.
1. A Lack of Technical Expertise
Naturally, as the frequency and sophistication of attack vectors has escalated in recent years, there has been an explosion in the number of tools and technologies that can be used to counter them. However, the problem isn’t that companies don’t have enough technology, it’s that they often lack the technical expertise to use them effectively.
Companies often have limited budgets, and it is typically easier for security teams to lobby managers to pay for more expensive technology than it is to hire more staff. This is compounded by the fact that there is a serious shortage of cyber-security professionals, so organizations often have to employ a number of less skilled security personnel instead. To compensate for the lack of technical expertise, any processes that are predictable and repeatable should be automated, and machine learning should be used where possible.
Another issue that organizations face relates to a loss of “tribal knowledge,” which occurs when a seasoned security professional leaves an organization. Tribal knowledge is “any unwritten information that is not commonly known by others within a company,” and without this information, it becomes very hard for security teams to respond to incidents in a timely manner.
Of course, it is good practice for security professionals to document any information and procedures that can help security teams get to grips with their network’s security posture; however, any complex system will have many nuances that can only be known through years of experience using the same system.
2. Too Much Noise
SIEM solutions are no doubt helpful for aggregating, analyzing and correlating log data from multiple sources. However, it takes both time and resources to manually sift through the vast number of alerts that these systems generate. And, whilst security teams waste time scrutinising these logs for indications of a breach, a cyber-attack could be taking place under their nose without them knowing.
It is worth noting that the majority of security incidents are caused by insiders – whether intentionally or not. Relying on SIEM solutions alone to monitor user behaviour will result in blind spots, as they are not designed for this purpose. User Behaviour Analytics (UBA) solutions are specifically designed to detect, alert and respond to suspicious user actions. The reports they generate are far more intuitive than those generated by most SIEM solutions, and require significantly less technical expertise to install, configure and maintain.
3. Difficulties in Measuring the Success of the IRP
It is very difficult to measure the success (or failure) of a security strategy until a breach occurs. For example, using return on investment (ROI) as a metric for measuring the effectiveness of a security program clearly won’t work, as cyber-security is not directly profitable. Instead, the motivation for securing one’s data is to protect the reputation of the company and to avoid paying hefty fines.
We need well-defined protocols for assessing the effectiveness of our investigative, containment, and mitigation strategies. Such protocols must be repeatable, testable and understood by all relevant personnel.
What’s the Solution?
Budgets and organizational structures do not always allow a company to both purchase a UBA or SIEM solution and hire technically proficient staff to use it. Fortunately, the market is now mature enough to offer solutions that audit, monitor and alert on user behaviour around critical data and the surrounding systems in a way that requires little to no technical expertise. Some of these solutions also offer a way for you to discover where your most sensitive data resides and classify it in order of risk.
Deploying such a solution in your environment will enable you to drastically reduce your response time to a perceived threat. For example, if you were to detect a large number of file name modifications occurring over a very short space of time, it could be indicative of a ransomware attack. Having a file change auditing solution, like LepideAuditor, in place would allow you to spot such changes taking place and automate a response through execution of a custom script.
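The rename-burst heuristic described above, as an added example that is not part of the original post or of any LepideAuditor product: a sliding-window rule over constructed file-audit events that flags a user who renames many files within a few seconds, plus a hypothetical response hook that returns (rather than runs) a placeholder script command. The event format, the threshold and window values, and the script path are all assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample file-audit events (not real LepideAuditor output). Format per line:
# ISO timestamp, user, action, path. Alice renames six files in six seconds; Bob renames
# two files ninety seconds apart. Lines are deliberately not in timestamp order.
SAMPLE_EVENTS = """\
2018-05-01T09:00:00 alice RENAME /share/finance/q1.xlsx
2018-05-01T09:00:01 alice RENAME /share/finance/q2.xlsx
2018-05-01T09:00:00 bob RENAME /share/hr/draft.docx
2018-05-01T09:00:02 alice RENAME /share/finance/q3.xlsx
2018-05-01T09:00:03 alice RENAME /share/finance/q4.xlsx
2018-05-01T09:00:10 bob WRITE /share/hr/draft.docx
2018-05-01T09:00:04 alice RENAME /share/finance/budget.xlsx
2018-05-01T09:00:05 alice RENAME /share/finance/forecast.xlsx
2018-05-01T09:01:30 bob RENAME /share/hr/final.docx
"""

def parse_events(text):
    """Parse the constructed audit format into (timestamp, user, action, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, path = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events

def detect_rename_bursts(events, threshold=5, window=timedelta(seconds=10)):
    """Sliding-window rule: raise one alert per user the first time `threshold` or more
    RENAME events from that user fall inside `window`. Events may arrive out of order,
    so they are sorted by timestamp first."""
    recent = {}       # user -> deque of RENAME timestamps still inside the window
    alerted = set()   # users already alerted on, so one burst yields one alert
    alerts = []
    for ts, user, action, _ in sorted(events):
        if action != "RENAME":
            continue
        q = recent.setdefault(user, deque())
        q.append(ts)
        while ts - q[0] > window:   # evict timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "count": len(q), "first": q[0], "last": ts})
    return alerts

def response_command(alert):
    """Hypothetical response hook: the custom-script command a SOC might wire to this alert.
    The script path is a placeholder; the command is returned, not executed."""
    return ["/opt/ir/respond.sh", "--user", alert["user"], "--renames", str(alert["count"])]
```

With the defaults, only Alice trips the rule (five renames inside ten seconds); Bob's two renames are ninety seconds apart and never share a window.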
Ultimately, you will need to shop around for the solution that best fits your organization. But, if you want to ensure that you are not one of the many organizations that are continuing to fail in incident response, you’d best start looking sooner rather than later!