A new report from AccessData and the Ponemon institute paints a pretty poor picture of how organisations struggle to cope in the aftermath of a cyber attack.
The report, Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations polled 1,083 Chief Information Security Officers and security personnel across a range of businesses in the US, Europe and the Middle East, to discover how their companies responded immediately after a cyber attack. Those surveyed were also asked for their views on what could be done to better detect and mitigate such events in the future.
The results show that inadequate incident detection and investigation is a key issue and, as ever it would seem, that communication between security teams and higher management is also a cause for concern.
In fact, 65% of the respondents said that they thought any security briefings with the CEO and board would be deliberately vague or watered down. Furthermore, 78% of those questioned said that most CISOs would offer up educated guesses and take action based upon limited information. Likewise, it was thought that CISOs would report problems as being resolved, even when they weren’t.
The survey suggests reasons why this may be so, namely:
- Attack detection taking too long (86% reported this as the case)
- Poor prioritisation of incidents (85%)
- Lack of integration between security products (74%)
- An abundance of alerts (61% said this led to confusion)
Commenting on the findings, Dr. Larry Ponemon, chairman of the Ponemon Institute, said,
“It’s readily clear from the survey that IR processes need to incorporate powerful, intuitive technology that helps teams act quickly, effectively and with key evidence so their companies’ and clients’ time, resources and money are not lost in the immediate aftermath of the event.”
Analysing attacks was also found to be a problem, despite the fact that 66% of the respondents said that discovering the root cause of a problem was an ideal way to learn and strengthen defences in the future. Staggeringly, 38% of the information security professionals surveyed said it could take a whole year to determine the cause of a compromise, which sounds simply outrageous even allowing for the complexity of some investigations. Even worse, 41% of those surveyed believed that their organisation would never be able to determine the root cause of a security incident.
Lastly, integrated threat intelligence – a hugely promising approach to arming CISOs with the latest indicators of compromise (IOC) and the ability to confirm threats – appears to be largely unusable with current security products. Almost two-thirds of those taking part in the survey said they are not able to efficiently and effectively use threat intelligence with their existing security products.
Craig Carpenter, Chief Cybersecurity Strategist at AccessData, said,
“Today, companies focus primarily on the protective aspect of their information security. While protection is obviously important, this research reinforces the critical need for organizations to invest in automated IR technology integrating security, forensics and eDiscovery solutions to facilitate not just incident response, but incident detection, investigation and resolution. CISOs are clearly saying their disparate tool sets are not keeping up with the threats they face. What they need is an incident resolution platform that doesn’t just integrate alerts from myriad point solutions, but makes intelligence actionable and automates significant portions of the IR process, allowing them to focus on the most pressing incidents.”
Other key findings within the report show that current security products make it difficult to import multiple threat intelligence feeds. The quick investigation of mobile devices can also prove tricky:
- 40% say none of their security products support imported threat intelligence from other sources
- 86% rate the investigation of mobile devices as difficult
- Just over half (54%) say they are not able to, or are unsure of how to, locate sensitive data such as trade secrets and personally identifiable information (PII) on mobile devices
How does the security function within your organisation compare? Do you believe you have the right tools to analyse an attack? And do your security personnel communicate effectively and present pertinent information in a timely manner?