IT Focus Area: security
October 5, 2015
Incident Response & Cyber Readiness: Are You Prepared for the Inevitable?
Benjamin Franklin once said, “By failing to prepare, you are preparing to fail.”
This 18th-century advice from one of our most influential founding fathers applies to cyber security today.
According to PWC’s 2015 Global State of Information Security Survey, organizations reported 2014 financial losses stemming from security incidents that were 93 percent higher than 2013. In fact, the number of global incidents is growing faster than the number of global smartphone users and the global GDP combined!
Historically, too much IT security spending has focused on the prevention of attacks and not enough has gone towards preparing for the inevitable.
On average, it takes companies a full month—even longer if an insider is involved—to resolve security incidents once they are identified. Why? Because they are aren’t paying enough attention to incident response (IR):
Prevention alone fails: just read the data breach headlines making news on a weekly—if not daily—basis.
Detection alone fails: consider the fact that the majority of incidents—nearly 70 percent—are detected externally by law enforcement such as the FBI, not internally by the victim organizations themselves.
What’s left when all else fails? Incident response. Plan, protect, detect, respond— continuously.
How Can You Gauge Your Organization’s IR Capabilities?
Consider the following questions:
Do you have an incident response program in place?
Are employees aware of what constitutes an incident to begin with and how to report and manage an incident?
Have you optimized the tools you’re using today to protect against and detect incidents?
Has your program been updated and tested to support today’s cyber threats and response needs?
Does the executive team know their role and what is expected of them?
Do you have the tools and relationships in place to accelerate your response to a serious security incident for containment and public management?
Don’t be surprised if you cannot answer a lot of these questions. Many companies do have an IR program or plan in place, but are struggling to keep it up-to-date and able to support current cyber-security concerns. In fact, a recent report from the Ponemon Institute found that 75 percent of U.S. organizations are not prepared to respond to cyber security attacks.
Preparation is the Name of the Game
Consider the overall maturity of your program, focusing on people, process and technology. Are you leveraging these resources properly? As the 500+ exhibitors at this year’s RSA Security Conference demonstrated, tools are not the problem; we’ve got a great ecosystem of tools at our disposal. We just need to ensure we’re maximizing investment in those tools and effectively utilizing the visibility they provide. Firewall, IPS, and all of the other “traditional” tools we are accustomed to using are valuable when used correctly. Additionally, there are specialized tools and services available that can facilitate the strategy and process improvements needed to detect and respond to incidents while working to remediate and prevent them going forward.
Keep Your Eye on the Endpoint
Visibility across endpoints is a necessary part of the comprehensive architecture required to support incident response efforts. In the past, endpoint security focused on signature-based solutions such as anti-virus, host IPS and heuristics to prevent exploits and malware propagation. Today’s solutions include these components, but also enable SOCs and IR teams to leverage additional capabilities such as continuous endpoint recording, customized detection, live endpoint investigation, remediation, and rapid attack banning. They are generally broken down into the following categories:
Threat detection & response
Endpoint monitoring & management
There are leading-edge technology solutions available from a variety of security manufacturers in all of these categories. And professional services such as security program assessments can help organizations focus on their ability to detect and respond to security incidents, formally document the workflow required to triage and manage the incidents impacting the environment, and improve the processes that support current incident concerns. Compromise assessments help to determine if there has already been an incident or an incident is currently in progress, and interactive tabletop exercises and breach simulation in conjunction with forensic and incident response “emergency services” partnerships can also be of great value.
Prevent Incidents from Becoming Catastrophes
The true security of your business – your ability to maintain competitive advantage, manage your reputation and retain customers – depends on mitigating risk. If you wait until your first incident to start taking IR seriously, you’re setting yourself up for failure. Most organizations are going to experience security incidents regularly; those that don’t are only avoiding it by being blind to what’s going on, and risking their own demise.
Accept that it’s going to happen, and be prepared to handle the situation. With a diligent approach, optimized tools and strategic partnerships in place, you can continuously test your current program and extend your capabilities to better prevent, detect and respond to security incidents. A comprehensive incident response plan will enable your organization to respond aggressively to an attack, minimize damage and align defenses to mitigate future intrusions.