Overcoming the Challenge of Reactivity in Incident Response (Part 1)
May 17, 2019 • The Recorded Future Team
This is the first blog in a three-part series where we’ll examine how security teams manage incident response processes. Here, we’ll highlight the challenges that security teams face when trying to mitigate incidents and how constraints force many teams into taking a reactive approach. This leads to incident response teams feeling the stress of scrambling to protect their business operations and related digital assets. We’ll also explain how threat intelligence can give security teams what they need to take a more proactive approach, enabling them to better prepare for threats and prioritize their mitigation efforts.
Common Incident Response Challenges
Responses to information security breaches are reactive by nature. But that tendency can be taken too far, leading to inevitable stress felt by businesses and incident response teams who must then scramble to protect digital assets.
Solving the challenges associated with reactivity is paramount, because in today’s digital economy, protecting data is a primary objective. If clients fear that private information might be leaked, or that sensitive corporate information might fall into the wrong hands, it doesn’t matter how well IT systems perform — negative public image perceptions will ensue, and revenue generation will be severely hampered. The longer an incident remains active, the more likely that negative impacts will be experienced.
That means the demand to proactively reduce the time of security incident response is rising. At the same time, incident response teams face several conditions that counteract this goal and add to the challenge:
- Cyber incident volumes continue to increase steadily every year.
- Threats are more complex and harder to analyze.
- Analyzing data from multiple disparate sources requires substantial manual effort.
- Containing attacks and mitigating vulnerabilities continually grows more difficult.
In addition, staying on top of the shifting threat landscape has become a major task, especially when mapping the risks and attacks to business operations. Because of this, it’s difficult to proactively identify probable threats and prioritize mitigation efforts.
Too Many Alerts, Increasing Resolution Time, and a Skills Gap
Incident response teams are often forced into a reactive state because of three major factors:
1. Too Many Alerts
According to the Ponemon “Cost of Malware Containment” report, security teams can expect to log almost 17,000 malware alerts in a typical week. That’s more than 100 alerts per hour. This can lead to a security team spending more than 21,000 hours each year chasing down false positives — that’s 2,625 eight-hour shifts! And we’re only talking about the time spent on malware; there are plenty of other alerts to be concerned with as well.
2. Increasing Resolution Time
The time to resolve security incidents is rising. According to a recent Verizon Data Breach Investigations Report, the median time to resolution is more than four days. Meanwhile, cybercriminals usually need a just few minutes to wreak havoc on a network and compromise digital assets.
3. A Skills Gap
Entry-level IT resources simply don’t have the ability to respond to incidents effectively and quickly. Incident response requires a vast range of skills, including static and dynamic malware analysis, reverse engineering, and digital forensics. Finding analysts with experience in the security industry who can be relied upon to perform these complex operations under pressure is nearly impossible.
A Piecemeal Approach
In trying to solve these challenges, many security teams take a piecemeal approach, growing organically in parallel with the increases in cyber risk. As a result, they have added technologies and processes in a similar piecemeal fashion without a strategic design.
This tactic forces incident response teams to spend a lot of time aggregating data and grasping for business and operational context from a variety of sources, including firewalls and SIEM platforms, as well as endpoint detection and response solutions. This effort puts a lot of pressure on the human element of security, significantly extending response times and increasing the likelihood that mistakes will be made.
Threat Intelligence Enables Preparation and Prioritization
Working under all of these constraints, incident response teams almost have no choice but to be reactive when potential threats materialize. In a typical incident response process, once alerts are flagged, they must be triaged, remediated, and followed up with as quickly as possible to minimize impact.
All of these steps reflect a reactive process. Nearly all of the work to remediate is back-loaded, meaning it can’t be completed until after an alert is flagged. Although this is inevitable to some degree, it is far from ideal when incident response teams struggle to resolve incidents quickly; do incident response teams start when the flag is completely raised and waving, or once the flag begins to rise?
In our next blog, we will take a look at how to minimize reactivity. We’ll explain why two key functions are required to take a more proactive approach: preparation and mitigation prioritization. In order to achieve both objectives, threat intelligence is necessary so that incident response teams can respond efficiently and effectively to incidents, even when they are unexpected.
For more information on how to leverage effective threat intelligence to become more proactive and responsive in your incident response program, request a personalized demo today.