The report, Tackling Attack Detection and Incident Response, from Enterprise Strategy Group (ESG) and commissioned by Intel Security, examined organizations’ security strategies, cyber-attack environment, incident response challenges and needs. The survey found security professionals are inundated with security incidents, averaging 78 investigations per organization in the last year, with 28 percent of those incidents involving targeted attacks – one of the most dangerous and potentially damaging forms of cyber attacks.
“When it comes to incident detection and response, time has an ominous correlation to potential damage,” said Jon Oltsik, senior principal analyst at ESG. “The longer it takes an organization to identify, investigate, and respond to a cyber attack, the more likely it is that their actions won’t be enough to preclude a costly breach of sensitive data. With this in mind, CISOs should remember that collecting and processing attack data is a means toward action — improving threat detection and response effectiveness and efficiency.”
Nearly 80 percent of the respondents believe the lack of integration and communication between security tools creates bottlenecks and interferes with their ability to detect and respond to security threats. Real-time, comprehensive visibility is especially important for rapid response to targeted attacks, and 37 percent called for tighter integration between security intelligence and IT operations tools. The most time-consuming tasks involved scoping an attack and taking action to minimize its impact, activities that Intel says can be accelerated by tighter integration of tools.
The survey responses suggest that the common patchwork architecture of dozens of individual security products has created numerous silos of tools, consoles, processes and reports that are very time consuming to work across. These architectures generate ever greater volumes of attack data, and the volume drowns out the indicators of attack that actually matter.
Security professionals surveyed said real-time security visibility suffers from a limited understanding of user behavior and of network, application and host behavior. While the top four types of data collected are network-related, and 30 percent collect user activity data, the report found that capturing data is not sufficient on its own. Users need more help contextualizing the data to understand which behavior is worrisome. This gap may explain why nearly half (47 percent) of organizations said determining the impact or scope of a security incident was particularly time consuming.
Users understand they need help to evolve from simply collecting volumes of security event and threat intelligence data to making sense of that data and using it to detect and assess incidents. Fifty-eight percent said they need better detection tools (such as static and dynamic analysis tools with cloud-based intelligence to analyze files for intent). Fifty-three percent said they need better analysis tools for turning security data into actionable intelligence. One-third called for better tools to baseline normal system behavior so teams can detect variances from it faster.
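The "baseline normal behavior, then detect variances" idea in the last sentence is simple enough to show in code. The following is an added example written for this page; it is not code from the ESG report, Intel Security, or any product the report discusses. It assumes a constructed login log of the form `<day> <user> <host>`, a seven-day baseline window, a z-score threshold of 3, and a floor on the baseline standard deviation so that a perfectly regular baseline still yields a finite score; all of these are illustrative choices, not figures from the report. It also adds the kind of context the previous paragraph asks for: a finding notes whether the user logged in from a host never seen in the baseline, and a user with no baseline at all is reported rather than silently ignored.

```python
"""Baseline per-user login volume over a window, then score a later day against it.

Added example (not from the ESG/Intel Security report). Input format, window size,
threshold and stdev floor are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

BASELINE_DAYS = range(1, 8)  # days 1-7 define "normal" (assumption)
SCORED_DAY = 8               # the day being investigated (assumption)
Z_THRESHOLD = 3.0            # baseline standard deviations before volume is "worrisome"
MIN_STDEV = 0.5              # floor so a zero-variance baseline still gives a finite z-score


def _constructed_log() -> str:
    """Build a constructed sample log: alice logs in 2-3 times a day from ws-01, bob once
    a day from ws-02. On day 8 alice logs in 12 times, four of them from a host she has
    never used, and carol appears for the first time."""
    alice_per_day = {1: 2, 2: 3, 3: 2, 4: 3, 5: 2, 6: 3, 7: 2}
    lines = []
    for day, n in alice_per_day.items():
        lines += [f"{day} alice ws-01"] * n
        lines.append(f"{day} bob ws-02")
    lines += [f"{SCORED_DAY} alice ws-01"] * 8 + [f"{SCORED_DAY} alice db-prod"] * 4
    lines.append(f"{SCORED_DAY} bob ws-02")
    lines.append(f"{SCORED_DAY} carol ws-03")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_events(text: str) -> list[tuple[int, str, str]]:
    """Parse '<day> <user> <host>' lines into (day, user, host) tuples; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, host = line.split()
        events.append((int(day), user, host))
    return events


def build_baseline(events, days=BASELINE_DAYS) -> dict:
    """Per user: mean and stdev of daily login count over the window, and hosts used.
    Days with no logins count as zero, so a user who is normally quiet stays quiet."""
    per_user_day = defaultdict(Counter)
    hosts = defaultdict(set)
    for day, user, host in events:
        if day in days:
            per_user_day[user][day] += 1
            hosts[user].add(host)
    baseline = {}
    for user, by_day in per_user_day.items():
        series = [by_day.get(d, 0) for d in days]
        baseline[user] = {
            "mean": mean(series),
            "stdev": max(pstdev(series), MIN_STDEV),
            "hosts": hosts[user],
        }
    return baseline


def score_day(events, baseline, day=SCORED_DAY, z_threshold=Z_THRESHOLD) -> list[dict]:
    """Return one finding per user whose day deviates from baseline: unusual login volume,
    a host not seen in the baseline window, or no baseline at all (new entity)."""
    counts = Counter()
    hosts = defaultdict(set)
    for d, user, host in events:
        if d == day:
            counts[user] += 1
            hosts[user].add(host)
    findings = []
    for user, n in sorted(counts.items()):
        if user not in baseline:
            findings.append({"user": user, "count": n, "z": None,
                             "new_hosts": sorted(hosts[user]),
                             "reason": "no baseline for this user"})
            continue
        b = baseline[user]
        z = (n - b["mean"]) / b["stdev"]
        new_hosts = sorted(hosts[user] - b["hosts"])
        reasons = []
        if z > z_threshold:
            reasons.append(f"login volume {n} vs baseline {b['mean']:.1f}/day (z={z:.1f})")
        if new_hosts:
            reasons.append(f"first login from {', '.join(new_hosts)}")
        if reasons:
            findings.append({"user": user, "count": n, "z": round(z, 2),
                             "new_hosts": new_hosts, "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for f in score_day(evts, build_baseline(evts)):
        print(f"{f['user']}: {f['reason']}")
```

Run as-is it reports alice (volume far above baseline, plus a first login from `db-prod`) and carol (no baseline), and stays silent on bob, whose day looks like every other day. The zero-fill in `build_baseline` matters: without it, a user who logs in once a week would get a baseline of one login per day and a burst would look normal.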
Respondents admitted to a lack of knowledge of the threat landscape and security investigation skills, suggesting that even better visibility through technical integration or analytical capabilities will be inadequate if incident response teams cannot make sense of the information they see. For instance, only 45 percent of those who took the survey consider themselves very knowledgeable about malware obfuscation techniques, and 40 percent called for more training to improve cybersecurity knowledge and skills.
The volume of investigations and limited resources and skills contributed to a strong desire among respondents for help with incident detection and response. Forty-two percent reported that taking action to minimize the impact of an attack was one of their most time-consuming tasks. Twenty-seven percent would like better automated analytics from security intelligence tools to speed real-time comprehension, and 15 percent want automation of processes to free up staff for more important duties.
“Just as the medical profession must deliver heart-attack patients to the hospital within a ‘golden hour’ to maximize likelihood of survival, the security industry must work towards reducing the time it takes organizations to detect and deflect attacks, before damage is inflicted,” said Chris Young, general manager at Intel Security. “This requires that we ask and answer tough questions on what is failing us, and evolve our thinking around how we do security.”
ESG believes there is a hidden story within the Intel Security research that hints at best practices and lessons learned. The data strongly suggests that CISOs should create a tightly integrated enterprise security technology architecture; anchor their cybersecurity strategy with strong analytics, moving from volume to value; automate incident detection and response wherever possible; and commit to continuous cybersecurity education.
As an Intel spokesman told Homeland Security Today, “The results are really interesting and for the federal market they point again to the need for Continuous Diagnostics and Mitigation (CDM), where continuous visibility and automation can speed up response time.”