“Using a survey of the Security for Business Innovation Council (SBIC), a group of top security leaders from the Global 1000, as a benchmark, the results of a new global breach readiness survey by RSA that covered 30 countries suggest the majority of organizations are not following incident response (IR) best practices and are not well prepared to face the challenges of today’s advanced cyber threats,” according to RSA, the security division of EMC.
“The survey report provides quantitative insights into real-world security practices and highlights gaps in technology and procedure as well as prescriptive advice from the SBIC for how to best close those gaps,” RSA said in its announcement of the survey findings, which focused on measures within four major areas of breach readiness and response: incident response, content intelligence, analytic intelligence and threat intelligence.
“The results suggest that organizations continue to struggle with the adoption of technologies and best practices that will allow them to more effectively detect, respond to, and disrupt the cyberattacks that turn into damaging breaches,” the survey said.
“Organizations are struggling to gain visibility into operational risk across the business. As business has become increasingly digital, information security has become a key area of operational risk and while many organizations may feel they have a good handle on their security, it is still rarely tied in to a larger operational risk strategy, which limits their visibility into their actual risk profile,” commented RSA Chief Trust Officer Dave Martin.
“Incident response is a core capability that needs to be developed and consistently honed to effectively face the increasing volume of cyberattack activity,” the survey briefing stated. “The survey results indicate that while all leading edge SBIC members have developed an incident response function, 30 percent of at-large organizations surveyed do not have formal incident response plans in place. Furthermore, of those who do have a plan, 57 percent admit to never updating or reviewing them.”
“Content intelligence in the survey measured awareness gained from tools, technology and processes in place to identify and monitor critical assets. While all SBIC members have a capability to gather data and provide centralized alerting, 55 percent of the general survey population lacks this capability rendering them blind to many threats,” the survey found, noting that, “Identifying false positives still proves a difficult task. Only 50 percent of the general respondents have a formal plan in place for identifying false positives while over 90 percent of SBIC members have automated cybersecurity technologies and a process to update information to reduce the chances of future incidents.”
The survey further indicated “the majority of organizations are not following incident response best practices and are not well prepared to face the challenges of today’s advanced cyber threats. The survey report provides quantitative insights into real-world security practices and highlights gaps in technology and procedure as well as prescriptive advice from the SBIC for how to best close those gaps.”
RSA’s global breach readiness survey was conducted in conjunction with SBIC, which comprises 18 VP-/C-level security executives from global 1000 companies, including ABN Amro, ADP, Coca-Cola, FedEx, HSBC, T-Mobile and Walmart, who share their professional experiences and insights in order to advance information security worldwide.
The survey report, Closing the Gap on Breach Readiness, which compared SBIC members to 170 global respondents from 30 countries, “revealed a severe drop-off in preparedness and response capabilities. Some of the most stark findings include:”
- 30 percent of at-large organizations surveyed have no formal IR plans in place and 57 percent of those who do, never update or review those plans. (This is compared to 100 percent of the SBIC with mature IR functions).
- Only 40 percent of the survey participants have an active vulnerability management program (vs. 100 percent of the SBIC).
- 55 percent of the broader survey population lack the ability to gather data and provide centralized alerting of suspicious activity, and only 60 percent employ measures of asset criticality and vulnerability data to ensure focus on the most important areas of the business. (This is versus 100 percent and 92 percent of the SBIC on those functions respectively).
Additionally, “the study provided quantitative insight as to just what capabilities are absent or lagging and provides prescriptive advice from global leaders as to how to best close the gaps.”
The survey found that, “Most organizations recognize that basic log collection through SIEM systems only provides partial visibility into their environment. In the general survey, 72 percent of survey participants have access to malware or endpoint forensics, however, only 42 percent of survey participants have capabilities for more sophisticated network forensics, including packet capture and net flow analysis.”
External threat intelligence and information sharing “is also a key activity for organizations to stay up-to-date on attackers’ current tactics and motives,” according to the survey, the results of which indicated that “only 43 percent of the survey participants at large are leveraging an external threat intelligence source to supplement their efforts.”
“Finally,” according to the survey, “attackers continue to exploit known but unaddressed vulnerabilities in damaging breaches. Despite this common knowledge, the survey found that only 40 percent of the general population had an active vulnerability management program in place, making it more challenging to keep their security programs ahead of attackers.”
“People and process are more critical than the technology as it pertains to incident response. First, a security operations team must have clearly defined roles and responsibilities to avoid confusion at the crucial hour. But it is just as important to have visibility and consistent workflows during any major security crisis to assure accountability and consistency and help organizations improve response procedures over time,” said Thales Australia and New Zealand Chief Information Security Officer Ben Doyle.