With numerous recent examples of cybercriminals penetrating corporate networks almost at will, the role of incident response teams has been thrust into the spotlight. Yet a new report indicates that security professionals must leap a number of hurdles before conducting a meaningful incident response process.
Ponemon Institute LLC recently surveyed more than 1,000 IT security professionals on the incident response practices in place at their respective organizations. Approximately two-thirds of respondents indicated they believe their companies are under a state of "constant compromise" due to the pervasiveness of malware, botnets and other attacks. Even worse, those same respondents consider themselves too bogged down by security events and event data to determine which incidents warrant a thorough investigation, or in many cases, to even investigate at all.
For instance, 61% of those surveyed said that endpoint security products simply create too many alerts. A whopping 85% of respondents also believe their organizations are currently unable to prioritize security incidents.
Craig Carpenter, chief cybersecurity strategist for Lindon, Utah-based AccessData, which sponsored the Ponemon report, believes it's not surprising that more than half of those surveyed feel that investigating security incidents takes too much time.
Carpenter said that the security professionals he knows are alerted to anywhere between 20 and 40 potential security incidents each day, and in theory each one warrants investigation. According to Carpenter, the "vast majority" of those events are not serious and often involve outdated passwords or an unpatched application, action items that would ideally be handled by automated systems.
But with no way to prioritize incidents, Carpenter noted, many IT security pros simply lack the time to undertake the lengthy investigation of the incidents that do warrant further attention, possibly leaving long-term attacks, such as those against retailer Neiman Marcus, unnoticed for weeks or even months. Their objective in the incidents they do take on, he said, is simply to remediate them as fast as possible.
"So effectively, they'll go back out and say this system has been infected, so they'll re-image it and give it back to the user. Mind you, the whole time [an investigation is taking place], the user is saying, 'I need my laptop, please give it back to me,'" Carpenter said. "So they won't even investigate a good chunk of the incidents, and for that reason, they are not able to know what the underlying problem is."
More worryingly, many of the respondents admitted that they provide answers about security breaches to their respective CEOs and other executives based on incomplete or even never-performed incident response processes. Just over one-third of the security professionals said they simply tell executives that they took action to resolve the issue, while another 19% just make guesses based on initial information on the incident.
Carpenter said that providing misinformed answers is absolutely the wrong tactic for security professionals to take in post-incident meetings with executives, which can admittedly be tense. Many in the C-suite are only now learning what questions to ask after data breaches or other high-profile security incidents, Carpenter said, prompted by attacks such as those against retailer Target and software giant Adobe.
"You may not fully know what happened or whether it's been completely shut down," Carpenter said, "which means it's the perfect opportunity to say, 'This is what we're doing. And by the way, in order for us to really shut this stuff down and protect the business, we need the ability to do X, Y and Z that we don't have today.'"