Olivier Le Moal - stock.adobe.co
Incident response takes far too long for the average enterprise to complete, according to a new study from CrowdStrike.
The endpoint security vendor surveyed 1,900 senior IT professionals and found out that 95% could not get close to the company's "1:10:60" rule: one minute to detect, 10 minutes to investigate and 60 minutes to contain a cybersecurity incident. The survey, which was released in CrowdStrike's 2019 Global Security Attitude Survey on Tuesday, found that it takes almost seven days of nonstop work (162 hours) to "detect, triage, investigate, and contain the average cyber incident."
The survey also showed that 19% of respondents said that intruder detection is their primary IT security focus, while 86% saw one-minute detection as a game-changer for their cybersecurity organization. In addition, CrowdStrike said it takes 31 hours on average to contain a cybersecurity incident, and that's after it has been detected and investigated.
CrowdStrike vice president of services Thomas Etheridge said the fact that the vast majority of respondents couldn't get close to the 1:10:60 rule was significant. "That's a large set of respondents that do not have either the resourcing capability, the skills in their security programs and business, or the tools to be able to detect, triage, and remediate within that 1:10:60 framework," he said.
Etheridge also said the survey data showed that most of the focus from an incident response perspective seemed to be on the network perimeter.
"It's kind of traditionalist to think about defense in-depth in network perimeter security versus being able to focus on the endpoint and understand how attackers are either already in your environment or very easily able to gain access into your environment, and not be able to prevent them from moving laterally or detect them from moving laterally after they've already gained access," he said.
Rob Clyde, executive chairman of White Cloud Security and former chairman of the ISACA board of directors, said incident response is so difficult because it can involve a lot of different people.
"It is a cross-functional exercise. It is not the responsibility of a single department or single individual. It has to be a team effort. And any time in an organization when you're dealing with an action, or a response in this case, that cuts across departments and also cuts across management level, sometimes it may need to go all the way to the board of directors, this is not easy. This takes significant effort to put all of that together," he said.
Clyde also said that completing technical containment within 60 minutes is challenging enough, but that there are other aspects of containment that need to be considered.
"There's more to incident response than just containing the attack. That's at the technical level that you're going to contain it so that it doesn't spread further in your network. Of course you want to do that, but you also have containment from the aspect of, what are you going to tell the public? What are you going to tell the regulators? How are you going to involve the board of directors? If it's a public company, is this going to affect the stock price if you don't properly handle and message that? It seems like that is also part of containment, and that non-technical aspect is often forgotten or is not properly tied in," Clyde said.
Etheridge offered several solutions to these slow (compared to the 1:10:60 ideal) incident response times.
"Some things that customers can do to optimize their ability is implement robust EDR type capabilities, upgrade and make sure their existing infrastructure is up-to-date with the latest patches and they're using current operating systems, and to do the best they can to remove any legacy infrastructure in their environment," he said.
Etheridge also suggested wargaming, tabletop and red team/blue team exercises as ways to test a team's capabilities and understand how said organization might be a victim of an attack.