Grant Oviatt, director of incident-response engagements at Red Canary, provides advice and best practices on how to get there faster.
The coronavirus pandemic presented the perfect opportunity for security teams to evaluate the state of their incident-response process. In fact, it highlighted the dire need to implement a more structured, detailed and well-practiced plan to sufficiently support organizations when suffering a cybersecurity incident.
Throughout the past 12 months, the lack of preparedness has become increasingly evident, especially with the influx of personal devices logging onto corporate networks, the resulting reduced endpoint visibility, expanded attack surface and surge in attack vectors.
Mistakenly, security teams often work to remediate breaches as quickly as possible, meaning they skip over vital steps in the process. As the Navy SEAL mantra goes: “slow is smooth and smooth is fast.” Of course, speed is of the essence, however, it is important to not be sloppy and make sure the incident-response process is as efficient as possible.
Unfortunately, companies don’t only face external issues when trying to improve their incident-response process, even while security is becoming increasingly important. Indeed, internal obstacles play a large part in hindering security teams and working toward a better plan. But what are these obstacles, and why do they pose such a problem?
What Are the Internal Obstacles to Efficient Incident Response?
Security is frequently seen as a cost center rather than a revenue source, and stakeholders and companies alike often try to get away with spending the bare minimum. According to a survey conducted by Red Canary, Kroll and VMware in partnership with Wakefield Research, 45 percent of security leaders said their security spending will either stay the same, if not decrease over the next twelve months.
As a result, security teams will lack the necessary resources to combat threats and, on top of that, will be required to provide a better security defense in a changing threat landscape. This creates a challenge for security teams as they must be able to position their findings in terms of business risk, and choose what is worth protecting, rather than providing full protection across all assets and accounts. Here, it is crucial for teams to help stakeholders mitigate risk wherever possible instead of trying to eliminate business functionality.
Even with expansive security budgets and tooling, incident response can go off the rails without a practiced process. If the three Ls of real estate are “Location, Location, Location” — the three Ps of incident response are “Prepare, Prepare, Prepare.” Minutes matter with incident response, so building an incident-response plan and regularly practicing it across the highest levels of your organization directly relates to better outcomes in the event of an actual breach.
To add to this, many organizations believe they will not be targeted if they haven’t previously suffered a breach. Forty-two percent of security leaders in the survey admit to their firm lacking organization-wide support to deal with cybersecurity incidents, 41 percent believe their leadership doesn’t understand the initiatives, and another 42 percent think their security program only meets the minimum requirements necessary. These issues are further exacerbated when organizations decide against increasing spending in cybersecurity, as security teams are left with insufficient resources and expertise to deal with the incoming cybersecurity alerts.
Implementing External Partners in Incident Response
If the past 12 months have taught us anything, it is that cybersecurity can no longer be an afterthought, but must be made a priority throughout every industry. This is especially important, as the vast majority of organizations surveyed had plans to automate some aspect of their incident-response processes in the next year. Unfortunately, automation is still being held back by obstacles, such as a lack of in-house expertise, supporting tech or platforms and security teams’ excessive time commitments.
One good option is for organizations to engage with third-party partners who can provide managed detection and response (MDR) to deal with the shortcomings and improve the incident-response process. Through MDR solutions, organizations can gain greater visibility across the entire network, along with investigation capabilities to aid in incident response. The survey results showed that 76 percent of organizations already use third parties as part of their process.
Grant Oviatt is director of incident-response engagements at Red Canary.
Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite.