Rocketing alert volumes, frozen budgets and lack of resource are making it harder than ever for inhouse teams to deal with incident response. Our survey of 205 IT security decision makers in August revealed that 90% of them saw an increase in security alerts over the past 12 months. The majority (76%) reported an increase of between 1-50% of alerts while just over a quarter (26%) reported a 26-50% increase in alerts.
It's not just alert fatigue that is causing issues, however, because responding to incidents can be highly stressful. All eyes are now on how effectively the team responds and mitigates the threat resulting in a high-pressure environment.
The most stressful aspect of responding to a cybersecurity incident was the speed required to effectively diagnose and mediate incidents cited by 40%, followed by the sense of responsibility (31%). Interestingly, 24% said the fear of being wrong was an issue which ranked above any difficulty in diagnosing the incident (22%). C-level executives feared being wrong more than information security analysts, perhaps because the fallout from a poor response to a cyber incident could be worse or even catastrophic for their career.
Other stressful elements among information security analysts were ineffective communication, suggesting that reporting processes aren’t as smooth as they could be, and the relentless need to focus on the incident until it was resolved, both of which were named by 26%, respectively. In contrast, the CIO clearly feels caught in the middle, with 30% reporting they experienced pushback on recommended response from teams and 28% feeling under pressure from above via the C-suite.
Challenges facing IR
Having proper processes and sufficient resource in place is key for effective response but the survey suggests that there have been cutbacks here. Almost a third said the top challenge was having insufficient budget, with the complexity of the incident and a lack of board level understanding coming in joint second. The disconnect with the board was felt most keenly among information security analysts (33%) whereas CIOs were markedly less concerned (13%) suggesting those doing the firefighting do not feel sufficiently heard.
In terms of resource, the skills shortage is beginning to be felt, with 23% saying there was a lack of skills or experience among those tasked with response, while a fifth of respondents and a third of CIOs thought they lacked the tools to be able to respond effectively (this was the second biggest challenge after budget for them).
Unfortunately, it looks as those some organisations aren’t keeping their incident response capabilities up to date. Among information security analysts, over a quarter were concerned about untested incident response plans and processes while a fifth complained of a lack of defined IR playbooks, indicating that while many have incident response plans in place these are not always regularly put through their paces which would lead to the process being continually improved.
Collectively, this all paints a picture of incident response being under strain which means the organisation becomes less effective in its response, increasing the potential for a breach. It’s for these reasons that organisations need to think carefully about how well equipped they are to handle incident response before, not after, a major incident occurs. But this also presents specialist security providers, namely those offering cyber defence and incident response services, with an opportunity to provide some much needed assistance.
Outsourcing incident response can provide numerous advantages, acting as a scalable resource that then frees up in-house personnel to focus on improving the security posture. The customer benefits from access to specialists 24x7, providing the organisation with more resource and expertise to help manage the situation. This can include malware experts who are able to utilise multiple investigation and forensics tools, experience and methodologies to respond to the incident and assist with decisions. Consequently, investigations can be carried out faster, Mean Time to Respond (MTTR) reduced and dwell time (i.e. the time during which the attacker is on the network) can be minimised.
Assured cyber incident response providers, such as those assessed by the NCSC, can help with every stage of the incident lifecycle from triage, through to containment and remediation. This begins with exploring the scope of the incident and establishing a communication matrix for escalation. As undefined or unclear lines of communication and responsibilities can be an issue, this helps ensure that everyone understands their responsibilities and provides a clear line of sight for senior management.
Second comes detection and analysis. Assessment tools will need to be deployed and used to determine the potential impact and log analysis conducted in order to carry out root cause analysis. The incident can then be contained and eradicated, minimising downtime and paving the way for the organisations to return to business as usual. The final stage sees the incident response team produce a technical report detailing the incident and each stage of the investigation which can then be pored over by the board and senior management to create improvements.
Considerations for the channel
An effective incident response provider should invest in advanced toolsets to keep their offerings competitive and have a diverse range of specialists on the team in order to provide their customers with sector-specific advice. They should be able to notice attack patterns and swiftly respond to zero-day vulnerabilities, for example. Doing so requires them to have an accurate understanding of the customer environment, so they need to be onboarded in
advance, briefed and a retainer contract put in place so that in the event of an incident the resource is immediately to hand.
However, increasingly, incident response is now being seen as a part of a more proactive offering – Managed Detection and Response (MDR). This uses machine learning and AI to detect and analyse threats in real-time and automated response which means it can significantly drive down MTTR. Security analysts threat hunt to identify and address threats before they can impact operations and a range of services is employed, from endpoint and network monitoring to threat intelligence and, of course, incident response. It’s this combination of automated technologies and human expertise that marks MDR out and it is particularly suitable for those businesses that are highly targeted by criminals.
Going forward it’s clear that incident response performed in-house will reach its limit in certain sectors, providing channel players with the opportunity to offer their services to boost resources. Having an outsourced incident response resource on tap is undoubtedly valuable in conferring human and technological resource to carry out investigations and digital forensics. It provides a scalable offering that confers peace of mind. But for many of those that take a critical look at their detection and response capabilities, factor in ongoing investment, a growing skills shortage and an increase in threat levels, it may well make more sense to look at MDR.