In many cases it is turning out that the only thing uglier than the malware organizations are being plagued with may very well be the way they respond to those attacks. Two separate studies published this week suggest there is a lot of room for improvement in how organizations go about investigating and responding to a potential security breach.
A survey of 130 enterprise IT organizations conducted by Osterman Research on behalf of Cyphort, a provider of a threat detection platform, finds that security analysts and incident responders working in companies with 1,000 employees spend a combined average of 92.9 hours a week analyzing and responding to data generated by a security information and event management (SIEM) platform. The Cyphort study also finds that in 65 percent of organizations at least five people are required to resolve security incidents, and that almost a third (31%) of organizations using a standard SIEM need at least two hours to gather and correlate the data required to respond to an incident. The Cyphort study finds more than half of organizations are dealing with at least five incidents a day.
In a similar vein, Demisto, a provider of an IT security operations platform, this week released a survey of 200 organizations with 500 or more employees that finds 40 percent feel significantly more alerts are being generated than their staff can handle, and 47.4 percent admit it is hard to know which alerts to prioritize. In addition, 30 percent of respondents reported they have no playbooks, runbooks or other documentation for incident response actions. In fact, the Demisto report notes that only 14.5 percent of respondents are measuring their mean time to respond (MTTR), and more than 40 percent of organizations don't have the tools needed to measure incident response at all.
Both studies suggest that SIEM platforms are seriously flawed. While it is important to have something that functions as a system of record for tracking and analyzing security breaches, SIEM platforms wind up generating massive numbers of alerts that each need to be investigated. Inevitably, IT security fatigue sets in as the IT organization becomes inured to those alerts. Of course, lost in that steady stream of alerts is the warning that a major IT security incident is in fact in progress; assuming, of course, the organization can find and then afford to hire someone with the expertise needed to make sense of those alerts in the first place. Before too long the IT organization is left trying to explain to the board that, despite the investments made in IT security, there was still a security breach that inflicted hundreds of thousands of dollars in damage.
To break that vicious IT security cycle, IT organizations clearly need to be able to quickly triage alerts as part of a well-defined incident response plan. That plan needs to provide a strategy for containing potential threats in a way that is as little disruptive to the business as possible. It is simply not practical for most organizations to isolate multiple systems that might be infected multiple times a day. When malware is discovered, IT organizations need to first determine the severity of the threat. That determination then dictates a more informed response that minimizes disruption to the business.
As straightforward as that may seem, however, performing that exercise multiple times a day requires a level of discipline most IT organizations are not going to be able to maintain. Because of that, there is a lot more interest in incident response services provided by organizations with IT security expertise. Regardless of the method employed, the one thing that should be clear is that, in the absence of a well-defined incident response plan, far too many organizations are incurring more costs responding to potential threats than they are from the actual malware infecting their systems.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.