Incident response has become one of those areas of cybersecurity that people think they could do better, but how often do they test it and how well could they actually act in the event of an incident occurring?
According to the Global Information Security Survey, released this week by EY, which used responses from 1735 C-suite leaders and IT executives and managers, 57% of respondents rate business continuity and disaster recovery as a high priority, 42% do not have an agreed communications strategy or plan in place in the event of a significant attack and 39% are planning to invest more in it in the coming year.
Richard Brown, risk assurance IT leader, EY UK and Ireland, said: “Organizations have come a long way in preparing for a cyber-breach, but as fast as they improve, cyber-attackers come up with new tricks. Organizations therefore need to sharpen their senses and upgrade their resistance to attacks.
“They also need to think beyond just protection and security to ‘cyber resilience’ – an organization-wide response that helps them prepare for and fully address these inevitable cybersecurity incidents. In the event of an attack they need to have a plan and be prepared to repair the damage quickly and get the organization back on its feet. If not, they put their customers, employees, vendors and ultimately their own future at risk.”
Is incident response considered a ‘nice to have’ strategy, rather than a ‘must have’? Does the seemingly endless stream of breaches not cause businesses to think that they should act and create a plan of action?
I asked Amar Singh, CEO and founder of the Cyber Management Alliance which created the Cyber Incident Planning & Response one day executive workshop, who said that workshop had been delivered most commonly on company premises where multiple non-technical executives get together to understand, learn and plan on how they can work together to respond to cyber-attacks.
“From my personal experience as a CISO and trusted advisor , what I see on the ground is that detection capabilities are maturing; however ‘What are we detecting’ remains out of the focus of many,” he said. “Are you detecting a regular virus outbreak, or are you equipped to detect a genuine advanced threat from a bona fide sophisticated attacker?
“The good news is that the business minds (rather than the techies) are also asking the question ‘are we prepared to detect and respond’. To me, it’s encouraging to see more and more business executives from various departments start engaging and coming together to ‘be ready to respond’. However, we have a long way to go.”
In another recent survey, IBM Resilient and Ponemon Institute broke down results into national statistics, and I caught up with EMEA director Paul Ayers to discuss the findings. Unlike its global survey from a year ago, this tracked the basics of cyber resilience, which the survey found that 71% of those polled were not confident in their ability to recover, and 75% did not rate their cyber resilience as high.
“Organizations are more confident in their ability to prevent and detect, but not to retain and recover,” he told Infosecurity. “Only a quarter have got a response plan fully pushed out and are figuring out how to deploy it, and have a strong sense of resilience.
“This reflects what we are seeing in the market and we focus on the fundamentals of a plan and what steps to take. We have seen some advancement in terms of people leading this and seeing it in the market in terms of adoption of tooling, and in organizations that have invested in securing operations and investing in SIEM technology.”
I asked Ayers if it was clear what an efficient response plan should contain, and he said that while there is best practice advice from the likes of NIST or SANS, its statistics showed a lack of testing and knowing what to do in the case of an incident. “The last thing you need is the core comms team being called at 3 am, so get muscle memory on testing and set metrics and training processes,” he said.
“Know what to do now and what process to contain the incident; have that information at your fingertips and have data to know what you are up to. We’re seeing more return on investment on consoles where IT has been a risk space, as it is making existing teams more efficient.”
IBM Resilient deemed cyber resilience “as the alignment of prevention, detection and response capabilities to manage, mitigate and move on from cyber-attacks”. Ayers added that the key to incident response was about getting “decisions and behaviors in place.”
The IBM Resilient and Ponemon Institiute research found that 40% were confident of protecting, 49% of detecting, 47% in containing and 35% in recovering. The drop in the final number does suggest a lack of confidence in surviving an incident, but overall the numbers were up on the previous year.
How much impact does being in a 'cyber resilient' state have? The IBM Resilient statistics suggested that 55% of respondents participate in an initiative or program for sharing information with government and industry peers about data breaches and incident response, while 52% say that threat intelligence sharing enhances the timeliness of incident response.
SANS Institute suggest that the key is to “constantly look for attacks that get past security systems, and to catch intrusions in progress”, and participate in more threat hunting using known adversary behaviors to proactively examine the network and endpoints in order to identify new data breaches.
In other words, preparation is the key to incident response and being prepared via practicing cannot be underestimated.
Singh said that anyone who believes that they were confident in preventing or detecting cyber-attacks, which the IBM Resilient survey found 40% and 49% were confident of, was “living in ‘La la land’ - better known as dream land.”
He said: “For Ponemon to even ask that question shows that they themselves don’t understand the nature of the cyber beast. It’s simply wrong to say that ‘I can prevent an attack to the business’. The established clichés of ‘not a case of if you are attacked but when’ are more true now than ever before. So - to those 40% who said they can prevent an attack. Good luck. Get real."