Companies outflanked, outclassed when investigating security incidents: survey

Resource-stretched CSOs were forced to investigate an average of 1.5 security incidents every week last year and lost significant amounts of time playing catch-up with ever-nimbler cybercriminals, a survey of IT and security professionals has found.

Poor integration between security components was just one of the issues blamed by the 700 mid-market and large-enterprise respondents to Intel Security's Tackling Attack Detection and Incident Response report, for which the company partnered with Enterprise Strategy Group (ESG).

Some 28 percent of the investigations involved forensic examination of targeted attacks – notable, ESG warns, because such investigations require the specialised skills of security analysts, detailed information about IT assets, and advanced security analytics that many companies have yet to master.

“Organisations are spending an inordinate amount of time trying to manually put out those fires they're seeing inside their organisation,” Intel Security chief technology officer Sean Duca told CSO Australia. “Hand on heart, most organisations would actually struggle. They cannot even cope with the information in front of them.”

Companies' inability to cope was blamed by respondents on a range of reasons, with 38 percent of respondents saying their users lacked knowledge about cybersecurity risks; 32 percent saying modern malware had become “increasingly difficult” to detect; 30 percent blaming increased use of social networking; and 29 percent blaming sophisticated social-engineering attacks.

Bring your own device (BYOD) policies were blamed by 24 percent of respondents for having compromised the security of the environment, as was increasing use of personal business services like Dropbox and Evernote (26 percent) and increasing use of non-PC devices like tablets and smartphones (22 percent).

A shortage of the security skills needed to detect the stealth techniques used by modern malware was named by 23 percent of respondents in the ESG report, which warned that “the Intel Security data portrays an unfair fight where cybersecurity offence often overwhelms cybersecurity defences.”

A reliance on poorly defined security-analysis procedures, informed by often-immature threat-defence perimeters and under-utilised security applications, continued to cause problems for companies that needed to find a smarter way to deal with the ongoing flood of incidents, Duca said – and that involves more than simply adding more security staff.

“The incident-response triage is not really a co-ordinated approach: the data is telling us that people are spending a large amount of time trying to work out where the problems are in the environment. Some security tools are in a deployed state, and some are not; they're just constantly trawling through logs.”

“They need to start to understand the way their environment actually works, and how they can have a more secure architecture where the technology is working and they have processes in place.” Organisations hoping to mount a more effective response needed to integrate threat-intelligence infrastructure into their effort – yet persistent deficiencies continued to stymie efforts to do so. Asked what were the biggest inhibitors to having real-time security visibility, some 41 percent of respondents said they needed a better understanding of user behaviour.

Fully 37 percent said they needed better integration between security intelligence and IT operations tools, with an equal proportion saying they needed a better understanding of network behaviour.

Simple lack of time was proving to be another contributing factor, with 47 percent of respondents saying that determining the impact and scope of a security incident was the most time-consuming part of the remediation effort. Also time-consuming were the process of taking action to minimise the impact of an attack (cited by 42 percent), analysing security intelligence to detect security incidents (41 percent), and determining which assets might be vulnerable to a similar attack (39 percent).

In the midst of the increasingly sophisticated response, companies also need to remember that “not everything is going to be sophisticated,” Duca warned, noting that the popular focus on stealthy infiltrators could distract from the ongoing threat from those using quite basic attack methods.

“There's this confusion amongst many people that every attack is an advanced persistent threat,” he said, “but attackers will also use rudimentary skills and techniques. It's a mixture, and we need to be able to fix the most minor and basic thing as well as the most sophisticated threats.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.