Companies outflanked, outclassed when investigating security incidents: survey

Resource-stretched CSOs were forced to investigate an average of 1.5 security incidents every week last year and lost significant amounts of time playing catch-up with ever-nimbler cybercriminals, a survey of IT and security professionals has found.

Poor integration between security components was just one of the issues blamed by the 700 mid-market and large-enterprise respondents to Intel Security's Tackling Attack Detection and Incident Response report, for which the company partnered with Enterprise Strategy Group (ESG).

Some 28 percent of the investigations involved forensic examination of targeted attacks – notable, ESG warns, because such investigations require the specialised skills of security analysts, detailed information about IT assets, and advanced security analytics that many companies still have yet to master.

“Organisations are spending an inordinate amount of time trying to manually put out those fires they're seeing inside their organisation,” Intel Security chief technology officer Sean Duca told CSO Australia. “Hand on heart, most organisations would actually struggle. They cannot even cope with the information in front of them.”

Companies' inability to cope was blamed by respondents on a range of reasons, with 38 percent of respondents saying their users lacked knowledge about cybersecurity risks; 32 percent saying modern malware had become “increasingly difficult” to detect; 30 percent blaming increased use of social networking; and 29 percent blaming sophisticated social-engineering attacks.

Bring your own device (BYOD) policies were blamed by 24 percent of respondents as having compromised the security of the environment, as were increasing use of personal business services like Dropbox and EverNote (26 percent) and increasing use of non-PC devices like tablets and smartphones (22 percent).

A deficiency of the security skills necessary to detect modern malware stealthing techniques was named by 23 percent of respondents in the ESG report, which warned that “the Intel Security data portrays an unfair fight where cybersecurity offence often overwhelms cybersecurity defences.”

A reliance on poorly defined security-analysis procedures, informed by often-immature threat-defence perimeters and under-utilised security applications, had continued to cause problems for companies that needed to figure out a smarter way to deal with the ongoing flood of incidents, he said – and this involves more than just adding more and more security staff.

“The incident-response triage is not really a co-ordinated approach: the data is telling us that people are spending a large amount of time trying to work out where the problems are in the environment. Some security tools are in a deployed state, and some are not; they're just constantly trawling through logs.”

“They need to start to understand the way their environment actually works, and how they can have a more secure architecture where the technology is working and they have processes in place.” Organisations hoping to mount a more effective response needed to integrate threat-intelligence infrastructure into their effort – yet persistent deficiencies continued to stymie efforts to do so. Asked what were the biggest inhibitors to having real-time security visibility, some 41 percent of respondents said they needed a better understanding of user behaviour.

Fully 37 percent said they needed better integration between security intelligence and IT operations tools, with an equal proportion saying they needed a better understanding of network behaviour.

Simple lack of time was proving to be another contributing factor, with 47 percent of respondents saying that determining the impact and scope of a security incident was the most time consuming part of the remediation effort. Also time-consuming were the process of taking action to minimise the impact of an attack (cited by 42 percent), analysing security intelligence to detect security incidents (41 percent), and determining which assets might be vulnerable to a similar attack (39 percent).

In the midst of the increasingly sophisticated response, companies also need to remember that “not everything is going to be sophisticated,” Duca warned, noting that the popular focus on stealthy infiltrators could distract from the ongoing threat from those using quite basic attack methods.

“There's this confusion amongst many people that every attack is an advanced persistent threat, he said, “but attackers will also use rudimentary skills and techniques. It's a mixture, and we need to be able to fix the most minor and basic thing as well as the most sophisticated threats.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Join the CSO newsletter!

Error: Please check your email address.

Tags Security SurveyEvernotedropboxIT SecurityEnterprise Strategy Group (ESG)cybercriminalsSean DucamalwareCSO AustraliaBYODIntel securitytargeted attackssmartphonessecurity incidentsmodern malware

More about CSODropboxEnex TestLabIntel

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts