Why Your Security Team Needs an Incident Response Entourage

Owen Lystrup, published in Shifted, Oct 18, 2016 (3 min read)

[Header image credit: Marc Mueller (@seven11nash), Unsplash]

In an industry with an acute shortage in talent, a market full of redundant endpoint products, and a polymorphic and well-equipped adversary, a growing number of companies are turning to incident response services for help.

Even as we witness the emergence of technology capable of automating protection through machine learning and forms of artificial intelligence, incident response — still a very human service — shows signs of strong growth. A SANS survey conducted in June suggests incident response is becoming a top priority for many enterprises, with particular attention being paid to detection time and remediation time. In the survey, more than 40 percent of respondents reported that they could detect an incident within a day. At the same time, nearly 70 percent of respondents noted that a staffing shortage is a major impediment to the efforts of incident response teams.

While around 76 percent of the companies polled had dedicated IR teams, the staffing shortage might be cause for those same companies to augment their staff through third parties.

Sean Mason, director of threat management for Cisco security advisory services, says that companies needing more skilled workers from a thin talent pool are creating the demand for such IR services. Companies want to detect and respond to incidents more quickly, but a staff of a few individuals can do only so much.

Incident response, he said in an interview, is a bit of a misnomer. Companies should instead regard it as continuous detection and response.

“[Incident response] is often looked at as a point in time, and it’s often after the fact,” he said. “It really needs to be something more like continuous monitoring and response.”

Security teams and company leadership are increasingly coming to grips with the notion that an attack is not merely probable but inevitable. This, Mason said, is causing a rethink of budgetary spending as companies assess the risk of doing business online.

“There’s a swing happening right now when it comes to budgetary dollars,” he said. “It’s a shift away from checkbox compliance [that] simply doesn’t work.”

Instead, the companies and teams that have invested significant effort and money beyond prevention alone — when the big one does hit — will be able to jump into action much more quickly. They will be able to rely not only on the tools and technology, but on the organizational structure they have built as a result of that investment.

And the organizational structure around incident response is key. There is a big difference between a single person or small group of individuals trying to put out a fire and an entire team of coordinated individuals working with the support of company leadership.

NetworkWorld contributor and ESG Senior Principal Analyst John Oltsik describes the scenario as a fire crew battling not just one wildfire, but potentially hundreds or thousands of wildfires at once. It is simply not conceivable to put them all out. Accordingly, in an ESG survey, some incident response teams reported that they ignore as many as half of the alerts they receive because they cannot keep pace.

This burden is exactly where incident response services come into play.

“I cringe when I hear a CISO say, ‘I’ll deal with this when it happens,’” Mason said. What teams are really doing with an incident response vendor is “augmenting their staff with a dedicated team.” Going through the motions of choosing a partner ahead of time, and then putting one on retainer, can get a huge amount of prework out of the way.

Retainers eliminate the need for the initial client/vendor dance when a breach happens. The emergency calls that Mason says his team gets fairly often are much like a first date, filled with preliminary questions: What company do you work for? Where are you based? What technology and products are you working with?

Many of those questions would already be out of the way if a company brought a team on board before an incident. Once an incident does occur, time is of the essence.

Owen Lystrup, Shifted: Digital Content Director for Western Digital.