Most organisations are not following incident response best practices and are not well prepared to face advanced cyber threats, a study has revealed.
The study by RSA, the security division of EMC, compared the results of a breach readiness survey in 30 countries with a benchmark survey of the security leaders of global 1,000 companies which are members of the Security for Business Innovation Council (SBIC).
The RSA survey focused on measures in incident response, content intelligence, analytic intelligence and threat intelligence.
According to RSA, incident response is a core capability that needs to be developed and consistently honed to effectively face the increasing volume of cyber attack activity.
But the RSA study showed that organisations continue to struggle with the adoption of technologies and best practices that will allow them to more effectively detect, respond to and disrupt the cyber attacks that turn into damaging breaches.
The RSA study revealed that while all leading-edge SBIC members have developed an incident response function, a third of the 170 non-SBIC respondents do not have a formal incident response plan, and 57% of those who do have a plan never review or update those plans.
Conversely, 67% of SBIC members formally use intelligence and key learnings gleaned from security incidents to improve response processes.
Content intelligence in the survey measured awareness gained from tools, technology and processes in place to identify and monitor critical assets.
While all SBIC members have a capability to gather data and provide centralised alerting, 55% of the non-SBIC members lack this capability, blinding them to many threats, the report said.
Some 92% of SBIC members use asset criticality and/or vulnerability data during daily operations and incident management, compared with just 60% of non-SBIC members.
The RSA study also showed that identifying false positives continues to be a difficult task: only half of the non-SBIC respondents have a formal plan in place for identifying false positives, while over 90% of SBIC members have automated cyber security technologies and a process to update information to reduce the chances of future incidents.
The report said most organisations recognise that basic log collection through security information and event management (SIEM) systems only provides partial visibility into their environment.
In the RSA survey, 72% of non-SBIC respondents have access to malware or endpoint forensics, but only 42% have capabilities for more sophisticated network forensics, including packet capture and NetFlow analysis. In contrast, 83% of SBIC members have access to forensics and 83% have access to a live network forensics capability.
According to RSA, external threat intelligence and information sharing are also key activities for organisations to stay up to date on attackers’ current tactics and motives, but the study found that only 43% of non-SBIC members are using an external threat intelligence source to supplement their efforts. All SBIC members use external threat intelligence, with 83% using this data in daily cyber security operations.
Finally, the study noted that, despite it being common knowledge that attackers continue to exploit known but unaddressed vulnerabilities in damaging breaches, only 60% of the non-SBIC respondents had an active vulnerability management programme in place, making it more challenging to keep their security programmes ahead of attackers. All SBIC members said they have an active vulnerability management programme in place.
The RSA study is aimed at providing quantitative insights into real-world security practices, highlighting gaps in technology and procedure, and providing advice from the SBIC for how to best close those gaps.
Dave Martin, chief trust officer at RSA, said organisations are struggling to gain visibility into operational risk across the business.
“As business has become increasingly digital, information security has become a key area of operational risk, and while many organisations may feel they have a good handle on their security, it is still rarely tied in to a larger operational risk strategy, which limits their visibility into their actual risk profile,” he said.
Ben Doyle, chief information security officer at Thales Australia and New Zealand, said people and processes are more critical than the technology when it comes to incident response.
“First, a security operations team must have clearly defined roles and responsibilities to avoid confusion at the crucial hour. But it is just as important to have visibility and consistent workflows during any major security crisis to assure accountability and consistency and help organisations improve response procedures over time,” he said.