Investment In Data Breach Responders Lacking, Study Finds

The most effective response to security incidents and potential data breaches in the organization involves a team of people, an investment that many organizations say their firms are not willing to make, according to a new study.

A survey of 674 IT security professionals in the United States and the United Kingdom, conducted by the Ponemon Institute, found a lack of investment in, and awareness of, incident response activities from senior management. The majority of survey respondents said additional people and more efficient processes could help speed incident response, but they acknowledged that investments in incident response capabilities in their organization have remained static over the past 24 months. The study, released in January, was commissioned by Alpharetta, Ga.-based security firm Lancope.

"Most respondents agreed that the best thing that their organizations could do to mitigate future breaches is to improve their incident response capabilities," according to the Ponemon report. "This recommendation was more popular than preventative security measures such as vulnerability audits and end-user education efforts."

Advanced threat detection capabilities, driven by network security vendors such as FireEye, Palo Alto Networks and Cisco Sourcefire, have put a focus on threat detection. But once the appliances spot a threat, incident responders still need to pinpoint the threat, contain it, remediate open vulnerabilities and deal with the infected system. All the vendors acknowledge that their technologies require incident responders. FireEye recently acquired Mandiant for its incident response capabilities and digital forensics practice as well as its endpoint security suite.

Solution providers say they are not surprised by the report's findings. Businesses will race to put in new technology, but they often consider the impact of the technology after it is in place, said Shaq Kahn, CEO of Fremont, Calif.-based security service provider Fortifier. Kahn, who has sold and implemented FireEye appliances, said in a recent interview that response capabilities are all too often an afterthought.

"They see the benefit of the threat detection, but they don't realize that something needs to be done once detection takes place," Kahn said. "This is a consistent problem with security."

Investments in incident response technologies and personnel may be viewed as reactive rather than preventative, according to Larry Ponemon, founder and chairman of the Ponemon Institute. In the report, Ponemon said that, ideally, breaches would not occur, and therefore there would be no need for teams to respond to them.

"With a limited budget for protecting an organization against security problems, it may be easier to rationalize spending that money on measures that are designed to stop breaches from occurring in the first place rather than on measures that are designed to respond to a breach once it has happened," Ponemon said.

Ponemon said organizations need to understand that investing in incident response personnel and technologies leads to information that can be vital to an organization that needs to prioritize preventative investments. Having knowledge about the attackers targeting the organization and the vulnerabilities they are targeting can help security teams focus on areas that need addressing the most, Ponemon said.

A similar Ponemon survey of more than 1,000 IT and IT security practitioners in the U.S. and EMEA was released this month and had strikingly similar findings to the previous incident response study. The study, commissioned by digital forensics toolmaker AccessData, found an increasing concern over the sophistication of targeted attacks.

Understanding the root causes of cyberattacks increases an organization’s ability to respond to future attacks, according to 66 percent of respondents in the Ponemon study. Those who took the survey ranked having an incident response plan and security specialist expertise higher than having specialized incident response technologies. Security specialists can use their intuition and expertise to determine the full extent of the attack.

Technologies that can quickly detect threats, record forensics evidence about cyberthreats and provide full visibility across log files, network traffic and endpoint devices were rated highly by survey respondents.

Cyberattacks appear to be growing more targeted and stealthier, making it more difficult for digital forensics investigators to trace the root cause of an attack, according to those surveyed. Forty-one percent of respondents said their organizations will never know with certainty what caused the security incident, while 38 percent said it could take a year, according to the Ponemon study.

"The recent Target data breach and the circumstances surrounding the detection and remediation of the incident makes the case for the importance of having threat intelligence processes in place," Ponemon said in the report. "When a cyberattack or other security incident occurs, CISOs and their security teams must be able to explain the details of the incident to senior management, often without being given the time to gather the necessary intelligence to provide an accurate assessment of the problem."