SlideShare a Scribd company logo
1 of 18
Download to read offline
Research Insights
Paper
Status Quo Creates Security Risk:
The State of Incident Response
By Jon Oltsik, Senior Principal Analyst
February 2016
This ESG Research Insights Paper was commissioned by ServiceNow
and is distributed under license from ESG.
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 2
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Contents
Executive Summary ......................................................................................................................................3
Situational Analysis of Incident Response....................................................................................................4
IR Issues and Challenges...............................................................................................................................6
IR Efficiency Needs Improvement ..............................................................................................................11
Next Steps...................................................................................................................................................14
The Bigger Truth .........................................................................................................................................16
All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The
Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are
subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of
this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the
express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and,
if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.
Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 3
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Executive Summary
In late 2015 and early 2016, the Enterprise Strategy Group (ESG) conducted a research survey of 184 IT and
cybersecurity professionals with knowledge of, responsibility for, or day-to-day operational oversight of incident
response processes and technologies at their organizations. Survey respondents were also required to spend at
least 25% of their time on incident response processes and technologies on a daily basis.
Survey respondents were located in North America and came from organizations ranging in size: 19% of survey
respondents worked at organizations with 1,000 to 4,999 employees, 36% worked at organizations with 5,000 to
9,999 employees, 21% worked at organizations with 10,000 to 19,999 employees, and 24% worked at organizations
with 20,000 or more employees. Respondents represented numerous industry and government segments with the
largest participation coming from the manufacturing industry (18%), business services (16%), financial services
(15%), information technology (11%), and retail/wholesale (11%).
This research project was undertaken in order to evaluate the current practices and challenges associated with
incident response processes and technologies. Respondents were also asked to provide details on their
organizations’ future strategic plans intended for improving the efficacy and efficiency of IR activities. Based upon
the data collected as part of this project, this paper concludes:
 Incident response depends upon strong collaboration between cybersecurity and IT operations teams.
When asked to identify the most important factors for incident response excellence, 31% of survey
respondents pointed to security and IT tools integration while 24% said strong collaboration between
cybersecurity and IT operations teams. Furthermore, 70% of organizations say the incident response
processes are tightly aligned with IT operations frameworks and guidelines like COBIT, ITIL, and NIST. When
it comes to incident response quality, cybersecurity professionals believe there must be a clear symbiotic
relationship between cybersecurity and IT teams.
 Many organizations identify organizational challenges. While survey respondents were quick to point to
the need for cybersecurity and IT collaboration, many say that their organizations have challenges in these
areas. One-third (33%) of organizations say they are challenged in coordinating IR activities between
cybersecurity and IT operations teams, while 30% claim that they find monitoring incident response
processes from end-to-end (i.e., through detection, investigations, ticketing, and response) especially
challenging.
 IR is fraught with manual processes. When asked if their organization’s incident response efficiency and
effectiveness is limited by the time and effort required for manual processes, 93% of the cybersecurity
professionals surveyed responded, “yes.” This is a real problem since 22% of organizations find it
challenging to keep up with the volume of security alerts. As security alert volume inevitably increases over
time, manual process bottlenecks will greatly impact large organizations’ abilities to scale IR processes.
 CISOs are adopting IR automation and orchestration to address current problems. Over 90% of
organizations are doing technical integration or deploying new technologies intended to help them
automate and orchestrate IR processes. Survey respondents say that their organizations are embracing IR
automation and orchestration to improve detection/response times, improve collaboration between
cybersecurity and IT teams, and allow them to automate simple remediation tasks.
 Enterprises have aggressive IR plans. A vast majority (88%) of organizations plan to increase spending on
incident response over the next two years. In addition to budget growth, 47% of organizations plan to
improve the alignment of incident response and IT governance processes, 42% want to consolidate incident
response personnel and tools into a common location, 39% plan to create a formal CERT, and 34% intend to
provide more IR training to cybersecurity and IT operations teams.
Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 4
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Situational Analysis of Incident Response
For the purposes of this research project, incident response was defined as follows:
An organized approach to addressing and managing the reaction to a discovered risk (i.e., threat or
vulnerability), security breach or cyber-attack. The goal of incident response is to quickly detect and
remediate all aspects of any type of security incident in a way that limits damage, reduces recovery time,
and minimizes costs.
Based upon this definition, survey respondents were asked to identify the most important factors that lead to
incident response excellence (see Figure 1). Cybersecurity professionals point to many things including:
 Security and IT tool integration. Nearly one-third (31%) of cybersecurity professionals recognize the holistic
nature of incident response that spans across infosec and IT operations teams. Therefore, survey
respondents believe that IR excellence must be anchored by strong interoperability and a common view
across all cybersecurity and ITSM technology components. Security and IT tool integration can allow
cybersecurity and IT operations to work together seamlessly to detect and respond to security events in an
efficient manner.
 The ability to know whether a security incident impacts a critical system. All security incidents are not
created equally. Some can impact a low-priority user PC while others take aim at business-critical
applications and databases. More than one-fourth (28%) of cybersecurity professionals believe that true IR
excellence must be based upon the ability to distinguish between pedestrian events and those that could
disrupt business operations or seek to steal sensitive intellectual property (IP), leading to a devastating data
breach.
 Strong collaboration between the incident response and IT operations teams. Aside from technology
integration alone, 24% of survey respondents claim that IR excellence depends upon strong collaboration
between incident response and IT operations teams. When security analysts identify an issue on IT ticketing
systems, they need the IT operations team to work in concert with them to prioritize the event, quarantine
systems, and take immediate remediation actions.
On a similar train of thought, 18% of cybersecurity professionals believe that IR excellence includes the ability to
quickly classify and prioritize security incidents. This is certainly associated with technology integration and
cooperative processes.
Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 5
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Figure 1. Important Factors for Incident Response Excellence
Source: Enterprise Strategy Group, 2016.
Since IR excellence depends upon a foundation of close collaboration between cybersecurity and IT operations, it is
no surprise that 70% of organizations say that incident response is tightly aligned with IT governance frameworks
and guidelines (see Figure 2).
This may be a positive sign for incident response. Many enterprise organizations have years of experience and
millions of dollars invested in IT operations frameworks like COBIT, ISO 20000, ITIL, and the Microsoft Operations
Framework (MOF) in order to systematize IT processes like configuration management, change management, and
service management. Alternatively, incident response is often managed more informally by key individuals using
their own methodologies. ESG believes that tight integration could force IR processes to adhere to the discipline
and rigor applied to IT service management. This could then lead to improvements in IR productivity, efficacy, and
efficiency.
9%
10%
12%
13%
14%
15%
16%
17%
17%
18%
18%
24%
25%
26%
28%
31%
Open source tools
A documented formal incident response processes that is
followed by the organization and regularly tested
The ability to enrich individual events with other
internal/external data
Implementing defined IR processes inside a workflow /
ticketing tool”
External threat intelligence feeds that identify “in-the-
wild’ malicious activities
Continuous monitoring of device, network, and user
behavior
Security analysts’ skills and experience
Well-tuned threat detection tools
Anomaly detection technologies
The ability to quickly classify and prioritize critical
incidents
Incident response participation by non-IT groups such as
executive management, legal, HR, PR, etc.
Strong collaboration and cooperation between the
incident response team and IT operations teams
SIEM tools that collect and correlate logs and events
Security tool integration
The ability to understand whether a security incident
impacts a critical IT asset
Security and IT tool integration
In your opinion, which of the following factors are most important for incident response
excellence? (Percent of respondents, N=184, three responses accepted)
Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 6
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Figure 2. Alignment Between Cybersecurity and IT Frameworks and Guidelines
Source: Enterprise Strategy Group, 2016.
IR Issues and Challenges
Cybersecurity professionals believe that technology integration, collaboration between cybersecurity and IT
operations, and tight alignment between cybersecurity and IT operations frameworks are important components
for their incident response performance. Unfortunately, security professionals admit to one or several problems in
these and other IR areas. For example (see Figure 3):
 Seventy-two percent of survey respondents “strongly agree” or “agree” that IR processes tend to be
informal and reliant on things like spreadsheets, open source tools, and the knowledge and experience of
individuals. Additionally, 75% believe that IR processes can be disrupted if key individuals are unavailable.
So in spite of the fact that organizations tightly integrate cybersecurity processes with IT operations
frameworks and guidelines, IR remains somewhat undisciplined and haphazard. The impact of these issues
tends to increase as the volume of systems on the network, network traffic, and security alerts escalate.
 Sixty-nine percent of survey respondents “strongly agree” or “agree” that it can be difficult to enrich data
to get a more holistic understanding of security alerts and/or cyber-attacks. In incident response, data
enrichment means combining data sources for a more complete picture. For example, a security analyst
might want to enrich data from a network anti-malware sandbox with data from endpoint forensics tools,
threat intelligence feeds, and IT asset data from a CMDB. This can be difficult as it is often based on a series
of manual and time-consuming processes. This is not only inefficient but also adds to the dwell time for
cyber-attacks.
 Sixty-one percent of survey respondents “strongly agree” or “agree” that there is some friction between
the information security and IT operations teams at their organizations. Based upon the data presented
previously in this paper, cybersecurity professionals clearly believe that IR process quality depends upon
Tightly aligned - My
organization’s
cybersecurity policies
and processes are
based upon the
stipulations and
recommendations of
one or several IT
frameworks/guidelines,
70%
Somewhat aligned - My
organization’s
cybersecurity policies
and processes are
based upon some but
not all of the
stipulations and
recommendations of
one or several IT
frameworks/guidelines,
29%
Not very aligned - My
organization takes the
stipulations and
recommendations of
one or several IT
frameworks/guideline
s into consideration
but they are not an
essential part of our
cybersecurity policies
and processes, 1%
You indicated that your organization uses one or several IT governance frameworks/guidelines. In
your opinion, how closely aligned are your organization’s cybersecurity policies and processes with
policies and processes stipulated in these IT frameworks/guidelines? (Percent of respondents,
N=182)
Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 7
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
sound communications and collaboration between cybersecurity and IT operations teams. Unfortunately,
these relationships can be strained—61% agree that friction exists between these groups. This friction is
often experienced during the handoff for system remediation from SOC teams to IT operations, elongating
timeframes, increasing dwell time for malware, and increasing IT risk. This may be why 62% of survey
respondents agree that incident response processes often take longer than they should.
It is also worth noting that 63% of survey respondents agree with the statement, “Incident response has become
more difficult over the past two years.” Rather than improving, it is safe to assume then that many of these issues
continue to get worse over time.
Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 8
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Figure 3. Cybersecurity Professionals’ Opinions on Incident Response at Their Organizations
Source: Enterprise Strategy Group, 2016.
27%
29%
29%
29%
30%
30%
31%
31%
32%
32%
42%
42%
33%
34%
34%
42%
49%
41%
44%
29%
33%
44%
16%
19%
18%
17%
10%
14%
15%
16%
17%
15%
10%
9%
15%
15%
14%
14%
3%
10%
8%
11%
11%
3%
6%
4%
3%
6%
4%
3%
3%
1%
11%
9%
1%
0% 20% 40% 60% 80% 100%
It can be difficult to enrich incident data to get a more
holistic understanding of security events and/or cyber-
attacks
Once incident response remediation is handed off to the
IT team, it can be difficult to monitor progress
Incident response has become more difficult over the
past two years
It can be difficult to assess the overall security posture of
my organization
Incident response processes often take longer than they
should
Our incident response process would benefit from
additional access to IT data, but relationship and/or tool
issues make this challenging
My organization’s incident response processes tend to
be informal and rely on things like spreadsheets, open
source tools, and the knowledge and experience of
individuals
My organization’s incident response processes can be
disrupted or take additional time if key individuals are
not available
There is friction in the relationship between the IT and
information security teams at my organization
My organization’s incident response metrics are
somewhat informal and vague
Monitoring incident response relies on a number of
tools and data repositories
Please indicate whether you agree or disagree with each of the following statements.
(Percent of respondents, N=184)
Strongly agree Agree Neither agree nor disagree Disagree Strongly disagree
Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 9
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
ESG also asked cybersecurity professionals to identify specific incident response challenges at their organizations.
Survey respondents pointed to numerous problems such as (see Figure 4):
 Coordinating IR activities between cybersecurity and IT teams. This topped the list once again as one-
third of survey respondents’ view this as a challenge.
 Monitoring IR processes from end-to-end. Thirty percent of survey respondents find it challenging to
monitor end-to-end IR processes—from detection, through security investigations, to remediation and
problem closure. This is likely due to the lack of cybersecurity and IT operations tools integration as well as
friction between these two groups.
 Maintaining the right IR skills. Many aspects of IR require experienced security analysts who can conduct
forensic investigations, dissect malware, or fine-tune security controls to prevent sophisticated attacks,
which is why 28% of organizations are challenged with maintaining the right IR skills. Unfortunately these
skills are in short supply. According to other ESG research, 46% of organizations claim to have a
“problematic shortage” of cybersecurity skills and 87% believe it is difficult to recruit and hire cybersecurity
talent.1
To maintain the right incident response skills, CISOs must hire and train junior security analysts and
invest in advanced training to keep senior SOC staff up to speed. This process requires time, money, and
constant diligence.
 Knowing when to get other groups involved. The ESG data indicates that 26% or respondents have trouble
knowing how and when to get groups like business managers, legal, and HR involved with IR processes. This
should be expected given that IR processes are often informal in nature but this issue can lead to real
problems. When the CERT discovers a data breach that resulted in the exfiltration of medical records and
customer data, organizational reputation, share price, and legal protection can depend upon the execution
of a well-tested plan that includes actions like alerting customers, working with law enforcement, and
communicating with the press. Clearly, these are NOT cybersecurity or IT operations tasks but they are
indeed essential to incident response.
 Keeping up with security alerts. Twenty-two percent of enterprises find it challenging to keep up with the
volume of security alerts they receive on a daily basis. Since this volume is only increasing, this should be
especially concerning to CISOs.
Finally, recall that 31% of cybersecurity professionals indicated that cybersecurity and IT operations tool integration
is a key factor for incident response excellence. Sadly, more than one-fourth (26%) report issues around technology
integration of various security technologies and controls.
1 Source: ESG Brief: Cybersecurity Skills Shortage: A State of Emergency, February 2016.
Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 10
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Figure 4. Incident Response Challenges
Source: Enterprise Strategy Group, 2016.
4%
16%
18%
18%
21%
22%
22%
23%
23%
23%
24%
24%
25%
26%
26%
28%
28%
30%
33%
We have not experienced any challenges
Normalizing all data needed for incident response
Incident response depends upon too many manual processes
Incident response depends upon too many security tools
Security investigations take too much time to execute
Keeping up with the volume of security alerts
Keeping up with the volume of external threat intelligence
Incident response processes are too informal and really depend
upon the skills and techniques of a few key employees
Incident response is based upon too many tedious, repetitive and
time-consuming tasks
My organization doesn’t have an adequately sized security staff
necessary to keep up with incident response
Security tools used for incident response are not well integrated
Recording and tracking incidents throughout their lifecycle from
creation to close
There is a significant skills gap between junior and senior incident
responders that forces senior incident responders to do most of the
work
Issues around technology integration of various security tools and
controls
Knowing how and when to get groups like business managers, legal,
and HR involved in incident response processes
Keeping up with software vulnerabilities and subsequent patch
management activities
Maintaining the right skills needed for incident response
Monitoring incident response processes from end-to-end to ensure
that all incidents are adequately addressed and closed
Coordinating incident response activities between the cybersecurity
and IT team
In your opinion, what are the biggest incident response challenges at your organization?
(Percent of respondents, N=184, multiple responses accepted)
Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 11
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Aside from the challenges described above, cybersecurity professionals also admit that manual processes get in the
way of IR efficiency and effectiveness (see Figure 5). This alone creates an alarming scenario for the future as
manual processes can’t possibly keep up with the growing volume of security alerts or help CISOs improve
collaboration between cybersecurity and IT operations teams.
Figure 5. Manual Incident Response Processes Hinder Efficiency and Effectiveness
Source: Enterprise Strategy Group, 2016.
IR Efficiency Needs Improvement
The ESG data reveals that incident response processes are frequently characterized by manual processes, a lack of
technology integration, and friction between SOC and IT operations teams. Concerned CISOs realize that they need
to address these issues as soon as possible in order to accelerate and improve IR efficiency while optimizing the
productivity of their personnel. Given the global cybersecurity skills shortage, many security executives have come
to understand that the best way forward is to formalize, automate, and orchestrate IR processes. Many
organizations are doing exactly this—45% of organizations are automating and orchestrating IR processes
extensively while another 47% are doing so somewhat (see Figure 6).
Yes, significantly, 52%
Yes, somewhat, 41%
No, 7%
Don’t know, 1%
Do you believe that your organization’s incident response efficiency and effectiveness
are limited by the time and effort required for manual processes? (Percent of
respondents, N=184)
Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 12
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Figure 6. Enterprise Organizations Are Moving Toward IR Automation and Orchestration
Source: Enterprise Strategy Group, 2016.
Why do so many organizations want to automate and orchestrate their IR processes? Cybersecurity professionals
cite several reasons including the following (see Figure 7):
 Forty-five percent want to use IR automation and orchestration to improve collaboration between
cybersecurity and IT operations groups. In this case, automation/orchestration can add structure to cross-
group communications and help alleviate process bottlenecks when remediation tasks are handed off from
security analysts to IT operations teams.
 Thirty-eight percent believe that IR automation/orchestration can help them improve efficiency of IT
operations tasks like updating antivirus signatures or installing software patches. Enterprises have no
shortage of these types of day-to-day tasks with countless manual steps involved. Automation/
orchestration can help them save time, improve the time it takes for end-to-end workflows, and bolster
productivity.
 Thirty-seven percent want to use IR automation/orchestration to help them prioritize incidents. In other
words, IR automation and orchestration can help them deal with security alert volume, enrich data
Yes, extensively (i.e.,
technical steps used for
incident response
process automation
are being used
extensively in a
production
environment today and
there are ongoing
plans to continue this
effort), 45%
Yes, somewhat (i.e.,
technical steps used for
incident response
process automation
are starting to be used
in a production
environment today and
there are ongoing
plans to continue this
effort), 47%
No, but we plan to
perform technical
integration, and/or
deploy new
technologies intended
to help automate and
orchestrate incident
response processes
within the next 12 to
24 months, 5%
No, but we are
interested in
performing technical
integration, and/or
deploying new
technologies intended
to help automate and
orchestrate incident
response processes
within the next 12 to
24 months, 1%
No and we have no
plans or interest in
performing technical
integration, and/or
deploying new
technologies intended
to help automate and
orchestrate incident
response processes at
this time, 1%
Don’t
know, 1%
Has your organization done any technical integration and/or deployed any new
technologies intended to help automate and orchestrate incident response processes?
(Percent of respondents, N=184)
Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 13
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
elements, and make decisions on which security incidents need immediate attention and which get a lower
ranking.
 Thirty-six percent want to use IR automation and orchestration to help them decrease the number of hours
needed for incident response processes. CISOs clearly realize that the combination of increasing security
alerts and a global cybersecurity skills shortage puts them in a difficult position. They see IR automation/
orchestration as their best hope for increasing productivity in order to keep up.
Figure 7. Why Organizations Are Automating and Orchestrating Incident Response Processes
Source: Enterprise Strategy Group, 2016.
As far as automation and orchestration priorities, 59% want to start by streamlining incident response operations
with the goal of making the IR staff more effective and efficient (see Figure 8). In other words, CISOs believe they
need to start by improving collaboration between CERTs and IT operations and making IR processes more like the
formal methodologies they employ using IT operations frameworks like COBIT, ISO, ITIL, and NIST.
36%
36%
36%
37%
37%
38%
38%
45%
48%
Allow us to automate repetitive and time-consuming
tasks
Decrease the number of hours required for incident
response processes
Increase the number of security alerts we can follow up
on
Automation/orchestration can help us prioritize
incidents
Automation/orchestration can help us collect, process,
and enrich security data in a more efficient manner
Automation/orchestration can help us improve the
efficiency of IT operations tasks like updating antivirus
signatures or installing software patches
Allow us to automate simple remediation actions
Improve collaboration between cybersecurity and IT
operations groups
Improve our ability to detect and respond to incidents in
a timely manner
You indicated that your organization has taken actions to automate and/or orchestrate incident
response processes or is planning to do so or interested in doing so in the future. Why has or will
your organization do this? (Percent of respondents, N=182, multiple responses accepted)
Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 14
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Figure 8. Incident Response Automation and Orchestration Priorities
Source: Enterprise Strategy Group, 2016.
Next Steps
Over the next two years, 46% of organizations say that incident response spending will increase significantly while
42% claim that IR spending will increase somewhat during this timeframe. This indicates that most enterprise CISOs
believe they need to invest in people, processes, and technologies to improve IR efficacy, efficiency, and
productivity.
In addition to budget increases, cybersecurity professionals described a number of actions their organizations will
take as part of their incident response strategy in the future, including (see Figure 9):
 Forty-seven percent plan to improve the alignment of incident response and IT governance processes.
Recall that 70% of organizations say that their cybersecurity processes are tightly aligned with IT operations
frameworks and guidelines. While this represents a majority, it appears that CISOs and CIOs want to make
these relationships even tighter with a likely goal of improving cross-organizational collaboration,
formalizing IR processes, and defining the right metrics to track for continuous improvement. This objective
is further evidenced by the fact that 42% of organizations want to develop formal and documented IR
processes.
 Forty-two percent plan to consolidate existing IR personnel and technologies into a common location as a
means for improving communication and collaboration related to incident response processes and
operations. Note that 39% want to create a CERT as well. In both cases, organizations want to build more
structured incident response teams to address many of their current organizational challenges.
 Thirty-four percent plan to provide IR training to cybersecurity and IT operations staff. This effort is meant
to keep up to date with IR skills and get the IT operations staff more involved with end-to-end IR processes.
ESG sees this as complementary to improving the alignment of IR processes with IT governance.
Streamlining incident
response operations
with the goal of
making the IR staff
more efficient and
effective, 59%
Automating incident
response remediation
tasks, 39%
Don’t know, 2%
In your opinion, which is the higher priority for incident response automation/orchestration at
your organization? (Percent of respondents, N=184)
Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 15
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Figure 9. Strategic Cybersecurity Plans for Incident Response
Source: Enterprise Strategy Group, 2016.
1%
24%
24%
30%
33%
34%
34%
39%
39%
42%
47%
None of the above
Outsource aspects of incident response to third-party
managed security service providers
Outsource all incident response processes and
responsibilities to third-party managed security service
providers
Develop a formal documented incident response process
Work with professional services organizations to
develop formal incident response processes
Test our incident response processes more often
Provide incident response training for cybersecurity and
IT operations staff
Create a new cybersecurity group that acts as a
Computer Emergency Response Team (CERT) and is
given responsibility/oversight for all incident response
processes and operations
Hire more incident response personnel
Consolidate existing incident response personnel and
technologies into a common location as a means for
improving communication and collaboration on incident
response processes and operations
Improve the alignment of incident response processes
and IT governance processes
As part of its cybersecurity strategy, will your organization take any of the following actions
with regards to incident response over the next two years? (Percent of respondents, N=184,
multiple responses accepted)
Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 16
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
The Bigger Truth
The ESG data presented in this research report is something of a paradox. Cybersecurity professionals understand
that incident response depends upon technology integration, cross-organization collaboration, and the ability to
detect and prioritize security incidents, yet these are the very areas where they struggle today. This means that as
security alert volume increases, enterprises will find themselves falling further behind, increasing cyber-attack dwell
time and IT risk.
Enterprises seem to comprehend the seriousness of this situation as many organizations are increasing IR budgets,
training personnel, and collocating IR tools and personnel to create a dedicated CERT. In addition, the vast majority
of organizations are also automating and orchestrating incident response processes today or are planning to do so
in the near future.
As organizations proceed with IR automation and orchestration, CISOs should study the progress made in IT service
management over the last decade as there are many best practices and lessons learned that can be applied to
cybersecurity as well. For example, CISOs should:
 Focus efforts around high-value IT assets. IR process improvement should ultimately culminate on better
visibility and accelerated response time toward high-value IT assets like critical servers, applications, and
sensitive data. CISOs should enlist the help of CIOs and IT operations to find and specify these resources,
identify all data sources used for monitoring and threat detection, establish hardened configuration, and
create formal escalation processes across cybersecurity, IT, and the business at large. Everyone should
know how to identify problems, roles and responsibilities, and next steps with centralized communication
and workflows with all other constituencies as IR tasks proceed.
 Map out IR processes from end-to-end. This involves assessing and documenting every IR task and step
regardless of how miniscule each one seems. Once these processes are documented, it’s important for
CISOs to pass these runbooks by several senior members of the cybersecurity team to see if anything has
been missed. Additionally, CISOs should review documented IR processes with IT operations to identify
where ITSM tools and methodologies can be added to help with incident detection or response. Armed
with comprehensive and documented IR process maps, CISOs can then categorize where automation and
orchestration can be applied to eliminate manual steps and deliver immediate value. These process maps
can also be used to free up time for the security staff to work on high-priority needs.
 Provide a common dashboard for cybersecurity and IT operations teams. One of the big issues identified
in this research project was the lack of integration between cybersecurity and IT operations tools, so
addressing this issue should be a high priority. In the short term, CISOs will want to align workflows to data
sources and use product APIs for data access and exportation. This will give the SOC team the ability to
pivot from one data point to another without the need to go through individual tools management
systems. CISOs may opt to centralize IR process monitoring in the future by creating common reports and
dashboards for viewing by CERT and IT operations teams as well. A common view can certainly help
ameliorate today’s cross-organizational friction.
 Define and track IR metrics. In the struggle to keep up with the volume of security alerts, many
organizations aren’t doing enough to actually define and track IR metrics. Automation and orchestration
can certainly help here. Since IR relies on a foundation of people and process, CISOs should start with key
performance indicators focused on boosting productivity of the IR and IT operations staff, such as the
number of incidents investigated by junior analysts, the number of investigators per analyst, response time
for emergency actions, and response time for lower priority events. The goal should be overall
effectiveness balanced against productivity. It is also important to establish internal service level metrics to
set and track IR goals and objectives.
 Make sure IR automation and orchestration support regulatory compliance and IT audits. Aside from IR
alone, automation and orchestration should also be used for overall risk management—especially as it
Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 17
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
relates to regulatory compliance. This can be as simple as automating data collection for day-to-day
reporting and should also support automating post-incident response reporting.
20 Asylum Street | Milford, MA 01757 | Tel: 508.482.0188 Fax: 508.482.0218 | www.esg-global.com

More Related Content

What's hot

Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks- Mark - Fullbright
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesJoseph DeFever
 
vision 2020 testimony
vision 2020 testimonyvision 2020 testimony
vision 2020 testimonyRob Arnold
 
Etude PwC sécurité de l’information et protection des données (2014)
Etude PwC sécurité de l’information et protection des données (2014)Etude PwC sécurité de l’information et protection des données (2014)
Etude PwC sécurité de l’information et protection des données (2014)PwC France
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji JacobBeji Jacob
 
Priming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraPriming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraLuke Farrell
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey  SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey FireEye, Inc.
 
Sécurité Mobile : Votre Entreprise est-elle préparée pour 2020?
Sécurité Mobile : Votre Entreprise est-elle préparée pour 2020?Sécurité Mobile : Votre Entreprise est-elle préparée pour 2020?
Sécurité Mobile : Votre Entreprise est-elle préparée pour 2020?AGILLY
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Kim Jensen
 
IYeste - Nova - ISEC695 - Final
IYeste - Nova - ISEC695 - FinalIYeste - Nova - ISEC695 - Final
IYeste - Nova - ISEC695 - FinalIvonne Yeste
 
Trends in Information Security
Trends in Information SecurityTrends in Information Security
Trends in Information SecurityCompTIA
 
2018 Adobe Cybersecurity Survey
2018 Adobe Cybersecurity Survey2018 Adobe Cybersecurity Survey
2018 Adobe Cybersecurity SurveyAdobe
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
HSN Risk Assessment Report
HSN Risk Assessment ReportHSN Risk Assessment Report
HSN Risk Assessment ReportBelinda Edwards
 
State of Security McAfee Study
State of Security McAfee StudyState of Security McAfee Study
State of Security McAfee StudyHiten Sethi
 
[Webinar] Supercharging Security with Behavioral Analytics
[Webinar] Supercharging Security with Behavioral Analytics[Webinar] Supercharging Security with Behavioral Analytics
[Webinar] Supercharging Security with Behavioral AnalyticsInterset
 

What's hot (20)

Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & Practices
 
vision 2020 testimony
vision 2020 testimonyvision 2020 testimony
vision 2020 testimony
 
Etude PwC sécurité de l’information et protection des données (2014)
Etude PwC sécurité de l’information et protection des données (2014)Etude PwC sécurité de l’information et protection des données (2014)
Etude PwC sécurité de l’information et protection des données (2014)
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
 
Priming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraPriming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive era
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey  SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey
 
Cybersecurity report-vol-8
Cybersecurity report-vol-8Cybersecurity report-vol-8
Cybersecurity report-vol-8
 
Sécurité Mobile : Votre Entreprise est-elle préparée pour 2020?
Sécurité Mobile : Votre Entreprise est-elle préparée pour 2020?Sécurité Mobile : Votre Entreprise est-elle préparée pour 2020?
Sécurité Mobile : Votre Entreprise est-elle préparée pour 2020?
 
2015 IA survey - Protiviti
2015 IA survey - Protiviti2015 IA survey - Protiviti
2015 IA survey - Protiviti
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
 
IYeste - Nova - ISEC695 - Final
IYeste - Nova - ISEC695 - FinalIYeste - Nova - ISEC695 - Final
IYeste - Nova - ISEC695 - Final
 
when minutes counts
when minutes countswhen minutes counts
when minutes counts
 
Trends in Information Security
Trends in Information SecurityTrends in Information Security
Trends in Information Security
 
2018 Adobe Cybersecurity Survey
2018 Adobe Cybersecurity Survey2018 Adobe Cybersecurity Survey
2018 Adobe Cybersecurity Survey
 
2016 Top Security Threats
2016 Top Security Threats2016 Top Security Threats
2016 Top Security Threats
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
HSN Risk Assessment Report
HSN Risk Assessment ReportHSN Risk Assessment Report
HSN Risk Assessment Report
 
State of Security McAfee Study
State of Security McAfee StudyState of Security McAfee Study
State of Security McAfee Study
 
[Webinar] Supercharging Security with Behavioral Analytics
[Webinar] Supercharging Security with Behavioral Analytics[Webinar] Supercharging Security with Behavioral Analytics
[Webinar] Supercharging Security with Behavioral Analytics
 

Similar to The state of incident response

2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summarypatmisasi
 
Please read the instructions and source that provided, then decide.docx
Please read the instructions and source that provided, then decide.docxPlease read the instructions and source that provided, then decide.docx
Please read the instructions and source that provided, then decide.docxLeilaniPoolsy
 
2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summarypatmisasi
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyScalar Decisions
 
2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for InsuranceAccenture Insurance
 
BUSINESS IMPACT ANALYSIS For the project work, we .docx
BUSINESS IMPACT ANALYSIS             For the project work, we .docxBUSINESS IMPACT ANALYSIS             For the project work, we .docx
BUSINESS IMPACT ANALYSIS For the project work, we .docxfelicidaddinwoodie
 
Survey: Security Analytics and Intelligence
Survey: Security Analytics and IntelligenceSurvey: Security Analytics and Intelligence
Survey: Security Analytics and IntelligenceSolarWinds
 
The Critical Incident Response Maturity Journey
The Critical Incident Response Maturity JourneyThe Critical Incident Response Maturity Journey
The Critical Incident Response Maturity JourneyEMC
 
Security Incident Response Readiness Survey
Security Incident Response Readiness Survey  Security Incident Response Readiness Survey
Security Incident Response Readiness Survey Rahul Neel Mani
 
Ponemon Institute Data Breaches and Sensitive Data Risk
Ponemon Institute Data Breaches and Sensitive Data RiskPonemon Institute Data Breaches and Sensitive Data Risk
Ponemon Institute Data Breaches and Sensitive Data RiskFiona Lew
 
SANS 2013 Critical Security Controls Survey Moving From A.docx
SANS 2013 Critical Security Controls Survey Moving From A.docxSANS 2013 Critical Security Controls Survey Moving From A.docx
SANS 2013 Critical Security Controls Survey Moving From A.docxanhlodge
 
Insuring your future: Cybersecurity and the insurance industry
Insuring your future: Cybersecurity and the insurance industryInsuring your future: Cybersecurity and the insurance industry
Insuring your future: Cybersecurity and the insurance industryAccenture Insurance
 
2023 - IBM Cost of a Data Breach Report.pdf
2023 - IBM Cost of a Data Breach Report.pdf2023 - IBM Cost of a Data Breach Report.pdf
2023 - IBM Cost of a Data Breach Report.pdfErickaDiaz24
 
The State of IT Security for 2019
The State of IT Security for 2019The State of IT Security for 2019
The State of IT Security for 2019Precisely
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksConstantin Cocioaba
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveyEdgar Alejandro Villegas
 

Similar to The state of incident response (20)

2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary
 
Please read the instructions and source that provided, then decide.docx
Please read the instructions and source that provided, then decide.docxPlease read the instructions and source that provided, then decide.docx
Please read the instructions and source that provided, then decide.docx
 
2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security Study
 
Ics white paper report 2017
Ics white paper report 2017Ics white paper report 2017
Ics white paper report 2017
 
2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance
 
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
 
BUSINESS IMPACT ANALYSIS For the project work, we .docx
BUSINESS IMPACT ANALYSIS             For the project work, we .docxBUSINESS IMPACT ANALYSIS             For the project work, we .docx
BUSINESS IMPACT ANALYSIS For the project work, we .docx
 
IT Security Risks Survey 2014
IT Security Risks Survey 2014IT Security Risks Survey 2014
IT Security Risks Survey 2014
 
Survey: Security Analytics and Intelligence
Survey: Security Analytics and IntelligenceSurvey: Security Analytics and Intelligence
Survey: Security Analytics and Intelligence
 
The Critical Incident Response Maturity Journey
The Critical Incident Response Maturity JourneyThe Critical Incident Response Maturity Journey
The Critical Incident Response Maturity Journey
 
Security Incident Response Readiness Survey
Security Incident Response Readiness Survey  Security Incident Response Readiness Survey
Security Incident Response Readiness Survey
 
Ponemon Institute Data Breaches and Sensitive Data Risk
Ponemon Institute Data Breaches and Sensitive Data RiskPonemon Institute Data Breaches and Sensitive Data Risk
Ponemon Institute Data Breaches and Sensitive Data Risk
 
SANS 2013 Critical Security Controls Survey Moving From A.docx
SANS 2013 Critical Security Controls Survey Moving From A.docxSANS 2013 Critical Security Controls Survey Moving From A.docx
SANS 2013 Critical Security Controls Survey Moving From A.docx
 
Insuring your future: Cybersecurity and the insurance industry
Insuring your future: Cybersecurity and the insurance industryInsuring your future: Cybersecurity and the insurance industry
Insuring your future: Cybersecurity and the insurance industry
 
2023 - IBM Cost of a Data Breach Report.pdf
2023 - IBM Cost of a Data Breach Report.pdf2023 - IBM Cost of a Data Breach Report.pdf
2023 - IBM Cost of a Data Breach Report.pdf
 
The State of IT Security for 2019
The State of IT Security for 2019The State of IT Security for 2019
The State of IT Security for 2019
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security Risks
 
2010 GISS EY
2010 GISS EY2010 GISS EY
2010 GISS EY
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls Survey
 

More from Abhishek Sood

The future of enterprise management
The future of enterprise management The future of enterprise management
The future of enterprise management Abhishek Sood
 
Gain new visibility in your DevOps team
 Gain new visibility in your DevOps team Gain new visibility in your DevOps team
Gain new visibility in your DevOps teamAbhishek Sood
 
Cybersecurity the new metrics
Cybersecurity the new metricsCybersecurity the new metrics
Cybersecurity the new metricsAbhishek Sood
 
Azure IaaS: Cost savings, new revenue opportunities, and business benefits
Azure IaaS: Cost savings, new revenue opportunities, and business benefits Azure IaaS: Cost savings, new revenue opportunities, and business benefits
Azure IaaS: Cost savings, new revenue opportunities, and business benefits Abhishek Sood
 
3-part approach to turning IoT data into business power
 3-part approach to turning IoT data into business power 3-part approach to turning IoT data into business power
3-part approach to turning IoT data into business powerAbhishek Sood
 
How a bad HR dept. can lose $9M
 How a bad HR dept. can lose $9M How a bad HR dept. can lose $9M
How a bad HR dept. can lose $9MAbhishek Sood
 
Big news coming for DevOps: What you need to know
 Big news coming for DevOps: What you need to know Big news coming for DevOps: What you need to know
Big news coming for DevOps: What you need to knowAbhishek Sood
 
Microservices best practices: Integration platforms, APIs, and more
 Microservices best practices: Integration platforms, APIs, and more Microservices best practices: Integration platforms, APIs, and more
Microservices best practices: Integration platforms, APIs, and moreAbhishek Sood
 
How to measure your cybersecurity performance
How to measure your cybersecurity performanceHow to measure your cybersecurity performance
How to measure your cybersecurity performanceAbhishek Sood
 
Why adopt more than one cloud service?
 Why adopt more than one cloud service? Why adopt more than one cloud service?
Why adopt more than one cloud service?Abhishek Sood
 
Cloud Application Security --Symantec
 Cloud Application Security --Symantec Cloud Application Security --Symantec
Cloud Application Security --SymantecAbhishek Sood
 
How to integrate risk into your compliance-only approach
 How to integrate risk into your compliance-only approach How to integrate risk into your compliance-only approach
How to integrate risk into your compliance-only approachAbhishek Sood
 
DLP 101: Help identify and plug information leaks
 DLP 101: Help identify and plug information leaks DLP 101: Help identify and plug information leaks
DLP 101: Help identify and plug information leaksAbhishek Sood
 
IoT: 3 keys to handling the oncoming barrage of use cases
 IoT: 3 keys to handling the oncoming barrage of use cases IoT: 3 keys to handling the oncoming barrage of use cases
IoT: 3 keys to handling the oncoming barrage of use casesAbhishek Sood
 
How 3 trends are shaping analytics and data management
How 3 trends are shaping analytics and data management How 3 trends are shaping analytics and data management
How 3 trends are shaping analytics and data management Abhishek Sood
 
API-led connectivity: How to leverage reusable microservices
 API-led connectivity: How to leverage reusable microservices API-led connectivity: How to leverage reusable microservices
API-led connectivity: How to leverage reusable microservicesAbhishek Sood
 
How to create a secure high performance storage and compute infrastructure
 How to create a secure high performance storage and compute infrastructure How to create a secure high performance storage and compute infrastructure
How to create a secure high performance storage and compute infrastructureAbhishek Sood
 
Enterprise software usability and digital transformation
Enterprise software usability and digital transformationEnterprise software usability and digital transformation
Enterprise software usability and digital transformationAbhishek Sood
 
Transforming for digital customers across 6 key industries
 Transforming for digital customers across 6 key industries Transforming for digital customers across 6 key industries
Transforming for digital customers across 6 key industriesAbhishek Sood
 
Authentication best practices: Experts weigh in
Authentication best practices: Experts weigh inAuthentication best practices: Experts weigh in
Authentication best practices: Experts weigh inAbhishek Sood
 

More from Abhishek Sood (20)

The future of enterprise management
The future of enterprise management The future of enterprise management
The future of enterprise management
 
Gain new visibility in your DevOps team
 Gain new visibility in your DevOps team Gain new visibility in your DevOps team
Gain new visibility in your DevOps team
 
Cybersecurity the new metrics
Cybersecurity the new metricsCybersecurity the new metrics
Cybersecurity the new metrics
 
Azure IaaS: Cost savings, new revenue opportunities, and business benefits
Azure IaaS: Cost savings, new revenue opportunities, and business benefits Azure IaaS: Cost savings, new revenue opportunities, and business benefits
Azure IaaS: Cost savings, new revenue opportunities, and business benefits
 
3-part approach to turning IoT data into business power
 3-part approach to turning IoT data into business power 3-part approach to turning IoT data into business power
3-part approach to turning IoT data into business power
 
How a bad HR dept. can lose $9M
 How a bad HR dept. can lose $9M How a bad HR dept. can lose $9M
How a bad HR dept. can lose $9M
 
Big news coming for DevOps: What you need to know
 Big news coming for DevOps: What you need to know Big news coming for DevOps: What you need to know
Big news coming for DevOps: What you need to know
 
Microservices best practices: Integration platforms, APIs, and more
 Microservices best practices: Integration platforms, APIs, and more Microservices best practices: Integration platforms, APIs, and more
Microservices best practices: Integration platforms, APIs, and more
 
How to measure your cybersecurity performance
How to measure your cybersecurity performanceHow to measure your cybersecurity performance
How to measure your cybersecurity performance
 
Why adopt more than one cloud service?
 Why adopt more than one cloud service? Why adopt more than one cloud service?
Why adopt more than one cloud service?
 
Cloud Application Security --Symantec
 Cloud Application Security --Symantec Cloud Application Security --Symantec
Cloud Application Security --Symantec
 
How to integrate risk into your compliance-only approach
 How to integrate risk into your compliance-only approach How to integrate risk into your compliance-only approach
How to integrate risk into your compliance-only approach
 
DLP 101: Help identify and plug information leaks
 DLP 101: Help identify and plug information leaks DLP 101: Help identify and plug information leaks
DLP 101: Help identify and plug information leaks
 
IoT: 3 keys to handling the oncoming barrage of use cases
 IoT: 3 keys to handling the oncoming barrage of use cases IoT: 3 keys to handling the oncoming barrage of use cases
IoT: 3 keys to handling the oncoming barrage of use cases
 
How 3 trends are shaping analytics and data management
How 3 trends are shaping analytics and data management How 3 trends are shaping analytics and data management
How 3 trends are shaping analytics and data management
 
API-led connectivity: How to leverage reusable microservices
 API-led connectivity: How to leverage reusable microservices API-led connectivity: How to leverage reusable microservices
API-led connectivity: How to leverage reusable microservices
 
How to create a secure high performance storage and compute infrastructure
 How to create a secure high performance storage and compute infrastructure How to create a secure high performance storage and compute infrastructure
How to create a secure high performance storage and compute infrastructure
 
Enterprise software usability and digital transformation
Enterprise software usability and digital transformationEnterprise software usability and digital transformation
Enterprise software usability and digital transformation
 
Transforming for digital customers across 6 key industries
 Transforming for digital customers across 6 key industries Transforming for digital customers across 6 key industries
Transforming for digital customers across 6 key industries
 
Authentication best practices: Experts weigh in
Authentication best practices: Experts weigh inAuthentication best practices: Experts weigh in
Authentication best practices: Experts weigh in
 

Recently uploaded

Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Patrick Viafore
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Julian Hyde
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfFIDO Alliance
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...CzechDreamin
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1DianaGray10
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxJennifer Lim
 
Buy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxBuy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxEasyPrinterHelp
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfFIDO Alliance
 
The UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoThe UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoUXDXConf
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsUXDXConf
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2DianaGray10
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...FIDO Alliance
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCzechDreamin
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoTAnalytics
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FIDO Alliance
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureFemke de Vroome
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon
 

Recently uploaded (20)

Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Buy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxBuy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptx
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
The UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoThe UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, Ocado
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering Teams
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 

The state of incident response

  • 1. Research Insights Paper Status Quo Creates Security Risk: The State of Incident Response By Jon Oltsik, Senior Principal Analyst February 2016 This ESG Research Insights Paper was commissioned by ServiceNow and is distributed under license from ESG. © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
  • 2. Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 2 © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved. Contents Executive Summary ......................................................................................................................................3 Situational Analysis of Incident Response....................................................................................................4 IR Issues and Challenges...............................................................................................................................6 IR Efficiency Needs Improvement ..............................................................................................................11 Next Steps...................................................................................................................................................14 The Bigger Truth .........................................................................................................................................16 All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.
  • 3. Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 3 © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved. Executive Summary In late 2015 and early 2016, the Enterprise Strategy Group (ESG) conducted a research survey of 184 IT and cybersecurity professionals with knowledge of, responsibility for, or day-to-day operational oversight of incident response processes and technologies at their organizations. Survey respondents were also required to spend at least 25% of their time on incident response processes and technologies on a daily basis. Survey respondents were located in North America and came from organizations ranging in size: 19% of survey respondents worked at organizations with 1,000 to 4,999 employees, 36% worked at organizations with 5,000 to 9,999 employees, 21% worked at organizations with 10,000 to 19,999 employees, and 24% worked at organizations with 20,000 or more employees. Respondents represented numerous industry and government segments with the largest participation coming from the manufacturing industry (18%), business services (16%), financial services (15%), information technology (11%), and retail/wholesale (11%). This research project was undertaken in order to evaluate the current practices and challenges associated with incident response processes and technologies. Respondents were also asked to provide details on their organizations’ future strategic plans intended for improving the efficacy and efficiency of IR activities. Based upon the data collected as part of this project, this paper concludes:  Incident response depends upon strong collaboration between cybersecurity and IT operations teams. When asked to identify the most important factors for incident response excellence, 31% of survey respondents pointed to security and IT tools integration while 24% said strong collaboration between cybersecurity and IT operations teams. Furthermore, 70% of organizations say the incident response processes are tightly aligned with IT operations frameworks and guidelines like COBIT, ITIL, and NIST. When it comes to incident response quality, cybersecurity professionals believe there must be a clear symbiotic relationship between cybersecurity and IT teams.  Many organizations identify organizational challenges. While survey respondents were quick to point to the need for cybersecurity and IT collaboration, many say that their organizations have challenges in these areas. One-third (33%) of organizations say they are challenged in coordinating IR activities between cybersecurity and IT operations teams, while 30% claim that they find monitoring incident response processes from end-to-end (i.e., through detection, investigations, ticketing, and response) especially challenging.  IR is fraught with manual processes. When asked if their organization’s incident response efficiency and effectiveness is limited by the time and effort required for manual processes, 93% of the cybersecurity professionals surveyed responded, “yes.” This is a real problem since 22% of organizations find it challenging to keep up with the volume of security alerts. As security alert volume inevitably increases over time, manual process bottlenecks will greatly impact large organizations’ abilities to scale IR processes.  CISOs are adopting IR automation and orchestration to address current problems. Over 90% of organizations are doing technical integration or deploying new technologies intended to help them automate and orchestrate IR processes. Survey respondents say that their organizations are embracing IR automation and orchestration to improve detection/response times, improve collaboration between cybersecurity and IT teams, and allow them to automate simple remediation tasks.  Enterprises have aggressive IR plans. A vast majority (88%) of organizations plan to increase spending on incident response over the next two years. In addition to budget growth, 47% of organizations plan to improve the alignment of incident response and IT governance processes, 42% want to consolidate incident response personnel and tools into a common location, 39% plan to create a formal CERT, and 34% intend to provide more IR training to cybersecurity and IT operations teams.
  • 4. Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 4 © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved. Situational Analysis of Incident Response For the purposes of this research project, incident response was defined as follows: An organized approach to addressing and managing the reaction to a discovered risk (i.e., threat or vulnerability), security breach or cyber-attack. The goal of incident response is to quickly detect and remediate all aspects of any type of security incident in a way that limits damage, reduces recovery time, and minimizes costs. Based upon this definition, survey respondents were asked to identify the most important factors that lead to incident response excellence (see Figure 1). Cybersecurity professionals point to many things including:  Security and IT tool integration. Nearly one-third (31%) of cybersecurity professionals recognize the holistic nature of incident response that spans across infosec and IT operations teams. Therefore, survey respondents believe that IR excellence must be anchored by strong interoperability and a common view across all cybersecurity and ITSM technology components. Security and IT tool integration can allow cybersecurity and IT operations to work together seamlessly to detect and respond to security events in an efficient manner.  The ability to know whether a security incident impacts a critical system. All security incidents are not created equally. Some can impact a low-priority user PC while others take aim at business-critical applications and databases. More than one-fourth (28%) of cybersecurity professionals believe that true IR excellence must be based upon the ability to distinguish between pedestrian events and those that could disrupt business operations or seek to steal sensitive intellectual property (IP), leading to a devastating data breach.  Strong collaboration between the incident response and IT operations teams. Aside from technology integration alone, 24% of survey respondents claim that IR excellence depends upon strong collaboration between incident response and IT operations teams. When security analysts identify an issue on IT ticketing systems, they need the IT operations team to work in concert with them to prioritize the event, quarantine systems, and take immediate remediation actions. On a similar train of thought, 18% of cybersecurity professionals believe that IR excellence includes the ability to quickly classify and prioritize security incidents. This is certainly associated with technology integration and cooperative processes.
  • 5. Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 5 © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved. Figure 1. Important Factors for Incident Response Excellence Source: Enterprise Strategy Group, 2016. Since IR excellence depends upon a foundation of close collaboration between cybersecurity and IT operations, it is no surprise that 70% of organizations say that incident response is tightly aligned with IT governance frameworks and guidelines (see Figure 2). This may be a positive sign for incident response. Many enterprise organizations have years of experience and millions of dollars invested in IT operations frameworks like COBIT, ISO 20000, ITIL, and the Microsoft Operations Framework (MOF) in order to systematize IT processes like configuration management, change management, and service management. Alternatively, incident response is often managed more informally by key individuals using their own methodologies. ESG believes that tight integration could force IR processes to adhere to the discipline and rigor applied to IT service management. This could then lead to improvements in IR productivity, efficacy, and efficiency. 9% 10% 12% 13% 14% 15% 16% 17% 17% 18% 18% 24% 25% 26% 28% 31% Open source tools A documented formal incident response processes that is followed by the organization and regularly tested The ability to enrich individual events with other internal/external data Implementing defined IR processes inside a workflow / ticketing tool” External threat intelligence feeds that identify “in-the- wild’ malicious activities Continuous monitoring of device, network, and user behavior Security analysts’ skills and experience Well-tuned threat detection tools Anomaly detection technologies The ability to quickly classify and prioritize critical incidents Incident response participation by non-IT groups such as executive management, legal, HR, PR, etc. Strong collaboration and cooperation between the incident response team and IT operations teams SIEM tools that collect and correlate logs and events Security tool integration The ability to understand whether a security incident impacts a critical IT asset Security and IT tool integration In your opinion, which of the following factors are most important for incident response excellence? (Percent of respondents, N=184, three responses accepted)
  • 6. Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 6 © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved. Figure 2. Alignment Between Cybersecurity and IT Frameworks and Guidelines Source: Enterprise Strategy Group, 2016. IR Issues and Challenges Cybersecurity professionals believe that technology integration, collaboration between cybersecurity and IT operations, and tight alignment between cybersecurity and IT operations frameworks are important components for their incident response performance. Unfortunately, security professionals admit to one or several problems in these and other IR areas. For example (see Figure 3):  Seventy-two percent of survey respondents “strongly agree” or “agree” that IR processes tend to be informal and reliant on things like spreadsheets, open source tools, and the knowledge and experience of individuals. Additionally, 75% believe that IR processes can be disrupted if key individuals are unavailable. So in spite of the fact that organizations tightly integrate cybersecurity processes with IT operations frameworks and guidelines, IR remains somewhat undisciplined and haphazard. The impact of these issues tends to increase as the volume of systems on the network, network traffic, and security alerts escalate.  Sixty-nine percent of survey respondents “strongly agree” or “agree” that it can be difficult to enrich data to get a more holistic understanding of security alerts and/or cyber-attacks. In incident response, data enrichment means combining data sources for a more complete picture. For example, a security analyst might want to enrich data from a network anti-malware sandbox with data from endpoint forensics tools, threat intelligence feeds, and IT asset data from a CMDB. This can be difficult as it is often based on a series of manual and time-consuming processes. This is not only inefficient but also adds to the dwell time for cyber-attacks.  Sixty-one percent of survey respondents “strongly agree” or “agree” that there is some friction between the information security and IT operations teams at their organizations. Based upon the data presented previously in this paper, cybersecurity professionals clearly believe that IR process quality depends upon Tightly aligned - My organization’s cybersecurity policies and processes are based upon the stipulations and recommendations of one or several IT frameworks/guidelines, 70% Somewhat aligned - My organization’s cybersecurity policies and processes are based upon some but not all of the stipulations and recommendations of one or several IT frameworks/guidelines, 29% Not very aligned - My organization takes the stipulations and recommendations of one or several IT frameworks/guideline s into consideration but they are not an essential part of our cybersecurity policies and processes, 1% You indicated that your organization uses one or several IT governance frameworks/guidelines. In your opinion, how closely aligned are your organization’s cybersecurity policies and processes with policies and processes stipulated in these IT frameworks/guidelines? (Percent of respondents, N=182)
  • 7. Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 7 © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved. sound communications and collaboration between cybersecurity and IT operations teams. Unfortunately, these relationships can be strained—61% agree that friction exists between these groups. This friction is often experienced during the handoff for system remediation from SOC teams to IT operations, elongating timeframes, increasing dwell time for malware, and increasing IT risk. This may be why 62% of survey respondents agree that incident response processes often take longer than they should. It is also worth noting that 63% of survey respondents agree with the statement, “Incident response has become more difficult over the past two years.” Rather than improving, it is safe to assume then that many of these issues continue to get worse over time.
  • 8. Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 8 © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved. Figure 3. Cybersecurity Professionals’ Opinions on Incident Response at Their Organizations Source: Enterprise Strategy Group, 2016. 27% 29% 29% 29% 30% 30% 31% 31% 32% 32% 42% 42% 33% 34% 34% 42% 49% 41% 44% 29% 33% 44% 16% 19% 18% 17% 10% 14% 15% 16% 17% 15% 10% 9% 15% 15% 14% 14% 3% 10% 8% 11% 11% 3% 6% 4% 3% 6% 4% 3% 3% 1% 11% 9% 1% 0% 20% 40% 60% 80% 100% It can be difficult to enrich incident data to get a more holistic understanding of security events and/or cyber- attacks Once incident response remediation is handed off to the IT team, it can be difficult to monitor progress Incident response has become more difficult over the past two years It can be difficult to assess the overall security posture of my organization Incident response processes often take longer than they should Our incident response process would benefit from additional access to IT data, but relationship and/or tool issues make this challenging My organization’s incident response processes tend to be informal and rely on things like spreadsheets, open source tools, and the knowledge and experience of individuals My organization’s incident response processes can be disrupted or take additional time if key individuals are not available There is friction in the relationship between the IT and information security teams at my organization My organization’s incident response metrics are somewhat informal and vague Monitoring incident response relies on a number of tools and data repositories Please indicate whether you agree or disagree with each of the following statements. (Percent of respondents, N=184) Strongly agree Agree Neither agree nor disagree Disagree Strongly disagree
  • 9. Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 9 © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved. ESG also asked cybersecurity professionals to identify specific incident response challenges at their organizations. Survey respondents pointed to numerous problems such as (see Figure 4):  Coordinating IR activities between cybersecurity and IT teams. This topped the list once again as one- third of survey respondents’ view this as a challenge.  Monitoring IR processes from end-to-end. Thirty percent of survey respondents find it challenging to monitor end-to-end IR processes—from detection, through security investigations, to remediation and problem closure. This is likely due to the lack of cybersecurity and IT operations tools integration as well as friction between these two groups.  Maintaining the right IR skills. Many aspects of IR require experienced security analysts who can conduct forensic investigations, dissect malware, or fine-tune security controls to prevent sophisticated attacks, which is why 28% of organizations are challenged with maintaining the right IR skills. Unfortunately these skills are in short supply. According to other ESG research, 46% of organizations claim to have a “problematic shortage” of cybersecurity skills and 87% believe it is difficult to recruit and hire cybersecurity talent.1 To maintain the right incident response skills, CISOs must hire and train junior security analysts and invest in advanced training to keep senior SOC staff up to speed. This process requires time, money, and constant diligence.  Knowing when to get other groups involved. The ESG data indicates that 26% or respondents have trouble knowing how and when to get groups like business managers, legal, and HR involved with IR processes. This should be expected given that IR processes are often informal in nature but this issue can lead to real problems. When the CERT discovers a data breach that resulted in the exfiltration of medical records and customer data, organizational reputation, share price, and legal protection can depend upon the execution of a well-tested plan that includes actions like alerting customers, working with law enforcement, and communicating with the press. Clearly, these are NOT cybersecurity or IT operations tasks but they are indeed essential to incident response.  Keeping up with security alerts. Twenty-two percent of enterprises find it challenging to keep up with the volume of security alerts they receive on a daily basis. Since this volume is only increasing, this should be especially concerning to CISOs. Finally, recall that 31% of cybersecurity professionals indicated that cybersecurity and IT operations tool integration is a key factor for incident response excellence. Sadly, more than one-fourth (26%) report issues around technology integration of various security technologies and controls. 1 Source: ESG Brief: Cybersecurity Skills Shortage: A State of Emergency, February 2016.
  • 10. Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 10 © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved. Figure 4. Incident Response Challenges Source: Enterprise Strategy Group, 2016. 4% 16% 18% 18% 21% 22% 22% 23% 23% 23% 24% 24% 25% 26% 26% 28% 28% 30% 33% We have not experienced any challenges Normalizing all data needed for incident response Incident response depends upon too many manual processes Incident response depends upon too many security tools Security investigations take too much time to execute Keeping up with the volume of security alerts Keeping up with the volume of external threat intelligence Incident response processes are too informal and really depend upon the skills and techniques of a few key employees Incident response is based upon too many tedious, repetitive and time-consuming tasks My organization doesn’t have an adequately sized security staff necessary to keep up with incident response Security tools used for incident response are not well integrated Recording and tracking incidents throughout their lifecycle from creation to close There is a significant skills gap between junior and senior incident responders that forces senior incident responders to do most of the work Issues around technology integration of various security tools and controls Knowing how and when to get groups like business managers, legal, and HR involved in incident response processes Keeping up with software vulnerabilities and subsequent patch management activities Maintaining the right skills needed for incident response Monitoring incident response processes from end-to-end to ensure that all incidents are adequately addressed and closed Coordinating incident response activities between the cybersecurity and IT team In your opinion, what are the biggest incident response challenges at your organization? (Percent of respondents, N=184, multiple responses accepted)
  • 11. Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 11 © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved. Aside from the challenges described above, cybersecurity professionals also admit that manual processes get in the way of IR efficiency and effectiveness (see Figure 5). This alone creates an alarming scenario for the future as manual processes can’t possibly keep up with the growing volume of security alerts or help CISOs improve collaboration between cybersecurity and IT operations teams. Figure 5. Manual Incident Response Processes Hinder Efficiency and Effectiveness Source: Enterprise Strategy Group, 2016. IR Efficiency Needs Improvement The ESG data reveals that incident response processes are frequently characterized by manual processes, a lack of technology integration, and friction between SOC and IT operations teams. Concerned CISOs realize that they need to address these issues as soon as possible in order to accelerate and improve IR efficiency while optimizing the productivity of their personnel. Given the global cybersecurity skills shortage, many security executives have come to understand that the best way forward is to formalize, automate, and orchestrate IR processes. Many organizations are doing exactly this—45% of organizations are automating and orchestrating IR processes extensively while another 47% are doing so somewhat (see Figure 6). Yes, significantly, 52% Yes, somewhat, 41% No, 7% Don’t know, 1% Do you believe that your organization’s incident response efficiency and effectiveness are limited by the time and effort required for manual processes? (Percent of respondents, N=184)
  • 12. Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 12 © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved. Figure 6. Enterprise Organizations Are Moving Toward IR Automation and Orchestration Source: Enterprise Strategy Group, 2016. Why do so many organizations want to automate and orchestrate their IR processes? Cybersecurity professionals cite several reasons including the following (see Figure 7):  Forty-five percent want to use IR automation and orchestration to improve collaboration between cybersecurity and IT operations groups. In this case, automation/orchestration can add structure to cross- group communications and help alleviate process bottlenecks when remediation tasks are handed off from security analysts to IT operations teams.  Thirty-eight percent believe that IR automation/orchestration can help them improve efficiency of IT operations tasks like updating antivirus signatures or installing software patches. Enterprises have no shortage of these types of day-to-day tasks with countless manual steps involved. Automation/ orchestration can help them save time, improve the time it takes for end-to-end workflows, and bolster productivity.  Thirty-seven percent want to use IR automation/orchestration to help them prioritize incidents. In other words, IR automation and orchestration can help them deal with security alert volume, enrich data Yes, extensively (i.e., technical steps used for incident response process automation are being used extensively in a production environment today and there are ongoing plans to continue this effort), 45% Yes, somewhat (i.e., technical steps used for incident response process automation are starting to be used in a production environment today and there are ongoing plans to continue this effort), 47% No, but we plan to perform technical integration, and/or deploy new technologies intended to help automate and orchestrate incident response processes within the next 12 to 24 months, 5% No, but we are interested in performing technical integration, and/or deploying new technologies intended to help automate and orchestrate incident response processes within the next 12 to 24 months, 1% No and we have no plans or interest in performing technical integration, and/or deploying new technologies intended to help automate and orchestrate incident response processes at this time, 1% Don’t know, 1% Has your organization done any technical integration and/or deployed any new technologies intended to help automate and orchestrate incident response processes? (Percent of respondents, N=184)
  • 13. Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 13 © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved. elements, and make decisions on which security incidents need immediate attention and which get a lower ranking.  Thirty-six percent want to use IR automation and orchestration to help them decrease the number of hours needed for incident response processes. CISOs clearly realize that the combination of increasing security alerts and a global cybersecurity skills shortage puts them in a difficult position. They see IR automation/ orchestration as their best hope for increasing productivity in order to keep up. Figure 7. Why Organizations Are Automating and Orchestrating Incident Response Processes Source: Enterprise Strategy Group, 2016. As far as automation and orchestration priorities, 59% want to start by streamlining incident response operations with the goal of making the IR staff more effective and efficient (see Figure 8). In other words, CISOs believe they need to start by improving collaboration between CERTs and IT operations and making IR processes more like the formal methodologies they employ using IT operations frameworks like COBIT, ISO, ITIL, and NIST. 36% 36% 36% 37% 37% 38% 38% 45% 48% Allow us to automate repetitive and time-consuming tasks Decrease the number of hours required for incident response processes Increase the number of security alerts we can follow up on Automation/orchestration can help us prioritize incidents Automation/orchestration can help us collect, process, and enrich security data in a more efficient manner Automation/orchestration can help us improve the efficiency of IT operations tasks like updating antivirus signatures or installing software patches Allow us to automate simple remediation actions Improve collaboration between cybersecurity and IT operations groups Improve our ability to detect and respond to incidents in a timely manner You indicated that your organization has taken actions to automate and/or orchestrate incident response processes or is planning to do so or interested in doing so in the future. Why has or will your organization do this? (Percent of respondents, N=182, multiple responses accepted)
  • 14. Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 14 © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved. Figure 8. Incident Response Automation and Orchestration Priorities Source: Enterprise Strategy Group, 2016. Next Steps Over the next two years, 46% of organizations say that incident response spending will increase significantly while 42% claim that IR spending will increase somewhat during this timeframe. This indicates that most enterprise CISOs believe they need to invest in people, processes, and technologies to improve IR efficacy, efficiency, and productivity. In addition to budget increases, cybersecurity professionals described a number of actions their organizations will take as part of their incident response strategy in the future, including (see Figure 9):  Forty-seven percent plan to improve the alignment of incident response and IT governance processes. Recall that 70% of organizations say that their cybersecurity processes are tightly aligned with IT operations frameworks and guidelines. While this represents a majority, it appears that CISOs and CIOs want to make these relationships even tighter with a likely goal of improving cross-organizational collaboration, formalizing IR processes, and defining the right metrics to track for continuous improvement. This objective is further evidenced by the fact that 42% of organizations want to develop formal and documented IR processes.  Forty-two percent plan to consolidate existing IR personnel and technologies into a common location as a means for improving communication and collaboration related to incident response processes and operations. Note that 39% want to create a CERT as well. In both cases, organizations want to build more structured incident response teams to address many of their current organizational challenges.  Thirty-four percent plan to provide IR training to cybersecurity and IT operations staff. This effort is meant to keep up to date with IR skills and get the IT operations staff more involved with end-to-end IR processes. ESG sees this as complementary to improving the alignment of IR processes with IT governance. Streamlining incident response operations with the goal of making the IR staff more efficient and effective, 59% Automating incident response remediation tasks, 39% Don’t know, 2% In your opinion, which is the higher priority for incident response automation/orchestration at your organization? (Percent of respondents, N=184)
  • 15. Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 15 © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved. Figure 9. Strategic Cybersecurity Plans for Incident Response Source: Enterprise Strategy Group, 2016. 1% 24% 24% 30% 33% 34% 34% 39% 39% 42% 47% None of the above Outsource aspects of incident response to third-party managed security service providers Outsource all incident response processes and responsibilities to third-party managed security service providers Develop a formal documented incident response process Work with professional services organizations to develop formal incident response processes Test our incident response processes more often Provide incident response training for cybersecurity and IT operations staff Create a new cybersecurity group that acts as a Computer Emergency Response Team (CERT) and is given responsibility/oversight for all incident response processes and operations Hire more incident response personnel Consolidate existing incident response personnel and technologies into a common location as a means for improving communication and collaboration on incident response processes and operations Improve the alignment of incident response processes and IT governance processes As part of its cybersecurity strategy, will your organization take any of the following actions with regards to incident response over the next two years? (Percent of respondents, N=184, multiple responses accepted)
  • 16. Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 16 © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved. The Bigger Truth The ESG data presented in this research report is something of a paradox. Cybersecurity professionals understand that incident response depends upon technology integration, cross-organization collaboration, and the ability to detect and prioritize security incidents, yet these are the very areas where they struggle today. This means that as security alert volume increases, enterprises will find themselves falling further behind, increasing cyber-attack dwell time and IT risk. Enterprises seem to comprehend the seriousness of this situation as many organizations are increasing IR budgets, training personnel, and collocating IR tools and personnel to create a dedicated CERT. In addition, the vast majority of organizations are also automating and orchestrating incident response processes today or are planning to do so in the near future. As organizations proceed with IR automation and orchestration, CISOs should study the progress made in IT service management over the last decade as there are many best practices and lessons learned that can be applied to cybersecurity as well. For example, CISOs should:  Focus efforts around high-value IT assets. IR process improvement should ultimately culminate on better visibility and accelerated response time toward high-value IT assets like critical servers, applications, and sensitive data. CISOs should enlist the help of CIOs and IT operations to find and specify these resources, identify all data sources used for monitoring and threat detection, establish hardened configuration, and create formal escalation processes across cybersecurity, IT, and the business at large. Everyone should know how to identify problems, roles and responsibilities, and next steps with centralized communication and workflows with all other constituencies as IR tasks proceed.  Map out IR processes from end-to-end. This involves assessing and documenting every IR task and step regardless of how miniscule each one seems. Once these processes are documented, it’s important for CISOs to pass these runbooks by several senior members of the cybersecurity team to see if anything has been missed. Additionally, CISOs should review documented IR processes with IT operations to identify where ITSM tools and methodologies can be added to help with incident detection or response. Armed with comprehensive and documented IR process maps, CISOs can then categorize where automation and orchestration can be applied to eliminate manual steps and deliver immediate value. These process maps can also be used to free up time for the security staff to work on high-priority needs.  Provide a common dashboard for cybersecurity and IT operations teams. One of the big issues identified in this research project was the lack of integration between cybersecurity and IT operations tools, so addressing this issue should be a high priority. In the short term, CISOs will want to align workflows to data sources and use product APIs for data access and exportation. This will give the SOC team the ability to pivot from one data point to another without the need to go through individual tools management systems. CISOs may opt to centralize IR process monitoring in the future by creating common reports and dashboards for viewing by CERT and IT operations teams as well. A common view can certainly help ameliorate today’s cross-organizational friction.  Define and track IR metrics. In the struggle to keep up with the volume of security alerts, many organizations aren’t doing enough to actually define and track IR metrics. Automation and orchestration can certainly help here. Since IR relies on a foundation of people and process, CISOs should start with key performance indicators focused on boosting productivity of the IR and IT operations staff, such as the number of incidents investigated by junior analysts, the number of investigators per analyst, response time for emergency actions, and response time for lower priority events. The goal should be overall effectiveness balanced against productivity. It is also important to establish internal service level metrics to set and track IR goals and objectives.  Make sure IR automation and orchestration support regulatory compliance and IT audits. Aside from IR alone, automation and orchestration should also be used for overall risk management—especially as it
  • 17. Research Insights Paper: Status Quo Creates Security Risks: The State of Incident Response 17 © 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved. relates to regulatory compliance. This can be as simple as automating data collection for day-to-day reporting and should also support automating post-incident response reporting.
  • 18. 20 Asylum Street | Milford, MA 01757 | Tel: 508.482.0188 Fax: 508.482.0218 | www.esg-global.com