According to the IT and security professionals surveyed in the study, commissioned by Intel Security (formerly McAfee), better detection tools, better analysis tools, and more training on how to deal with incident response issues are the top ways to improve the efficiency and effectiveness of the information security staff.
“When it comes to incident detection and response, time has an ominous correlation to potential damage,” said Jon Oltsik, Senior Principal Analyst at ESG. “The longer it takes an organisation to identify, investigate, and respond to a cyberattack, the more likely it is that their actions won’t be enough to preclude a costly breach of sensitive data. With this in mind, Chief Information Security Officers (CISOs) should remember that collecting and processing attack data is a means toward action -- improving threat detection and response effectiveness and efficiency.”
Nearly 80% of the people surveyed believe the lack of integration and communication between security tools creates bottlenecks and interferes with their ability to detect and respond to security threats. Real-time, comprehensive visibility is especially important for rapid response to targeted attacks, and 37% called for tighter integration between security intelligence and IT operations tools.
In addition, the top time-consuming tasks involved scoping and taking action to minimise the impact of an attack, activities that can be accelerated by integration of tools. These responses suggest that the very common patchwork architectures of dozens of individual security products have created numerous silos of tools, consoles, processes and reports that prove very time consuming to use. These architectures are creating ever greater volumes of attack data that drown out relevant indicators of attack.
Security professionals surveyed claim that real-time security visibility suffers from limited understanding of user behaviour and network, application, and host behaviour. While the top four types of data collected are network-related, and 30% collect user activity data, it’s clear that data capture isn’t sufficient. Users need more help to contextualise the data to understand what behaviour is worrisome. This gap may explain why nearly half (47%) of organisations said determining the impact or scope of a security incident was particularly time consuming.
Users understand they need help to evolve from simply collecting volumes of security event and threat intelligence data to more effectively making sense of the data and using it to detect and assess incidents. Fifty-eight percent said they need better detection tools, such as static and dynamic analysis tools with cloud-based intelligence to analyse files for intent. Fifty-three percent say they need better analysis tools for turning security data into actionable intelligence. One-third called for better tools to baseline normal system behaviour so teams can detect variances faster.
People who took the survey admitted to a lack of knowledge of the threat landscape and security investigation skills, suggesting that even better visibility through technical integration or analytical capabilities will be inadequate if incident response teams cannot make sense of the information they see. For instance, only 45% of respondents consider themselves very knowledgeable about malware obfuscation techniques, and 40% called for more training to improve cybersecurity knowledge and skills.
The volume of investigations and limited resources and skills contributed to a strong desire among respondents for help with incident detection and response. Forty-two percent reported that taking action to minimise the impact of an attack was one of their most time-consuming tasks. Twenty-seven percent would like better automated analytics from security intelligence tools to speed real-time comprehension, while 15% want automation of processes to free up staff for more important duties.
“Just as the medical profession must deliver heart-attack patients to the hospital within a ‘golden hour’ to maximise likelihood of survival, the security industry must work towards reducing the time it takes organisations to detect and deflect attacks, before damage is inflicted,” said Chris Young, General Manager at Intel Security. “This requires that we ask and answer tough questions on what is failing us, and evolve our thinking around how we do security.”
ESG believes that there is a hidden story within the Intel Security research that hints at best practices and lessons learned. This data strongly suggests that CISOs:
· Create a tightly-integrated enterprise security technology architecture
CISOs must replace individual security point tools with an integrated security architecture. This strategy works to improve the sharing of attack information and cross-enterprise visibility into user, endpoint, and network behaviour, not to mention more effective, coordinated responses.
· Anchor their cybersecurity strategy with strong analytics, moving from volume to value
Cybersecurity strategies must be based upon strong security analytics. This means collecting, processing, and analysing massive amounts of internal and external data. Internal data includes logs, flows, packets, endpoint forensics, static/dynamic malware analysis, organisational intelligence (i.e., user behaviour, business behaviour, etc.) while external data would cover threat intelligence and vulnerability notifications, among others.
· Automate incident detection and response whenever possible
Because organisations will always struggle to keep up with the most recent attack techniques, CISOs must commit to more automation such as advanced malware analytics, intelligent algorithms, machine learning, and the consumption of threat intelligence to compare internal behaviour with indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) used by cyber-adversaries.
· Commit to continuous cybersecurity education
CISOs should require ongoing cyber-education for their security teams, including an annual series of courses that provide individual professionals more depth of understanding of threats and best practices for efficient and effective incident response.
Click here to view the Intel Security report.
*Intel Security surveyed 700 IT and security professionals at mid-market (i.e. 500 to 999 employees) and enterprise (i.e. more than 1,000 employees) organisations located in Asia, North America, EMEA and South America. Respondents came from numerous industries with the largest respondent populations coming from information technology (19%), manufacturing and materials (13%) and financial services (9%).