In terms of response gaps in dealing with attacks, there are several implications in how to deal with them and a number of complex reasons for the response gap. Many relate back to an organisation’s structural set-up, including how much investment is given to response, and how the associated tasks, roles, and responsibilities are allocated, resourced, and supported. The four major reasons are: attacks are detected but not actioned appropriately; attacks are detected but the organization doesn’t have the right technology to respond; attacks are detected but the cyber skills shortage impedes an organisation’s response and; attacks are not detected at all.
Firstly, on the subject of attacks being detected but not actioned appropriately, attack detection encompasses a wide range of functions, whether it is known malware triggering an AV alert or a threat hunter querying whether a legitimate Windows function is masking malicious activity. Regardless of how suspicious activity is detected, many organisations do not have pre-existing processes in place for how suspicious activity is flagged, actioned and escalated. Many organisations have suffered a devastating breach that resulted in their entire server being corrupted. Their anti-virus had typically flagged alerts but resources hadn’t been allocated to monitor them.
Regarding attacks being detected but the organisation not having the right technology to respond, there are a wide range of scenarios that lead to an attack being detected. Sometimes they are detected while in progress but most often the compromise is only revealed as the business is suffering (or has suffered) the attack’s impact. From a response perspective, all scenarios can be very difficult if the requisite technology isn’t in place. The kinds of technologies that can make or break an investigation include an endpoint detection agent that covers as many assets as possible and also contains the ability to pull rich forensic data and a variety of logs. Configuring the agent to retain data and logs can also be the defining factor in historic breaches – basically, evidence fades over time. In addition, IT environments are constantly changing and companies get acquired; all of these things make it much more difficult to gain full visibility if responses don’t begin for months – or sometimes even years – after an attack.
On the subject of attacks being detected but the cyber skills shortage impeding an organisation’s response, detecting and responding to attacks requires a high level of constantly updated skills. However, half of all organisations suggest that they are suffering a cybersecurity skills gap that ranges from the teams responsible for patching and system maintenance right up to incident responders, including ‘first responders’ who are the first port of call. Appointed ‘first responders’ are crucial in preparing for a response and ensuring that you have a range of relevant people from across the organisation who can lead and deputise decisions. This should extend to beyond just the IT team. And then, if attacks are not detected at all, most organisations – from enterprises to SMEs – aren’t able to allocate resource to dedicated security staff. This means, ultimately, that attacks are not detected until, in some cases, law enforcement knocks on the door. This is usually months and sometimes years after attackers have reached their objective.
What can organisations do to narrow the response gap? Well, for many organisations, narrowing the response gap requires a complete cybersecurity strategy reset. However, there are also a number of common-sense approaches that can lead to better response readiness for all organisations. First of all, one needs to prioritise response from the top down.
A survey done by MWR InfoSecurity, which has five of South Africa’s banks as its clients and was bought out by F-Secure last year, revealed that only 12% of companies prioritise response spending across the Prediction, Prevention, Detection, and Response framework, instead of the recommended equal spend across each of the four areas. Decisions to equalise this type of spend must come from the highest corners of the organisation, with the board and management of a business prioritising and effectively communicating their security programme to the wider business. Experience, However, tells that the board and senior management don’t necessarily arrive at this type of understanding on their own. The business case for responses is strong, but you can and should engage with an experienced third party to assist any leadership team that needs support in understanding and identifying where and why more investment is necessary.
Secondly, one should take a look at what you already have. Good response is in part down to the ability to interrogate necessary artefacts when an incident occurs as well as leveraging the right tools to accelerate the team and their actions. Often, the tooling required for a vast portion of response activity may already be in your organisation. For example, if you already have an endpoint agent, understanding and making sure you have the right elements activated can improve response readiness. Thirdly, implementing basic readiness across people, processes, and technology is necessary. Turnkey vulnerability management platforms like F-Secure’s RDR technology can help provide you with these capabilities.