Connect with us

Hi, what are you looking for?

OPINIONS

Incident response: five key factors CISOs should consider when building this process

Organizations that outsource IR can establish the processes faster, as an external IR team is always on hand to step in and resolve an incident when needed. However, this comes with potential pitfalls.

By Maxim Frolov
Vice President of Global Sales at Kaspersky Lab

As attacks become more sophisticated and frequent, 86% of CISOs agree that cyber-incidents within their companies are inevitable. So, it comes as no surprise that the majority (76%) believe the speed and quality of incident response (IR) are the most important factors when measuring their performance. This means that heads of IT security departments are now focused not only on preventing attacks, but on identifying issues in time to minimize the damage.

While having IR as a process is a necessity, CISOs still face the dilemma of organizing it. There are five factors IT security leaders should consider when choosing how to organize IR in their organization:

1. Shortage of qualified professionals

Advertisement. Scroll to continue reading.

IR is often misunderstood as jumping into the remediation phase when an incident happens. However, the IR process starts even before an attack has occurred and isn’t over when it stops. In general, IR consists of four stages. The first is preparation to ensure all responsible employees know how to act upon attack. The second phase involves incident detection. Next, an IR team should eliminate the attack and recover any affected systems. After an issue is resolved, the IR strategy should be reviewed based on this experience, to mitigate similar cases happening again.   

These diversified activities call for different professionals. Unfortunately, these specialists are in short supply. According to Kaspersky Lab’s survey, 43% of CISOs find it difficult to find a malware analyst, 20% to find specialists that can respond to attack, and 13% can’t find threat hunters. Another issue is employee retention. Specialists know they are in demand and can easily switch to a rival organization if offered a higher salary. Because of these factors, it’s increasingly hard for companies to employ a team internally that can conduct the entire IR process.

2. Choosing suitable outsourcers

Choosing a contractor is also not a trivial task. To be effective, an outsourced team should cover all the important competencies of IR; namely threat research, malware analysis and digital forensics. It’s important that outsourcers have vendor-neutral certificates to prove a skill base. Also, ask about their experience in the role. The more they work for multiple customers in a variety of industries, the more chance they regularly come across typical incidents and can find similarities in seemingly different cases.

For companies in strictly regulated industries, there may be additional restrictions when selecting outsourced responders. They will, therefore, only be allowed to choose from incident responders that meet specific compliance requirements.

Advertisement. Scroll to continue reading.

3. Cost of incident response

Establishing in-house IR is costly. The organization needs to pay a salary to full-time employees with rare and expensive skills. They also need to purchase solutions and services (threat intelligence) required for threat hunting, data analysis and attack remediation.

However, the average cost of experiencing a data breach globally is increasing as well – with breaches now amounting to $1.23M on average for enterprises (up 24% from $992K in 2017). With the cost of IT incidents on the rise, businesses are realizing that they have to prioritize cybersecurity spending.

Some organizations find a flexible outsourcing model more cost-effective, as it allows them to pay only for the service received. However, for enterprises that deal with numerous incidents, having IR in-house is a must. Nonetheless, they can still find a more cost-effective model when they employ first-level responders. This internal team should be able to analyze the incident first and either handle it according to procedures or escalate to external experts.

4. Synergy with IT department

Advertisement. Scroll to continue reading.

When an incident happens, the IT team may choose to shut down infected machines to reduce the impact. However, for responders, it’s important to collect the evidence first – meaning that the ‘crime scene’ should be left untouched for a while after an incident. Collecting logs and storing them for only three months, and disconnecting infected machines make the life of IR teams more difficult.

To avoid such discrepancies, the internal IR team should prepare special tailored guidance for their IT colleagues or introduce special training for any IT specialist who needs more than simple cybersecurity hygiene knowledge but doesn’t require in-depth security skills. This initiative will ensure that both the internal and external team are on the same page.

5. Delays in putting response into action

Organizations that outsource IR can establish the processes faster, as an external IR team is always on hand to step in and resolve an incident when needed. However, this comes with potential pitfalls. For instance, a company and the third party must sign contracts and create agreements before any work is carried out. This can lead to a delay in incident response.

In our experience, a customer team often comes back to work on a Monday to discover that the company was breached during the weekend. For several days they try to handle the issue on their own. As they realize that they cannot cope, they decide to turn to external experts. Now it’s Friday. So, the company tries to approve all the agreements in a hurry before the next weekend so that they can finally let the IR team get to work. If an organization has an internal team they can better evaluate each case and delegate responsibility quickly.

Advertisement. Scroll to continue reading.

***

For most large organizations, a hybrid approach to IR, combining third-party responders as the second line of response and an in-house team as the first is the most effective option. It brings benefits and eliminates the shortages of both approaches.

All in all, outsourcing IR doesn’t mean that the company can simply hand over the reins to external experts and absolve themselves of responsibility. Having a plan is still key. To react in time, a company must be prepared and have a first line of response. There should be instructions for when to ask for external assistance and what it will address. Someone inside the company should also be tasked with prioritizing actions and coordinating cooperation between internal departments and the outsourced external team. Establishing such a role is a must.

Advertisement. Scroll to continue reading.
Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

HEADLINES

Kaspersky has enhanced its Kaspersky Industrial CyberSecurity (KICS), a native XDR Platform for industrial enterprises, and streamlined Managed Detection and Response (MDR) for Industrial...

HEADLINES

Smart has received reports about unscrupulous individuals pretending to be company executives or representatives of organizations asking for donations for made-up or nonexistent relief...

HEADLINES

Located in the Kaspersky office, the new facility will provide the company’s stakeholders with services ranging from an overview of Kaspersky’s practices, to a...

HEADLINES

Smart and Maya emphasize that they never send SMS with links requesting login credentials, personal information, or account verification. If you receive such a...

HEADLINES

In this new scheme, scammers call potential victims claiming that their phone number has been linked to illegal activities. The fraudsters would then extort...

White Papers

With an increase of 9% the industry is one of only three sectors with an increasing attack rate beside healthcare (+7%) and financial services...

HEADLINES

In August alone, PLDT and Smart’s Cyber Security Operations Group (CSOG) blocked access to more than 400,000 URLs that host child sexual abuse and...

White Papers

The survey reveals a crucial opportunity for mobile brands in the Philippines to stand out by prioritizing mobile app security and creating a better...

Advertisement