In the past, many large organizations spent about 70% of their security budgets on prevention and the remaining 30% on incident detection and response. Prevention is still important but given the insidious threat landscape, enterprises must assume that they will be breached. This means that they need the right processes, skills, and security analytics to detect and respond to security incidents effectively, efficiently, and in a timely manner.
Which areas of incident detection/response need the most attention? In a recent research project, ESG asked 315 security professionals working at enterprise organizations (i.e. more than 1,000 employees) to identify incident detection/response areas where their organizations are particularly weak. Here’s a synopsis of the ESG research along with my editorial comments:
- 29% say they are weak at “performing forensic analysis to determine the root cause of the problem.” This is understandable, since they probably don’t capture network and host-based forensic data and may also lack the right security forensic skills. Security analytics weaknesses in this area are driving a lot of market activity around network forensics (e.g., from vendors like AccessData, Blue Coat, Fidelis, LogRhythm, WildPackets) and burgeoning interest in endpoint forensics (e.g., from vendors like Bit9, Guidance Software, and RSA). Additionally, the continuing security skills shortage will result in a happy new year for HBGary and Mandiant.
- 28% say they are weak at “using security intelligence and retrospective remediation to determine the scope of outbreaks, contain them, and remediate malware attacks.” The term “retrospective remediation” refers to the ability to use current security intelligence and malware discoveries to find malicious files that were downloaded and executed on internal systems in the past. In other words, new discoveries can help identify previously undetected malware. Sourcefire (Cisco) has a service dedicated to retrospective remediation, and this is also an issue that asymmetric big data security analytics is designed to address (e.g., vendors like IBM, Leidos, and LexisNexis).
- 27% say they are weak at “analyzing security intelligence to detect security incidents.” There are a few fundamental problems here. First, a lot of security intelligence is pretty pedestrian and historical in nature. When bad guys are using DNS “fast fluxing” (i.e., randomly generating large numbers of URLs), the old IP reputation list will be of marginal value. Second, we have a profound security skills shortage that limits what we can do. Finally, we still have human beings going through manual reports à la 1980. We need better security intelligence (e.g., iDefense, Norse, Team Cymru) and more automated analysis and correlation.
- 26% say they are weak at “determining which assets (if any) remain vulnerable to a similar type of attack.” The issue here is that we don’t know what’s on our networks, and we don’t know the current state of what’s on our networks. This is precisely why the Department of Homeland Security (DHS) set aside $6 billion for its Continuous Diagnostics and Mitigation (CDM) program. CDM contractors include Booz Allen Hamilton, CSC, Knowledge Consulting Group, Lockheed Martin, Northrop Grumman, SAIC, and ManTech. The contract also includes monitoring, scanning, log management, and SIEM vendors such as Core Impact, ForeScout, McAfee, nCircle, Rapid7, RedSeal, Veracode, Symantec, Splunk, and others.
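As an added illustration of the retrospective remediation idea above (example code written for this page, not a vendor's product or ESG's work): a set of file hashes that only became known-bad today is matched against an endpoint process-execution log to find which hosts ran those files in the past and how long they went undetected. The log lines, hostnames and hashes are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed placeholder SHA-256 values (not real malware hashes).
H_A, H_B, H_C = "aa" * 32, "bb" * 32, "cc" * 32

# Constructed endpoint execution log, one process launch per line:
# ISO timestamp, hostname, SHA-256 of the executed image, image path.
EXEC_LOG = "\n".join([
    f"2013-11-02T09:14:05 ws-017 {H_A} C:\\Users\\jdoe\\Temp\\invoice.exe",
    f"2013-11-02T09:20:41 ws-017 {H_B} C:\\Windows\\System32\\notepad.exe",
    f"2013-11-05T17:02:13 ws-042 {H_A} C:\\Users\\kroe\\Downloads\\invoice.exe",
    f"2013-11-06T08:55:30 srv-db1 {H_C} D:\\tools\\update.exe",
    "truncated line that a parser must skip rather than crash on",
    f"2013-11-08T11:31:57 ws-042 {H_C} C:\\Users\\kroe\\Temp\\update.exe",
])

# Constructed intelligence feed received today: H_A and H_C are only now known bad.
NEW_BAD_HASHES = {H_A, H_C}


def parse_exec_log(text):
    """Parse log lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4 or len(parts[2]) != 64:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append({"ts": ts, "host": parts[1],
                        "sha256": parts[2].lower(), "path": parts[3]})
    return records


def retrospective_scope(records, bad_hashes, intel_received):
    """For each newly bad hash: hosts that executed it, earliest execution,
    and how many days that execution predates the intelligence (dwell time)."""
    hits = defaultdict(list)
    for r in records:
        if r["sha256"] in bad_hashes:
            hits[r["sha256"]].append(r)
    scope = {}
    for h, rs in hits.items():
        first = min(r["ts"] for r in rs)
        scope[h] = {"hosts": sorted({r["host"] for r in rs}),
                    "first_seen": first,
                    "undetected_days": (intel_received - first).days}
    return scope
```

Running `retrospective_scope(parse_exec_log(EXEC_LOG), NEW_BAD_HASHES, datetime(2013, 12, 1))` reports H_A on ws-017 and ws-042 (first seen 2013-11-02, 28 days before the intelligence arrived) and H_C on srv-db1 and ws-042, which is exactly the containment scope a responder needs.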
In aggregate, large organizations have lots of incident detection/response weaknesses that need to be addressed -- pronto. Yes, the market is full of products and services that may be helpful but there are no magic solutions out there. CISOs have a lot of real work to do. They should assess their skills, processes, and tools, and then build a detailed plan to address these weaknesses, define objectives, and measure progress.