As attacks become more sophisticated and frequent, 86% of CISOs agree that cyber-incidents within their companies are inevitable. So, it comes as no surprise that the majority (76%) believe the speed and quality of incident response (IR) are the most important factors when measuring their performance. This means that heads of IT security departments are now focused not only on preventing attacks, but on identifying issues in time to minimize the damage.
While having IR as a process is a necessity, CISOs still face the dilemma of organizing it. There are five factors IT security leaders should consider when choosing how to organize IR in their organization:
- Shortage of qualified professionals
IR is often misunderstood as jumping into the remediation phase when an incident happens. However, the IR process starts even before an attack has occurred and isn’t over when it stops. In general, IR consists of four stages. The first is preparation to ensure all responsible employees know how to act upon attack. The second phase involves incident detection. Next, an IR team should eliminate the attack and recover any affected systems. After an issue is resolved, the IR strategy should be reviewed based on this experience, to mitigate similar cases happening again.
These diversified activities call for different professionals. Unfortunately, these specialists are in short supply. According to Kaspersky Lab’s survey, 43% of CISOs find it difficult to find a malware analyst, 20% to find specialists that can respond to attack, and 13% can’t find threat hunters. Another issue is employee retention. Specialists know they are in demand and can easily switch to a rival organization if offered a higher salary. Because of these factors, it’s increasingly hard for companies to employ a team internally that can conduct the entire IR process.
2. Choosing suitable outsourcers
Choosing a contractor is also not a trivial task. To be effective, an outsourced team should cover all the important competencies of IR; namely threat research, malware analysis and digital forensics. It’s important that outsourcers have vendor-neutral certificates to prove a skill base. Also, ask about their experience in the role. The more they work for multiple customers in a variety of industries, the more chance they regularly come across typical incidents and can find similarities in seemingly different cases.
For companies in strictly regulated industries, there may be additional restrictions when selecting outsourced responders. They will, therefore, only be allowed to choose from incident responders that meet specific compliance requirements.
3. Cost of incident response
Establishing in-house IR is costly. The organization needs to pay a salary to full-time employees with rare and expensive skills. They also need to purchase solutions and services (threat intelligence) required for threat hunting, data analysis and attack remediation.
However, the average cost of experiencing a data breach globally is increasing as well – with breaches now amounting to $1.23M on average for enterprises (up 24% from $992K in 2017). With the cost of IT incidents on the rise, businesses are realizing that they have to prioritize cybersecurity spending.
Some organizations find a flexible outsourcing model more cost-effective, as it allows them to pay only for the service received. However, for enterprises that deal with numerous incidents, having IR in-house is a must. Nonetheless, they can still find a more cost-effective model when they employ first-level responders. This internal team should be able to analyze the incident first and either handle it according to procedures or escalate to external experts.
4. Synergy with IT department
When an incident happens, the IT team may choose to shut down infected machines to reduce the impact. However, for responders, it’s important to collect the evidence first – meaning that the ‘crime scene’ should be left untouched for a while after an incident. Collecting logs and storing them for only three months, and disconnecting infected machines make the life of IR teams more difficult.
To avoid such discrepancies, the internal IR team should prepare special tailored guidance for their IT colleagues or introduce special training for any IT specialist who needs more than simple cybersecurity hygiene knowledge but doesn’t require in-depth security skills. This initiative will ensure that both the internal and external team are on the same page.
5. Delays in putting response into action
Organizations that outsource IR can establish the processes faster, as an external IR team is always on hand to step in and resolve an incident when needed. However, this comes with potential pitfalls. For instance, a company and the third party must sign contracts and create agreements before any work is carried out. This can lead to a delay in incident response.
In our experience, a customer team often comes back to work on a Monday to discover that the company was breached during the weekend. For several days they try to handle the issue on their own. As they realize that they cannot cope, they decide to turn to external experts. Now it’s Friday. So, the company tries to approve all the agreements in a hurry before the next weekend so that they can finally let the IR team get to work. If an organization has an internal team they can better evaluate each case and delegate responsibility quickly.
For most large organizations, a hybrid approach to IR, combining third-party responders as the second line of response and an in-house team as the first is the most effective option. It brings benefits and eliminates the shortages of both approaches.
All in all, outsourcing IR doesn’t mean that the company can simply hand over the reins to external experts and absolve themselves of responsibility. Having a plan is still key. To react in time, a company must be prepared and have a first line of response. There should be instructions for when to ask for external assistance and what it will address. Someone inside the company should also be tasked with prioritizing actions and coordinating cooperation between internal departments and the outsourced external team. Establishing such a role is a must.
Maxim Frolov is the Vice President of Global Sales at Kaspersky Lab