Complex security estates hinder incident response

The more disparate security tools in use in an organisation, the harder it becomes to mount an effective incident response

Organisations running complex security estates find it substantially more difficult to detect and respond to cyber attacks, with those using more than 50 different security tools seeing the greatest impact, according to an IBM Security study.

Conducted on IBM’s behalf by the Ponemon Institute, the fifth annual Cyber resilient organisation report lends more weight to an increasing argument in favour of service consolidation within the enterprise.

Even though the findings strongly suggest that adopting more tools does not necessarily improve response efforts, IBM said those that had overspent could get around the problem to some extent by adopting more open and interoperable security platforms, as well as a soupçon of automation to taste. It said this may help to reduce the complexity of responding across disconnected toolsets.

The study found that although organisations have become marginally more effective in preparing for, and responding to, cyber attacks, their ability to successfully contain one had actually declined since 2016, with the abovementioned complexity, and a lack of specific playbooks, cited as the biggest problems.

“While more organisations are taking incident response planning seriously, preparing for cyber attacks isn’t a one and done activity,” said Wendi Whitmore, vice-president of IBM X-Force Threat Intelligence.

“Organisations must also focus on testing, practising and reassessing their response plans regularly. Leveraging interoperable technologies and automation can also help to overcome complexity challenges and speed the time it takes to contain an incident.”

IBM found that security response planning was slowly improving: 18% of organisations had a formal business-wide plan in 2015, and 26% do now. Those businesses can expect to spend an average of $1.2m (€1m/£960,000) less on incident recovery than the 74% of organisations that said their plans were either ad hoc, applied inconsistently, or non-existent.

The survey also found that even among those with formal incident response plans, only 33% had playbooks in place for specific types of attack, so the majority could not draw on consistent and repeatable action plans for incidents such as distributed denial of service (DDoS) attacks, or malware or ransomware infections.

Planning also paid off in other ways. Those with formal response plans applied across the organisation found they were less likely to experience disruption because of a cyber attack. In fact, only 39% of that group had experienced a disruptive incident in the past two years, compared to 62% of organisations that were winging it.

However, 52% of those that did have response plans said they never reviewed them, or had set no time period for reviewing or testing them. This suggests many are relying on outdated plans that have not kept pace with the evolving threat landscape.

The report, which can be read in full here, polled 3,400 IT and security professionals from around the world.