By Julie Ferreira, Country Lead for RSA, The Security Division of EMC Southern Africa.
“Time and time again, traditional log-centric SIEMs have failed to properly protect organisations against attacks, especially advanced or targeted attacks. According to the 2014 Verizon Data Breach Investigation Report, 99% of successful cyber-espionage attacks went undiscovered by logs,” says Ferreira.
Today the SBIC serves as a best-practices benchmark, while 57% of industry at large never update or review incident response plans.
RSA, the Security Division of EMC, released the results of a new global breach readiness survey that covered thirty countries and compared those global results with a survey of the Security for Business Innovation Council (SBIC), a group of top security leaders from the Global 1000.
Using the SBIC as a benchmark, the results suggest that the majority of organisations are not following incident response best practices and are not well prepared to face the challenges of today’s advanced cyber threats.
The survey focused on measures within four major areas of breach readiness and response, namely Incident Response, Content Intelligence, Analytic Intelligence, and Threat Intelligence. The results suggest that organisations continue to struggle with the adoption of technologies and best practices that will allow them to more effectively detect, respond to, and disrupt the cyber attacks that turn into damaging breaches.
Incident response is a core capability that needs to be developed and consistently honed to effectively face the increasing volume of cyber attack activity. The survey results indicate that while all leading edge SBIC members have developed an incident response function, 30% of at-large organisations surveyed don’t have formal incident response plans in place. Out of those who do, 57% never update or review them.
Content Intelligence in the survey measured awareness gained from tools, technology and processes in place to identify and monitor critical assets. SBIC members can gather data and provide centralised alerting, but 55% of the general survey population lacks this capability – making them blind to many threats. Identifying false positives still proves a difficult task. Only 50% of the general respondents have a formal plan for identifying false positives, while over 90% of SBIC members have automated cyber-security technologies and a process to update information to reduce the chances of future incidents.
Most organisations recognise that basic log collection through SIEM systems provides only partial visibility into their environment. In the general survey, 72% of participants have access to malware or endpoint forensics; however, only 42% have capabilities for more sophisticated network forensics, including packet capture and NetFlow analysis.
External threat intelligence and information sharing is also a key activity for organisations to stay up-to-date on attackers’ current tactics and motives. The survey results indicated that 43% of the survey participants are leveraging an external threat intelligence source to supplement their efforts.
“In addition to spotting attacks, customers need to have the ability to understand the true nature and scope of an incident, not just what was logged, to stay one step ahead of attackers,” says Ferreira.
Finally, attackers still continue to exploit known but unaddressed vulnerabilities in damaging breaches. Despite this knowledge, the survey found that only 40% of the general population had an active vulnerability management program in place, increasing the challenge to keep their security programs ahead of attackers.
For more information regarding the Security for Business Innovation Council, download the eBook highlighting SBIC results compared to the community at large, or watch the video in which Dave Martin discusses insights from the Security for Business Innovation Council.