Incident Response Lacking in the Enterprise
Everyone agrees having an incidence response team on hand is a good idea. It's just not practical for most companies.
In an ideal world, every organization would have a dedicated, in-house incident response team to handle both forensic analysis and remediation but, according to Larry Ponemon, chairman and founder of the Ponemon Institute, the reality is that relatively few companies have such teams in place.
Probably one third of organizations have officially sanctioned incident response teams, maybe another third have an informal approach, a plan thats not actually an officially-sanctioned team and then the final third really dont have anything in place, Ponemon said. Theyre waiting for the other shoe to drop, and then theyll figure out a way of dealing with it.
For many companies, Ponemon said it makes sense instead to turn to a provider that offers incident response as a service, such as McAfee, Verisign iDefense, Dell SecureWorks, Mandiant, Sword & Shield or CyberEvidence. More and more organizations are getting into this niche field, and quite frankly, I think they add a lot of value, he said.
The point is that handling cyber attacks or security breaches the wrong way can cost a lot of money. You can incur huge organizational costs, and soft costs as well, like reputation diminishment, customer churn, he said. So you have to think, is it better to have a consultant thats bringing all of this expertise to the table, even if the cost is a substantial amount of money, or is it better to go it alone?
Jeffrey Wheatman, research director at Gartner said the most highly-regulated industries like financial services, insurance or health care are far more likely to dedicate resources to incident response, but he still said he rarely sees a dedicated, in-house incident response team. Theyre certainly the exception rather the norm, he said.
Thats generally because its hard for the vast majority of companies to justify the cost of maintaining a dedicated team focused on activities like analysis and forensics. You have two options when you have an incident, said Wheatman. One is to get back up and running as quickly as possible, and the other is actually to figure out what happened -- and I think we all know that the former is much more common.
When an enterprise considers turning to companies that offer incident response as a service, Wheatman said, theres always an inherent Catch-22 because [t]hose companies will probably have better expertise and capabilities to do that, but whether clients are going to trust them to do so, I think, is an entirely different question."
Still, it makes much more sense to delegate that kind of responsibility to a third party, simply because of the nature of the work. Youll sit around for days on end without anything happening, and then all of a sudden you have eight million hours worth of work to do in eight hours. And thats where the third party would come in, because theyll have a bunch of resources to allocate, Wheatman said. To have a full dedicated team in house is just going to be way, way too expensive.
Bob Walder, chief research officer at NSS Labs, said most of the companies hes spoken to dont (and cant afford to) have a dedicated incident response team. Typically, we dont find that sort of approach in anything but the largest Fortune 100 type enterprises, he said.
Still, Walder said, that doesnt mean other companies shouldnt consider the idea. Smaller organizations could adopt some of the techniques, without necessarily spending too much on additional resources. At the end of the day, its about balancing the risk and the cost.
Carefully studying firewall and IPS logs, for example, can make a significant difference, whether thats done by a dedicated team or just by a single individual; the techniques being used to mitigate risk often matter far more than the size of the teams employing them.
One enterprise he spoke to, Walder said, recently found that they had more than 2,000 machines on their network that had been compromised for over two years. Theyve got their firewall, theyve got their IPS in place but, presumably, what they werent doing was actually watching what was going on across their network in that time."
In a lot of organizations, [firewall and IPS] logs are not studied carefully enough, and even the organizations that are looking at the logs are probably looking at them in isolation, Walder said. They need to start looking at whats happening across their network, and try correlating some of the seemingly unrelated incidents.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at email@example.com .