How to Close the Gap on IT Security Breach Readiness

In light of another year of numerous high profile cybersecurity breaches in 2014, RSA set out to get a clear understanding as to why organizations continue to struggle with breach readiness and how they can improve their preparation in the future. This week RSA announced the results of a global breach readiness survey of more than 170 respondents from 30 countries, which were compared to the responses of the Security for Business Innovation Council (SBIC), a group of top security leaders from Global 1000 enterprises.

The survey covered four key areas of breach readiness with which many organizations struggle today: Incident Response, Threat Intelligence, Analytic Intelligence, and Content Intelligence.

When comparing the best practices of SBIC members to the broader population, it’s clear that many organizations are struggling to address even basic requirements for success in defending themselves from advanced threats. Recognizing that security teams have numerous responsibilities and priorities with limited budgets and resources, the results reveal that it takes organizations too long to make breach readiness improvements and add missing capabilities. They are gambling with their organizations’ security. There are definite signs, however, that many organizations are beginning to take the necessary steps forward on the maturity journey.

Before we look at some of the good news, it gives me pause that 57% of respondents miss the critical early step of reviewing and updating their incident response plans, never mind testing and exercising these plans. Whilst a security operations team is likely exercising their part of the plan almost daily, there is much to be gained from regularly conducting tabletop exercises of the plan with business and executive players; this is a vital preparedness and education tool.

On a positive note, nearly half of the general population surveyed has implemented a capability to centralize and correlate their logs, use asset criticality to focus their incident management and have a process to identify and reduce false positives. Only 43% harness the value of external threat information by integrating it with that centralized data, leaving many without the protection of leveraging known indicators against their aggregated data. Although this step can’t protect you from the unknown, leveraging the larger ecosystem and its broader experience is a critical step to decreasing the likelihood that existing threats are operating within the environment. A great threat feed can go a long way to giving early indication of malicious activity.
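To make the three capabilities in that paragraph concrete (centralized logs, external indicators matched against them, and asset criticality plus false-positive handling used to focus the response), here is an added example that is not part of the original post or of any RSA product. The threat feed, asset inventory, allowlist and log lines are all constructed sample data; the log format, the `2`-as-default criticality for unknown hosts and the allowlist keyed on (host, indicator) are assumptions for illustration.

```python
"""Added example: match known indicators from a threat feed against centralized
logs, rank hits by asset criticality, and suppress known false positives.
All feed entries, hosts and log lines below are constructed sample data."""
import re
from collections import namedtuple

# Constructed sample hash (not a real file hash): 64 hex chars.
DROPPER_SHA256 = "deadbeef" * 8

# Constructed threat feed: indicator -> description. 203.0.113.0/24 is a
# documentation range, and the domain uses the reserved .example TLD.
THREAT_FEED = {
    "203.0.113.42": "known C2 address (constructed sample)",
    "evil-updates.example": "malware distribution domain (constructed sample)",
    DROPPER_SHA256: "sha256 of known dropper (constructed sample)",
}

# Constructed asset inventory: hostname -> criticality (1 = low, 5 = crown jewel).
ASSET_CRITICALITY = {
    "db-prod-01": 5,
    "hr-ws-17": 3,
    "kiosk-lobby": 1,
}

# Known-benign (host, indicator) pairs, e.g. a scanner that legitimately
# probes a listed address. Assumed allowlist shape for this example.
FALSE_POSITIVE_ALLOWLIST = {("vuln-scanner", "203.0.113.42")}

# Assumed centralized log format: "<timestamp> <host> <free-text message>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")

Alert = namedtuple("Alert", "timestamp host indicator description priority")


def extract_candidates(msg):
    """Pull IPv4 addresses, dotted names and sha256 hashes out of a message.
    Names are matched lowercase only; real logs would need case normalization."""
    ips = re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", msg)
    hashes = re.findall(r"\b[0-9a-f]{64}\b", msg)
    names = re.findall(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", msg)
    return set(ips) | set(hashes) | set(names)


def match_indicators(log_lines, feed=THREAT_FEED, assets=ASSET_CRITICALITY,
                     allowlist=FALSE_POSITIVE_ALLOWLIST):
    """Return alerts for every feed hit, highest asset criticality first."""
    alerts = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        host = m.group("host")
        for cand in extract_candidates(m.group("msg")):
            if cand not in feed:
                continue
            if (host, cand) in allowlist:
                continue  # documented false positive, do not page anyone
            priority = assets.get(host, 2)  # unknown asset: assume medium
            alerts.append(Alert(m.group("ts"), host, cand, feed[cand], priority))
    # Stable sort keeps log order among hits of equal criticality.
    alerts.sort(key=lambda a: a.priority, reverse=True)
    return alerts


# Constructed sample logs as they might look after centralization.
SAMPLE_LOGS = [
    "2015-01-14T09:12:03Z db-prod-01 outbound tcp 10.0.5.12:51022 -> 203.0.113.42:443 bytes=8192",
    "2015-01-14T09:12:09Z hr-ws-17 dns query evil-updates.example answer 198.51.100.7",
    "2015-01-14T09:13:44Z vuln-scanner outbound tcp 10.0.9.9:40000 -> 203.0.113.42:443 bytes=120",
    "2015-01-14T09:15:00Z kiosk-lobby process created sha256=" + DROPPER_SHA256,
    "2015-01-14T09:16:30Z hr-ws-17 user login ok",
]

if __name__ == "__main__":
    for a in match_indicators(SAMPLE_LOGS):
        print(f"P{a.priority} {a.timestamp} {a.host}: {a.indicator} ({a.description})")
```

Run stand-alone, the script reports the database server first, the HR workstation second and the lobby kiosk last, while the scanner's contact with the listed address is suppressed by the allowlist. The point of the ordering is the one the survey makes: the same indicator hit means something very different on a crown-jewel host than on a kiosk, and a documented false-positive list keeps the team from re-investigating the same benign match every day.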

Most organizations (70%) report that they have the ability to perform a live host analysis, but less than half have the ability to perform live network analysis. This is a critical step to be able to complete the picture of activity on a network, either to match network traffic to host activity or to identify traffic from an unmanaged host.

As organizations continue the breach readiness journey, the SBIC offers valuable prescriptive advice on which capabilities are most important, and the features that must be prioritized to more successfully prepare for breaches. An effective program will combine a dedicated team, either in-house or through a managed security services provider, with excellence in response process and analytic capability; it will also have a high degree of visibility into data, application, host and network activity, prioritized with asset criticality and informed by external threat information.

For more information about the survey results, check out the e-Book, Closing the Gap on Breach Readiness.

About the Author: Dave Martin