Three Causes of Incident Response Failure

3 min read

Breaches continue to be reported at a dizzying pace. In 2018 alone, a diverse range of companies — including Best Buy, Delta, Orbitz, Panera, Saks Fifth Avenue, and Sears — have been victimized. These are not small companies, nor did they have small IT budgets. So, what’s the problem?  
  
Threats are escalating in scope and sophistication. Often times, new technologies are added to the enterprise network and not fully tested for security flaws. This creates issues for security teams, making it difficult to defend gaps and protect against persistent threats. Another issue facing security team is over emphasis on prevention has caused an under investment in security monitoring and incident response. 
  
Is your team faced with any of these three issues that can lead to failure to respond to incidents, malware, and threats properly?
 
1: Alert fatigue- multiplying security solutions to tackle the threat avalanche causing a large alert volume.
Even when centrally managed and correlated with a Security Information and Event Management (SIEM) solution, the workload of verifying and triaging an alert often overwhelms an in-house security team. The harder parts of research and enrichment come after the alert is verified, defining the who, what, where, when, and what to do about it. In the meantime, more alerts continue to pile up, making it difficult for an in-house security team to keep up with the everchanging threat landscape. 
  
2: Skill shortage- everyone has a limited security budget.
Even if budget was a non-issue, skill shortage continues to be acute globally. Where can you find a mass of capable people? And how do you train and keep them? By the way, did you notice that management seems to be somehow more amenable to buying yet another tool than adding headcount? Artificial Intelligence (AI) continues to be a mirage, self-driving cars anyone?
  
3: Tribal knowledge- security processes require a transfer of knowledge from senior to new or junior resources. 
Incident response requires a deep knowledge of existing systems and reasons why things are set up the way they are. Even when highly documented policies and procedures are in place, companies often rely heavily on their most senior analysts to make decisions based on their experience and knowledge of the organization. 
  
Throwing money at this problem is not the answer, working smarter is the better answer. If you have problems with alert fatigue, skill shortage, or tribal knowledge, Co-Managed SIEM can help you. According to Gartner’s How and When to Use Co-Managed Security Information and Event Management report, “Co-managed SIEM services enable security and risk management leaders to maximize value from SIEM and enhance security monitoring capabilities, while retaining control and flexibility.”
 
Download the full report to gain insights including how to identify current gaps, project goals and use cases, as well as guidance to help you evaluate and select the right provider.