After the breach: Putting your cyber house in order

Having detected the penetration of your cybersecurity perimeter, the next step is to resolve the problem and get back into normal operations quickly.

Today’s cybersecurity is good at prevention, with most prevention solutions having a 99.9% or higher detection rate for common malware, but once the perimeter is penetrated, identification usually comes too little, too late. The mean time to identify (MTTI) a data breach was 201 days, and the mean time to contain (MTTC) was 70 days. In up to 70% of cases, data breaches were detected by third parties.

So prevention is good and detection is not so good, but that still leaves the critical third and most important pillar of effective cybersecurity: resolution. Resolving a cybersecurity issue typically depends on the successful execution of an Incident Response Plan (IRP), a set of written instructions for detecting, responding to, and limiting the effects of an information security event. Think of it as the steps for putting your house back in order after a catastrophe occurs.

Given the sad state of MTTI and MTTC, the ability to quickly resolve an issue once it is detected would seem to be essential, but as a recent report indicates, most organizations don’t even do that. A survey of 2,000 IT and IT security professionals found that 75% do not have a formal cybersecurity incident response plan (CSIRP) that is applied consistently across the organization. Of those with a CSIRP in place, 52% have either not reviewed or updated the plan since it was put in place, or have no set schedule for doing so.

Another challenge is the sheer number of security alerts that need further investigation but are ignored because the skills and resources to look into each one are lacking. Almost half of enterprise cybersecurity professionals (42%) claim that they ignore a “significant number of security alerts” because they can’t keep up with the volume. Another 32% say that they ignore “a marginal number of security alerts” for the same reason. Of those forced to ignore security alerts, 31% claim they ignore 50% or more of them because they can’t keep up with the overall volume.

Fortunately, there are a number of resources available to address this gap. The first step, says cybersecurity guru Jon Oltsik, a principal analyst at Enterprise Strategy Group, is to make sure you have a formal and documented IRP, and a good place to start is the NIST Computer Security Incident Response Guide, listed below.

Once you have an IRP, the next step is to remove the bottlenecks in the process, from data collection and analysis to decision-making and the handoff from security to IT. You should also consider cyber insurance and outsourcing to a third party that specializes in cybersecurity and has the resources and skills to investigate alerts; such a partner can make better decisions and prioritizations, and therefore reduce both risk and time to resolution.

With the three pillars of an effective cybersecurity framework in place, you can minimize your risks and sleep soundly. Just understand that effectiveness depends upon all three pillars (prevention, detection, and resolution) working together seamlessly.

Read part 1 of the series: Prevention: One-third of a healthy cybersecurity regimen
Read part 2 of the series: Detection: What you don’t know will hurt you

NIST Computer Security Incident Response Guide

Establishing an incident response capability should include the following actions:

  • Creating an incident response policy and plan
  • Developing procedures for performing incident handling and reporting
  • Setting guidelines for communicating with outside parties regarding incidents
  • Selecting a team structure and staffing model
  • Establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies)
  • Determining what services the incident response team should provide
  • Staffing and training the incident response team