RSA recently compiled original research from the Security for Business Innovation Council (SBIC), a group of security leaders drawn from the Global 1000, on the topic of breach readiness. They provided insight into the technologies and processes that they have developed and use to prepare their organizations to deal with the ongoing challenge of cyber attacks on their operations.
This leadership group’s insight was invaluable, but we also thought it would be interesting to try to understand the gap between a leading-edge organization and the typical organization that faces similar challenges. It has been repeatedly shown that cybercriminals do not discriminate when it comes to achieving their objectives, whether it is theft of intellectual property, financial information, or personal data – they will target any organization that has valuable assets, regardless of size or sophistication.
We conducted a survey that was answered by more than 170 global respondents from 30 countries, covering four key areas that contribute to breach readiness: Incident Response, Threat Intelligence, Analytic Intelligence, and Content Intelligence. What we found was data that helps answer one of the most frequently asked questions for any security practitioner: “Why, despite increasing attention placed on improving cyber security, do we continue to see highly damaging breaches?” The data paints a pretty clear picture: the majority of organizations continue to lag in their adoption of baseline practices and technologies that will allow them to more effectively detect and respond to attacks.
Most organizations have acknowledged that a shift away from more preventative controls and tools is warranted, in favor of better capabilities in the areas of monitoring and response. Improving visibility into what is happening across your environment is the most important first step that organizations can take – especially as our infrastructure gets more complex and our attack surface grows. However, 55% of the survey population (more than half!) still do not have a capability to gather data from across their environment and provide centralized alerting of suspicious activity, rendering them blind to many of today’s threats.
Many damaging breaches have exploited known but unaddressed software vulnerabilities. Unpatched perimeter infrastructure is a common entry point for many attacks, and the increasing frequency of broad-scope bugs like Heartbleed and POODLE is making the effort to address vulnerabilities more labor-intensive and more important at the same time. Yet 40% of the survey participants don’t have an active vulnerability management program in place, exposing them to significant risk.
Finally, a common dictum is that “breaches are not a matter of if, but when.” Despite this conventional wisdom, 30% of respondents in our survey still do not have a formal incident response plan in place. When organizations lack established procedures to follow, they fall back on reactive behavior, which makes breach response much less effective. Further, regular testing and refinement of response plans is a highly effective practice employed by many leaders. Yet among those in our survey who had some sort of IR planning in place, 57% never update or review their plans. In the heat of an incident, a plan that potential responders know well and have tested can make the difference between a minor compromise and a major loss event.
Firming up just these three basic building blocks of breach readiness can go a long way toward making potential attackers’ efforts much more difficult. It should come as no surprise that 100% of our leaders in the SBIC have these measures in place.
In a follow-up blog, I’ll look at some of the more advanced capabilities that organizations can look to implement to bring themselves even more in line with our leaders. Until then, download our Breach Readiness e-book that covers key questions, insights, and recommendations from the SBIC and the survey in more detail.