At D3, we are always evolving our products to meet the needs of our customers and stay at the forefront of cyber incident response technology. This requires us to stay informed on the latest industry research, in order to understand the present and future of incident response, and where our solutions fit into the landscape.
We have leveraged some of this research for our latest whitepaper, wherein we highlight key findings from five major cybersecurity reports, and discuss what they tell us about the state of the industry. We also propose how intelligently applied automation and orchestration can provide solutions to the problems identified in the surveys.
In this blog post, we’ll explore some of the themes we found in the reports. To see the whitepaper in its entirety, please download it from our resources page.
Cybersecurity incident response is rapidly evolving, but based on the reports we read, there’s still a long way to go. Cisco estimates that more than half of all legitimate alerts are not remediated. This is largely a matter of not having enough time and resources to conduct proper investigations. The problem is exacerbated by the fact that security teams spend an average of 67% of their time chasing false positives, according to a Ponemon Institute study. Automation and orchestration platforms can help teams make immediate progress in this area by gathering contextual data to better assess false positives, automating the remediation of minor incidents, and providing tools for more efficient coordination within the SOC.
In many cases, security teams have plenty of software solutions, but these tools are not giving them what they need for stronger incident response. For some, the problem is actually having too many tools. The Cisco report cited in our whitepaper found that 10% of enterprises use products from more than 20 vendors in their security environment. Even with all these solutions deployed, 59% of companies still don’t have automated tools in place, only 9% keep fully centralized log data, and generating usable metrics requires substantial manual effort in most cases. Centralized platforms with broad functionality address this problem by eliminating data silos and streamlining workflows.
Throughout the reports we cite in our whitepaper, there is a sense that even high-performing cybersecurity teams are a bit chaotic, struggling to keep up with an unrelenting stream of alerts. This is a problem, because of the speed and tenacity of attacks against large companies. Respondents to a Verizon survey said that 98% of compromises could be measured in minutes or less, and another survey found that some incident types hit the same companies every week. These pervasive threats mean that all incident response teams can benefit from implementing tools that help them accelerate detection and remediation, and establish pre-built procedures for recurring incident types. Unfortunately, a study by Telstra suggested things are trending in the wrong direction, with average recovery times slowing from 2015 to 2016.
To put it bluntly, the reports we studied for our whitepaper do not paint an optimistic picture of current incident response processes. Tools are being bought and used with insufficient consideration given to how to use them effectively, and whether they are even the right tools to be using at all. Meanwhile, the volume and severity of attacks are showing no signs of slowing down. That’s why we’ve designed D3 to be the full-lifecycle incident response solution, combining IR, case management, automation, and orchestration in one centralized platform.
You can see the whitepaper in its entirety by downloading it from our resources page.