Ponemon report sponsored by Lancope. Cyber Security Incident Response - Are we as prepared as we think?


Commissioned by Lancope, Inc., this research study surveyed 674 IT and IT security professionals in the US and UK in order to determine the level of preparedness of their Cyber Security Incident Response Team.

In the past 24 months, most organizations represented in this study had at least one security incident and expect another will occur in the near future. Some of the most prominent findings from this research include:

  • Network audit trails are the most effective tool for incident response
  • CSIRTs are ill-prepared to respond to cyber threats
  • Management is largely unaware of cyber security threats
  • Investment is critical for effective cyber incident response programs
  • Metrics can help determine CSIRT effectiveness


Cyber Security Incident Response 2014 (PDF)


Below is a breakdown of findings by section:

Executive Summary

There is no question that organizations of all sizes face a significant threat from information security breaches. Cyber-attacks have become more commonplace and more sophisticated with each passing year. There are a variety of challenges that today’s security organizations have to deal with, including:

  • malware campaigns launched by organized criminal groups who look to steal information that can be sold on the black market
  • increasingly powerful distributed denial-of-service (DDoS) attacks that can take out large websites
  • state-sponsored espionage that can penetrate even well-defended networks.
Organizations need to be prepared to respond when these incidents happen.

The Current State of Computer Security Incident Response Teams

This section looks at the people who comprise the CSIRT – in-house and third party. We found that CSIRT programs are made up of experienced and credentialed experts, but lack full-time staff.

Forty-five percent indicated that their CSIRT had no full-time staff at all, and only 27 percent had more than one full-time employee.

Measuring Incident Response Effectiveness

Knowing is not half the battle: Although respondents say that they can identify security incidents within hours, it takes about a month to work through the entire process of incident investigations, service restoration and verification.

Fifty percent of respondents say their organization does not have meaningful operational metrics to measure the overall effectiveness of incident response activities. Learn why Mean Time to Know (MTTK) and Mean Time to Verify (MTTV) are crucial metrics for determining the root cause, restoring service and verifying resolution.


Figure 08: How long it takes to respond

Approximate average MTTI, MTTK, MTTF and MTTV experienced by organizations in recent incidents.


Incident Response Team Practices

In this section, in addition to asking about metrics, our survey asked respondents about a number of qualitative aspects of their incident response programs. These qualitative questions provide some indication of the maturity and readiness level of CSIRTs.

Interestingly, we found:

  • many organizations are not assessing the readiness of their incident response teams on an ongoing basis and lack defined rules of engagement
  • few organizations have a pre-defined public and analyst relations plan they can put in motion in the event of a material data loss that needs to be publicly disclosed
  • few organizations have a multi-disciplinary insider threat management program
  • most organizations are not sharing threat intelligence and indicators.


Incident Response Tools & Technologies

We asked our respondents to tell us what tools are most effective at detecting security breaches. The results are shown in Figure 12. Interestingly, the two most popular responses were tools that store audit trails of network and system-level activity, rather than automated detection tools. Collections of NetFlow, packet captures and Syslog become a source of truth for an incident investigator that can enable the investigator to rewind the clock, whereas most automated detection tools are focused on what’s happening in real time.

We also asked our respondents to provide information about their use of four common forensic audit trails - Syslog, NetFlow, packet capture and hard drive images. We asked respondents how widespread their deployment of these technologies is and how much history they store.

Management Visibility into Cyber Threats

This section delves into the finding that communication about potential cyber-attacks or threats posed against the organization often stays within IT management, and little filters throughout the enterprise.

Executive management is being left in the dark when it comes to security breaches. Only 20 percent of respondents say that they frequently communicate with executive management about potential cyber-attacks or threats against the organization.

About the Ponemon Institute

The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.