The most effective response to security incidents and potential data breaches in the organization involves a team of people, an investment that many say their firms are not willing to make, according to a new study.
A survey of 674 IT security professionals in the United States and the United Kingdom, conducted by the Ponemon Institute, found a lack of investment in, and awareness of, incident response activities on the part of senior management. The majority of survey respondents said additional people and more efficient processes could help speed incident response, but they acknowledged that investments in incident response capabilities in their organizations have remained static over the past 24 months. The study, released in January, was commissioned by Alpharetta, Ga.-based security firm Lancope.
"Most respondents agreed that the best thing that their organizations could do to mitigate future breaches is to improve their incident response capabilities," according to the Ponemon report. "This recommendation was more popular than preventative security measures such as vulnerability audits and end-user education efforts."
Advanced threat detection capabilities, driven by network security vendors FireEye, Palo Alto Networks, Cisco Sourcefire and others, have put a focus on threat detection. But once the appliances spot a threat, incident responders need to pinpoint the threat, contain it, remediate open vulnerabilities and deal with the infected system. All the vendors acknowledge that their technologies require incident responders. FireEye recently acquired Mandiant for its incident response capabilities and digital forensics practice as well as its endpoint security suite.
Solution providers say they are not surprised by the report's findings. Businesses will race to put in new technology, but they often consider the impact of the technology after it is in place, said Shaq Kahn, CEO of Fremont, Calif.-based security service provider Fortifier. Kahn, who has sold and implemented FireEye appliances, said in a recent interview that response capabilities are all too often an afterthought.
"They see the benefit of the threat detection, but they don't realize that something needs to be done once detection takes place," Kahn said. "This is a consistent problem with security."
Investments in incident response technologies and personnel may be viewed as reactive rather than preventative, according to Larry Ponemon, founder and chairman of the Ponemon Institute. In the report, Ponemon said that, ideally, breaches would not occur, and therefore there would be no need for teams to respond to them.
"With a limited budget for protecting an organization against security problems, it may be easier to rationalize spending that money on measures that are designed to stop breaches from occurring in the first place rather than on measures that are designed to respond to a breach once it has happened," Ponemon said.