The talent shortage in cybersecurity persists. Just last year, research showed a cybersecurity market gap of 85 workers for every 100 job openings – in other words, 15% of jobs go unfilled. There aren’t enough professionals to cover the baseline of organizational needs, creating greater risk for businesses and more opportunity for cybercriminals.
While this issue is seeping into all areas of cybersecurity, it has been especially problematic in the area of Incident Response (IR), where the impact is not as clear and the solution is, in some ways, elusive. IR requires extensive training, creativity, and experience on the job, but cybersecurity teams are so inundated with threats and vulnerabilities that most don’t prioritize time or resources toward developing great incident responders. That’s a problem.
As a result, companies are getting worse at properly responding to incidents and the issue has gone unaddressed for far too long. Organizations need these types of professionals to safeguard their operations, data, and customers, but without the proper training and tools, they don’t have the ability to build out strong IR teams.
Incident Response is Critical to Threat Prevention
Although IR is, by definition, about having a plan for responding to attacks, it’s actually a crucial way for organizations to defend against potential threats and one that must be prioritized. In 2023, Mandiant reported that 15% of the breaches they investigated came from attacks where the initial access vector was a prior compromise. These attacks could have been avoided with the right team and processes in place, conducting comprehensive incident response to adequately scope and eradicate the attacker from the environment.
IR is a critical step in learning from and preventing the next incident. If teams don’t have this understanding internally, how are they addressing this need? If an organization isn’t able to investigate a breach, assess and analyze it, then create actionable steps based on key learnings, it is unlikely to prevent similar incidents when they inevitably happen again. So, what’s the path forward for IR?
Short-Term Solutions Aren’t Real Solutions
Currently, too many organizations follow a “nuke and pave” approach to IR, opting to just reimage computers because they don’t have the people to properly extract the wisdom from an incident. In the short term, this is faster and cheaper but has a detrimental impact on protecting against future threats. When you refuse to learn from past mistakes, you are more prone to repeating them.
Conversely, organizations may turn to outsourcing. Experts in managed security services and IR have realized that consulting gives them a broader reach and impact on the problem — but none of these are long-term solutions.
This kind of short-sighted IR creates a false sense of security. Organizations are solving the problem for the time being, but what about the future? Data breaches are going to happen, and reliance on reactive problem-solving creates a flimsy IR program that leaves an organization vulnerable to threats.
Organizations need something long-term to bolster their security programs. The best way to do that is with modern tooling and refactoring IR as a core function of companies to help them extract wisdom from the suffering. Arming organizations and their cybersecurity experts with the proper training and solutions is the only surefire way to introduce better IR programs.
Training and Tools Create Better Incident Response
Part of the difficulty in creating a strong IR program is that there’s no one-size-fits-all solution, meaning there’s no perfect handbook for an organization to consult when bolstering its teams. The NIST Cybersecurity Framework recognizes this reality: by necessity, different organizations have different risks, objectives and risk tolerances. Instead, IR needs to take a training-forward approach based on an organization’s needs and arm its people with the right skills and solutions.
Knowledge-sharing is the best way to go about this. Sharing key learnings from previous attacks is how these teams can grow and prevent future disasters. The problem is that while plenty of engineers agree they learn the most when something “breaks” and that incidents are a treasure trove of knowledge for security teams, these conversations are often restricted to need-to-know channels. Openness about incidents is the only way to really teach teams how to address them.
These teams also need the right tools to get the job done. Organizations have access to a variety of these; for example, Endpoint Detection and Response (EDR) tools can monitor and collect activity data to identify threats and enable quick response. Security Information and Event Management (SIEM) can provide comprehensive real-time analysis of security alerts, while Network Traffic Analysis (NTA) can find abnormalities that point toward threats. Similarly, User and Entity Behavior Analytics (UEBA) can find insider threats.
Solutions like these give IR teams breathing room in the event of an attack by making responses faster and easier. They relieve some of the pressure and reduce the need to spend money outsourcing IR or reimaging devices. Most importantly, they allow learning and better understanding that helps with future prevention.
Focusing on IR and root cause analysis as an integral step is necessary to put organizations in the best position to handle attacks as they come and to avoid bigger disasters down the line. Preparation is crucial in cybersecurity; IR is a core piece of that kind of defense. Additionally, teams need “dwell time” to think through what happened. This goes back to having appropriate training programs in place.
Tooling and training will become even more important as the threat landscape changes, and evolving technology makes it more difficult to keep up with attackers. Alongside the shortage of talent, organizations need to invest in the development of their existing teams to protect against new threats. Otherwise, they risk subjecting themselves to even greater breaches and attacks.
Incident Response is the Path Forward for Better Cybersecurity
As organizations neglect to prioritize IR against a rising threat landscape, they leave opportunities open for cyberattackers to take advantage of the same weaknesses in their defenses again. Every breach should be a learning opportunity so that teams are able to extract information that bolsters security programs against future threats.
About the Author
Stephanie Aceves is a Senior Director of Product Management at Tanium. She is a cybersecurity subject matter expert and spent part of her Tanium career helping build out Tanium’s presence in Latin America. Prior to Tanium, she was an ethical hacker at Ernst & Young, getting paid to hack into companies in a wide range of industries. Her expertise was in compromising internal corporate networks. She has obtained GIAC certifications for both forensic examination and penetration testing. Stephanie can be reached online at LinkedIn and at our company website https://tanium.com/.