Top 3 Lessons from a Year’s Worth of Incident Response Data
Learn what insights our incident response team uncovered from hundreds of incident response engagements and what actions can best help mitigate the risk of a compromise.
By: Jeffrey Carpenter
Most agree that 2017 was a busy year of major network breaches that caused tremendous havoc for the organizations involved. As just a few examples, we saw headlines about the Shadow Brokers, WannaCry ransomware, and other incursions at a wide variety of companies from large, global enterprises to smaller private entities. That said, headlines are just one indicator – snapshots of the problem – and sometimes it's only upon deeper analysis and reflection that you get a sense of the sheer scope of the challenge. That's certainly the case with a new Secureworks® report on a year's worth of threat investigations and the best practices that emerge from that analysis.
A Troubling Threat Landscape Persists
Indeed, our Incident Response Insights Report 2018: Risks, Remedies, and Best Practices for Defending Against Cyber Threats has produced some eye-opening findings. In hundreds of incident response investigations, and with visibility across 250 billion log events every day, we found a troubling digital landscape of ransomware, trojans, business email compromise attacks, advanced spear phishing, and many other types of malicious code and threats that are costing companies billions.
Equally troubling is how many organizations continue to be vulnerable. We found, for instance, that 80 percent of companies are overlooking at least some fundamental security practices like patching, user account management, implementing multi-factor authentication, or disabling unused protocols. This leaves gaps that are being exploited by online adversaries.
Compounding those weaknesses for many companies is a general lack of visibility into one's own digital environment. We found that half of all organizations had insufficient endpoint or network visibility. This allowed threat actors to go about their business largely undetected, sometimes for long periods of time. On average, targeted threats remained undetected in networks for 380 days; and 70 percent of incidents were hampered by deficiencies in log access or quality.
Top Three Best Practices to Protect Your Organization
Ultimately, companies need more than just insight into the problem. They need tangible guidance on how to protect themselves in the future. Thankfully, our report flagged dozens of specific steps organizations can take. They're worth summarizing here as three overarching best practices:
- Remember the Fundamentals – Especially with cloud, AI, and other new technologies constantly hitting the market, organizations frequently focus on new innovations and architectures without remembering the basics of network protection. Never lose sight of preventive measures like enhanced logging, multi-factor authentication, endpoint security, and well-managed user account access and privileges. In addition, apply security patches as soon as they become available (many incursions happen after a vulnerability is known and a patch has been released, but before a company goes to the trouble of implementing the patch). These and other steps to harden your perimeter, reduce user privileges, and partition or segregate your network are the basics that nonetheless remain powerful tools against even the most sophisticated threats.
- Gain More Visibility into Your Environment – The more you can see of what's happening in your network environment, the better you can recognize threats and stop them from doing damage. Deploy endpoint agents to enable immediate, broad, and deep visibility into suspicious activity. This is especially crucial in light of how advanced threat actors are increasingly using public or freely available tools and services for breaches that are difficult to track and attribute. Better visibility fuels your security team's ability to detect such incursions and the risks they carry. More visibility also helps you understand all the avenues a threat actor is using for access, so you can evict an attacker for good rather than playing a costly “Whack-a-Mole” game of eviction and reentry.
- Conduct Training and Exercises to Plan in Advance – Cybersecurity and incident response involve a level of business risk that shouldn't be left to last-minute planning or “winging it” through a crisis. Unfortunately, Secureworks found that 71 percent of organizations surveyed say their companies' incident response capabilities are focused on reactive measures, and 42 percent either limit them narrowly to the security team or don't do security exercises at all. Smart organizations get proactive with frequent training and drills. You should run regular tabletop exercises to ensure that all the people involved in an incident – including senior leadership and representatives from across sometimes disparate business functions – understand their own roles and those of their colleagues.
Hopefully, our report's findings – rolled up from a year's worth of incident response investigations – will serve as your road map of risks, remedies, and best practices in the face of ever-growing cyber threats. We view these insights as lifelines to a stronger and more resilient cybersecurity posture – so organizations can worry less about cyber attacks and focus more on getting on with business!