Opinion

Putting out fires – how incident response is coming under pressure

A lack of in-house IR capacity is hurting businesses
By Brian Martin

Alert volumes are increasing exponentially, and while not every alert turns into an incident, this is putting those dealing with alert investigation and with incident response (IR) under pressure. An Integrity360 survey of 205 IT security decision makers, carried out in August, found that 90% of security teams witnessed an increase in alert activity, with 76% reporting an increase of between 1% and 50% in alerts, while just over a quarter reported a 26-50% increase.

Yet 31% of those responsible for handling IR, namely systems analysts, information security analysts and to some extent the Chief Information Officer (CIO) or Chief Technology Officer (CTO), report that insufficient budget is being allocated to IR, while a fifth said they lacked the necessary IR tools and 15% reported insufficient playbooks. Cost constraints weren’t the only challenge they faced. The complexity of cyber incidents was cited by 27%, suggesting attacks have become more challenging to detect and defend against, with threat actors becoming more adept at pivoting the attack and moving laterally across the network.

A worsening picture

The skills shortage in the sector is also beginning to bite, with 23% saying there was a lack of IR skills and experience within their teams. That’s supported by the government’s Cyber security skills in the UK labour market 2023 report, which found that 41% of organisations that do not source this function externally have an internal skills gap when it comes to IR and recovery. Moreover, it states that this particular skills gap is increasing over time, meaning it's going to get significantly harder to recruit in this area going forward.

A general lack of support for the process was evident, with 27% complaining of a lack of board-level understanding of the process, while 17% said they had missing or outdated IR plans and 18% had untested plans and processes. The latter is concerning when you consider that this effectively prevents the organisation from learning from the experience and tightening up its defences. Higher up the chain, it was clear that there was also a breakdown in communication, with 23% of CIOs complaining of a lack of ways to collaborate when resolving an issue.

Speed was considered of the essence, with 40% feeling they needed to respond quickly, almost double the number who thought diagnosis took priority, and 31% said they felt weighed down by responsibility when handling an incident. Among information security analysts, ineffective communication and the relentless need to focus on the incident until it was resolved featured next highest on the list, while CIOs said they experienced pushback on the recommended response from the team and were under pressure from above due to a demanding C-suite. Over a quarter of CIOs were also concerned about getting something wrong, presumably because they are held far more accountable should an issue escalate or be handled badly.

Time to reassess

It’s rapidly becoming clear that many now lack the necessary resources. To remedy this situation, IR needs to have a dedicated budget that is fenced off from the rest of the IT spend.

The results from the Integrity360 survey should act as a wake-up call to those for whom it would be more prudent to outsource the process rather than continue to perform the function in-house. The NCSC’s CIR (Cyber Incident Response) scheme can help here: it provides a list of assured service providers offering incident response services, which can also be taken as an outsourced offering from an Incident Response provider if desired.

Using an Incident Response provider ensures the business has resources allocated to IR, with a team on hand 24x7, 365 days a year, to deal with an incident, but it also provides other advantages. The business will have access to skilled individuals using multiple advanced investigation and forensics tools that are regularly updated, as the IR provider constantly invests in its offering to better support its customer base and remain competitive. Because this investment is spread across all of its clients, each benefits from economies of scale without incurring higher costs.

The IR provider will be aware of threats specific to the client's industry and how these are evolving, enabling them to jump on zero days, for example. Plus, they can scale the offering to meet the growing needs of the business, protecting the enterprise against resource shortages and freeing up in-house security personnel to focus on the maturity of the security posture as a whole. IR providers typically offer retainer services which take care of all the commercial and contractual aspects up front, proactively onboarding the client so they have a good understanding of the client environment should something occur. This ensures that in the event of a major incident, the distraction of administrative overheads and delays is removed, and expert resources are immediately available 24x7 under tight SLAs to rapidly respond to and contain the intrusion.