Using Response Time Metrics to Drive Incident Response Preparedness & Response Improvement

By Craig Hoffman
May 31, 2018
in Industry Opinions
One of the most important metrics in our report is the incident response (IR) timeline, which tracks the average time it takes companies to detect, contain, fully investigate, and provide notification of the incident to individuals. The metric is valuable because it helps entities identify areas where they can improve before an incident occurs and gives them context to response time expectations during an incident.

IR Preparedness

When we talk to entities about incident response preparedness, we often start with the detection and containment metrics because they are two areas in which companies can improve their “compromise ready” posture before an incident occurs.

Detection. The average of 66 days from occurrence to detection covers all incident types from 2017, some of which companies usually detect immediately (e.g., ransomware and Office 365 account takeovers) and some of which they do not (e.g., network intrusions). The average detection time for network intrusions in 2017 was 84 days, with more than 90% of those incidents detected in less than six months. The 84-day detection time for network intrusions closely matches the “dwell time” metric from Mandiant’s “M-Trends 2018” report, which shows the median time from occurrence to discovery of the network intrusions Mandiant investigated in 2017 as 101 days. The all-incident-types detection time average we report has held steady over the past three years – 69 days in 2016 and 61 days in 2017. Mandiant’s dwell time data shows an improvement over the prior six years, down from a median of 416 days in 2011.


From “M-Trends 2018,” prepared by Mandiant, a FireEye Company

If an attacker broke into a network months before the entity becomes aware and begins to investigate, and logs critical to identifying what the attacker did were never generated or have “rolled over” because of log retention settings, the entity’s ability to establish with certainty what occurred and what data may be at risk is reduced. Not only does insufficient logging cause investigations to take longer to complete, it often leads to scenarios in which an entity knows an attacker broke into its network and had sufficient access to steal data, but a forensic firm cannot conclusively tell the entity what data was stolen, nor can it rule out the possibility that data was stolen. That scenario often leaves an entity facing a decision about whether it should assume that the worst-case scenario of data theft occurred even in the absence of actual evidence that it did.

The time delay from occurrence to detection highlights the importance of having (1) endpoint threat-detection tools (something beyond antivirus), (2) good network and host logging practices, and (3) a dedicated internal team or security vendor that monitors alerts from security tools and investigates to triage each alert. Network security teams respond to and stop many security events in minutes or hours, preventing the “event” from becoming an “incident.” However, sometimes the attacker’s access is not detected at the outset. Often, we then see attackers compromise legitimate credentials and use legitimate system tools (e.g., PowerShell) to move around the network for weeks or months in a way that is not identified as suspicious.
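The timeline metric described above, and the log-retention caveat, as an added example that is not part of the original article or the report it discusses. The incident records are constructed sample data, not figures from the report; the phase names and the retention threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median

@dataclass
class Incident:
    kind: str           # e.g. "network_intrusion", "ransomware"
    occurred: date      # attacker first gained access
    detected: date      # entity became aware
    contained: date     # containment plan implemented
    investigated: date  # investigation reached an acceptable point of certainty
    notified: date      # individuals / regulators notified

    def days(self, start: str, end: str) -> int:
        return (getattr(self, end) - getattr(self, start)).days

# Constructed sample incidents (illustrative only, not the report's data).
SAMPLE = [
    Incident("network_intrusion", date(2017, 1, 10), date(2017, 4, 20), date(2017, 4, 25), date(2017, 6, 30), date(2017, 7, 2)),
    Incident("network_intrusion", date(2017, 3, 1), date(2017, 5, 15), date(2017, 5, 19), date(2017, 6, 28), date(2017, 6, 30)),
    Incident("ransomware", date(2017, 8, 3), date(2017, 8, 3), date(2017, 8, 4), date(2017, 8, 20), date(2017, 8, 22)),
    Incident("o365_account_takeover", date(2017, 9, 12), date(2017, 9, 12), date(2017, 9, 13), date(2017, 10, 5), date(2017, 10, 6)),
]

# The four phases of the IR timeline: occurrence -> detection -> containment -> investigation -> notification.
PHASES = [("detect", "occurred", "detected"), ("contain", "detected", "contained"),
          ("investigate", "contained", "investigated"), ("notify", "investigated", "notified")]

def _select(incidents, kind):
    return [i for i in incidents if kind is None or i.kind == kind]

def timeline(incidents, kind=None):
    """Average and median days per phase, for all incidents or for one incident type."""
    subset = _select(incidents, kind)
    if not subset:
        return {}
    return {name: {"avg": mean(i.days(s, e) for i in subset),
                   "median": median(i.days(s, e) for i in subset)}
            for name, s, e in PHASES}

def detected_within(incidents, days, kind=None):
    """Fraction of incidents detected within `days` of occurrence (the report quotes >90% of intrusions under six months)."""
    subset = _select(incidents, kind)
    return sum(i.days("occurred", "detected") <= days for i in subset) / len(subset)

def evidence_at_risk(incidents, retention_days):
    """Incidents whose detection delay exceeds log retention: logs covering the initial
    compromise have rolled over, so the investigation may be unable to say what was taken."""
    return [i for i in incidents if i.days("occurred", "detected") > retention_days]
```

Running `timeline(SAMPLE, "network_intrusion")` against `timeline(SAMPLE)` shows why the article separates intrusion dwell time from the all-incident average, and `evidence_at_risk(SAMPLE, 90)` flags the incidents for which a 90-day retention window would already have lost the earliest evidence.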

Containment. After an entity becomes aware of an incident, there is a rush to stop it from continuing. Some incidents are easier to contain than others. Network intrusions, for instance, often take longer to contain than others. The containment time average in 2017 was three days for all incident types and five days for network intrusions. In network intrusion incidents, after indicators of a network compromise are identified, we work with the entity and the forensic firm to build a containment plan. Usually the forensic firm needs time to understand the entity’s network, how the attacker is accessing the network, and the tools the attacker is using before it can build out the components of an effective containment plan for the entity to implement. The compromised entity’s ability to support the forensic firm’s investigation by accurately describing its environment and what devices have sensitive data, and by providing visibility to endpoints and access to logs with sufficient detail, is a significant factor in the time it takes to contain an incident. The overall network security posture is also a factor – a flat network without security tools operating on public internet-facing devices running unpatched applications is hard to secure in a matter of days.

IR Response

Investigation. A lot of people, especially members of an incident response team who are not from the security group, expect to get all of the answers about an incident very quickly. The reality, especially for forensic investigations of network intrusions, is that the time to complete an investigation is measured in weeks, not hours or days. For 4% of network intrusions in 2017, the investigation took longer than three months to complete. For members of an incident response team responsible for deciding on the timing and content of communications, knowing that it will likely be weeks before there is certainty about what occurred can help the entity make effective timing choices and limit content to statements the entity knows to be accurate and not likely to change.

Notification. One of the most common questions we get from entities at the start of an investigation is how fast they should or need to notify individuals or regulatory authorities. The focus is twofold – regulatory compliance and reputation. For most entities, the decision is not about whether to notify and comply with applicable law. Rather, the discussion is often about whether the entity should provide notification “immediately” in the interest of “transparency.” There are plenty of examples of entities that released communications early in an investigation and later had to update and change their message, which caused some to view those entities as not handling the incident response well, or worse.

The short gap between completing the investigation and providing notification (an average of two days in 2017) shows the value of preparing to notify on a parallel track during the investigation. Preliminary findings often give the team responsible for communications enough to begin preparing for notification (e.g., drafting messaging, engaging notification vendors for larger notices, preparing the call center) while the investigation is still under way. Then, when the investigation reaches an acceptable point of certainty, the communication materials can be quickly finalized and released. Entities that wait to address notification until after getting the final findings may face delays that could have been avoided. For example, companies that provide notification mailing services often require the entity providing notice to supply the mailing vendor with all necessary deliverables five days before letters will be mailed.

Take Action

The Data Security and Incident Response Report identified four steps that entities can take to shorten the overall timeline: (1) enhance logging practices, both in length of retention and detail logged, (2) identify a primary forensic firm before an incident occurs, negotiate a master services agreement with that firm, and then bring that firm on-site to do onboarding, (3) use endpoint security tools (deployed pre-incident or by working with the forensic firm to deploy its endpoint agent) to get visibility faster, and (4) be mindful that the pressure to move quickly and provide transparency must be balanced with the need for an appropriate investigation that enables an effective containment plan and certainty about what occurred.
