Workforce Shortage Sparks Woeful Incident Response Postures

More than 40% of respondents in a recent study said their organizations are not prepared to measure incident response, and only 14.5% of respondents are measuring mean time to respond (MTTR).

The State of Incident Response 2017 study from Demisto also discovered that 30% of respondents reported they have no playbooks, runbooks or other documentation for incident response actions, despite the fact that attacks are escalating. When asked about the number of incidents occurring weekly, respondents reported dealing with an average of 346.42 incidents per week—and requiring an average of 2.28 days to resolve an incident.

The known security staff shortage issue that businesses face is one of the underlying causes for these numbers. More than 90% of respondents indicated that they are challenged finding experienced employees with the necessary skill sets. It takes an average of 9 months from the initiation of a hiring requisition until the new hire is fully trained, Demisto found—and since the need is frequently identified long before the hiring process begins, companies are without a resource for almost a year. On the retention side, more than one-third of incident response staff leaves within three years.

Overall, the study found that security departments don’t have the scale to meet the deluge of complexity they face: The biggest incident response challenges are working with a large number of information security tools (37.7%), followed by responding to a large number of incidents (36.1%) and not having enough time (34.4%). When asked how many people in the respondents’ organizations were dedicated solely to incident response, 17.6% responded that there were none and 22.3% stated that there were only one or two.

“One goal for this unique study was to gain better insights into how to address future threats by determining today’s major pain points for organizations,” said Rishi Bhargava, Demisto co-founder and vice president of marketing. “Incident response must continue to evolve to meet current and emerging threats. The key to effective incident response is having the right combination of people, technology and processes. However, this study revealed that many organizations are far from having this right combination.”

In light of the personnel gap, the study also asked about areas where automation can help. According to respondents, 40.4% feel there are significantly more alerts than their staff can handle, while 47.4% report it is hard to know which alerts to prioritize. Accordingly, more than half (54%) of respondents asserted that security operations and incident response are their two top priorities when it comes to automation.

About 47% said that automating threat hunting would provide immediate benefits (although only 12% had implemented this), and half believe that automating incident response would do the same (only 10.9% had already automated this facet).
