Enter boardroom, set hair on fire. How not to tackle incident response

Event anomalies can be an indicator of attack, but quite commonly they turn out to be just an IT problem…

The Incident Response Report published today by F-Secure, summarising its own investigations, shines a light on both attack methodologies and corporate attack reporting. Email inboxes, via the double whammy of phishing and malicious attachments, are the most common source of breaches (34 percent combined). The single biggest individual attack source was the exploitation of Internet-facing service vulnerabilities (21 percent). Neither of these is an especially surprising statistic, to be honest.

That 13 percent of the reported incidents investigated by F-Secure turned out to be false alarms is, perhaps, more so.

The number of such false alarms certainly took Tom Van de Wiele, F-Secure’s principal security consultant, by surprise, and reveals an enterprise struggle with detecting what is and isn’t an attack. “Sometimes we’ll investigate and discover an IT problem rather than an attack,” Van de Wiele says, “which drains resources and distracts everyone from dealing with the real issue.”


4 thoughts on “Enter boardroom, set hair on fire. How not to tackle incident response”

  • March 27, 2018 at 8:03 AM

    The headline alone is worth its weight in bitcoin.
    • March 29, 2018 at 8:31 AM

      Sadly, I cannot accept the credit for coming up with that. It was all the work of the creative cybersec mind that is Ian Trump. I spoke to Ian about the story, and quoted him within it; the headline was pulled straight out of that conversation. I do, however, agree that it is a blinder!!!
  • March 29, 2018 at 8:38 AM

    Isn’t dealing with these false positives where AI enters the security response equation?
    • March 30, 2018 at 7:20 AM

      AI, or more correctly ML, certainly has a role to play in filtering such alerts. Indeed, it is already playing a part in that role, but it is only a matter of filtering so as to be able to send fewer false positives to the incident response team.
