
© PAC 2015

Incident Response Management How European Enterprises are Planning to Prepare for a Cyber Security Breach

EXECUTIVE SUMMARY

Gold Sponsor of the study:


About Telefonica

Telefonica is one of the largest telecommunications companies in the world in terms of market capitalisation and number of customers. From its consolidated position in the sector, and with fixed telephony and mobile broadband as key areas that support future growth, the company focuses its strategy on securing its leadership in the digital world. Present in 21 countries and with a customer base of more than 341 million customers, Telefonica has a strong presence in Europe and Latin America, important industrial alliances and a leading global scale which positions the company to capture growth opportunities. Telefonica is a fully publicly traded company with more than 1.5 million direct stakeholders and its ordinary shares are traded in various stock markets, including London and New York among others.

Telefonica is committed to delivering more secure and market leading innovation across its security value proposition through its division Telefonica Business Solutions, a leading provider within the Telefonica Group of a wide range of integrated communication and digital solutions for the B2B market. The security value proposition in Telefonica Business Solutions is underpinned by its Security product division including ElevenPaths, Telefonica’s fully-owned subsidiary, which brings radical and disruptive innovation in security services and Alliances which include world leading security partners and organizations.

At ElevenPaths, the vision is to develop innovative security products that redefine how Telefonica addresses emerging threats, as well as guaranteeing security and privacy for all without interfering with their day-to-day lives. Telefonica’s customers depend on technology, communications and the Internet which makes them vulnerable to exposure to security threats. The breakneck pace of change has to be matched by the speed of innovation, creating agile structures that enable us to stay ahead of attackers.


The Security division within Business Solutions is designed to enable Telefonica to exceed customer expectations while adapting to their specific characteristics and needs through a ground-breaking value proposition. Telefonica’s extensive experience in security and communication networks, expert workforce and the development of intelligence-driven managed security services of cutting-edge technology, as well as the capillarity of focused local security units across the world, make Telefonica a market leading partner.

In cyber security, Telefonica is dedicated to protecting the property and businesses of its customers (Government, Enterprises, Multinationals and Small and Medium Business) through unobtrusive services, providing a portfolio of solutions that help prevent attacks, detect any breaches or incidents, and ensure we support our customers in addressing the ongoing challenge of security.

For more information: https://www.elevenpaths.com http://www.telefonica.com

Follow us on:

•  Blog: Blog.elevenpaths.com (http://blog.elevenpaths.com)

•  Twitter: @ElevenPaths (https://twitter.com/ElevenPaths)

•  LinkedIn/elevenpaths (https://www.linkedin.com/company/eleven-paths?trk=top_nav_home)

•  YouTube/elevenpaths (https://www.youtube.com/channel/UCX_PjrbhDhw_IsaNmiZkfGQ)


Key Findings


Most organisations suffered a breach last year

•  67% of organizations reported a cyber breach in the last 12 months

•  100% of firms surveyed reported a cyber breach at some point in the past

•  A breach is - to all intents and purposes - inevitable.

Security spend is shifting towards Incident Response

•  Traditionally, cyber security focuses on Prevent & Protect approaches

•  Firms are migrating spend to Detect a breach quickly…

•  … and Respond to minimise the impact of that breach.

Are firms really ready for cyber breaches?

•  86% of firms claim a high state of readiness for cyber breaches

•  Yet 39% do not have a cyber readiness plan

•  And only 30% of firms that have a plan test it monthly.

Most organisations outsource Incident Response

•  CISOs generally prefer to keep operations in house

•  But with incident response, outsourcing is more common

•  Accessing required expertise, on demand, is the driver.

Technology support for Incident Response is emerging

•  Two-thirds of organisations do use some technology for Incident Response

•  But most use in-house solutions or a patchy variety of existing technologies

•  IR Management solutions are emerging and will gain rapid adoption.


Introduction


Suffering a major breach is a near-certainty. Research from a variety of sources shows that the average firm will suffer one major breach each year. The consequences of a major breach include loss of IP, availability, customer service, revenue and reputation. And the fines for data protection non-compliance are set to soar under the upcoming GDPR and NISD regulations, with mandatory breach reporting due to be introduced from 2017.

Responding to an incident quickly and effectively is a complex process, involving technical, communications & management staff.

And the world is watching as you respond.

Our hypothesis for this study was that enterprises are struggling to cope with Incident Response. We wanted to investigate the extent to which firms are experiencing cyber breaches, and if so how organisations are prepared for this eventuality. Are cyber breaches inevitable?

We were also interested in how firms cope with the skills shortage, and if they use technology and/or outsourced services to deliver Incident Response. Do firms seek to offset cyber breach risk, through a combination of IR planning and Cyber Risk insurance?

We surveyed 200 decision makers in large companies in the UK, France and Germany, to understand their motivations and drivers with regard to Incident Response.

This study deals with the following questions:

●  To what extent are firms being breached, and what is their broad approach to responding to such incidents?

●  Do companies understand the importance of IR? Do they have a defined and tested IR plan?

●  Are they adjusting their cyber security spend, or allocating new budget, in order to fund an IR programme?

●  Do they test their IR regularly and update processes accordingly? Do they follow best practices?

●  Do they use an IR management tool? Do they outsource IR capability? Are they aware of the impending NIS and GDPR regulatory changes?

●  Is their technical IR plan integrated with business and communications contingency planning?


About the Study


200 survey respondents in Western Europe

Survey conducted between Apr-May 2015

All respondents had over 1,000 employees

Respondent roles:

•  65% CIO/VP IT respondents

•  35% CISO respondents

Countries: UK, FR, DE (shares shown: 33%, 35%, 33%)

Sectors:

•  Public Sector 24%

•  Financial Services 17%

•  Education 15%

•  Manufacturing 14%

•  Services 12%

•  Retail 9%

•  Healthcare 4%

•  Others 8%


Anatomy of a Cyber Breach Incident


67% of firms have had a cyber breach in the last year, and 100% report a breach at some time in the past

€75k: Average cost of most severe breach in last year

Firms require between one and six man months to recover from a breach

69% of breaches are discovered between one and six months after attack

[Chart: Breach severity. Categories: V.High, High, Med, Low. Percentages shown: 23%, 9%, 35%, 34%.]

[Chart: response options "We were alerted by the media", "We found it ourselves", "We were alerted by a third party", "We used a 3rd party monitoring service". Percentages shown: 37%, 1%, 21%, 43%.]


Q. What is the split today of spend between planning, preparing and prevention versus detection, response and recovery? And how do you see this changing over the next two years?

Most organisations have built their cyber security approach around protecting the perimeter and preventing attacks. However, as we have seen, cyber breaches still occur. This means that organisations have used up most of the budget that has, ultimately, failed to do what it was spent to do. Most organisations take between one and six months to discover an attack, meaning that the perpetrator has been inside the organisation long enough to cause damage or to extract information.

The shift in spend towards a Detect & Respond approach is therefore a reaction to the inevitability of a cyber breach. We see this as a re-balancing of cyber security spend to a more appropriate split of operational attention. While the focus on Prevent & Protect needs to be maintained, looking for breaches and quickly remediating them has increased in priority.

A fundamental shift in security spending

[Chart: split of security spend, average and median, today and in 2 years]

•  Prevent & Protect: 77% and 75% today; 61% and 60% in 2 years

•  Detect & Respond: 23% and 25% today; 39% and 40% in 2 years


How prepared are you for a cyber breach?

•  86% of firms claim they are very or somewhat ready for a cyber breach

•  39% of firms don’t have a cyber readiness plan

•  30% of those firms with a plan test it monthly or more frequently

It's a case of good news followed by bad news, when it comes to preparedness for a cyber breach. An extremely healthy 86% of organisations say that they are very or somewhat ready for a cyber breach. However, readiness clearly means different things to different firms: 39% do not have a cyber readiness plan. How an organisation can claim readiness without having a plan to describe what readiness means or how to test it is a clear indication of the variability of maturity across organisations when it comes to incident response.

Frequency of testing a plan is also highly variable. Only 30% of firms that have a plan test it monthly or more frequently. Most (65%) test their plan quarterly, which is common but increasingly insufficient given the rate of change in the threat landscape. 5% of firms test their incident response preparedness annually.

Overall, we are concerned at the state of readiness of firms for a cyber breach. While most companies believe that they are ready for a breach this confidence does not match the reality of the situation. Firms are at best unaware of best practice when it comes to incident response, and at worst are in denial of the precariousness of their situation.


Q. How do you resource incident response?

Most organisations eschew outsourcing for cyber security. They fear loss of visibility and control of their security operations. So, typically, they use outsourcing in a cautious, risk-based and selective manner. They also outsource security as a short-term fix until they are able to back-fill resources with in-house expertise.

With incident response, however, the opposite appears to be true. In our survey, 69% of firms use a combination of internal and external staff, with a further 14% using external resources exclusively.

[Chart: Internal or external resourcing?]

•  14% Use external staff only

•  18% Use internal staff only

•  69% Use a combination of internal & external staff

The nature of incident response dictates that resource utilisation is unpredictable. Although all of the companies surveyed reported a cyber breach (67% in the last 12 months), the timing of a breach is indeterminable. This means that if internal staff are to be used then they are drawn from other security activities as and when the need arises. But this may impact on-going operations. So it makes sense to plan to use external resources, either retained on standby or on a more ad hoc basis.


Technology for Incident response


Q. Are you using any technology to assist in incident response?

We asked the respondents whether they are using any technology to assist in incident response. We were surprised to find that 61% of firms do use technology in their incident response.

However, when asked to describe this technology we get a very patchy view. The most common type of technology used is built in-house, as opposed to a commercial off-the-shelf solution. Firms corral a wide variety of technologies to support incident response, such as SIEM, threat monitoring and network security. Clearly, these technologies are not designed for managing an organisation's incident response program.

There is some evidence to suggest that organisations are aware that more specialised solutions for incident response are available, although this is clearly still an emerging market. Awareness of such solutions appears to be low, but as spend shifts towards Detect & Respond activities we expect this to increase rapidly.

[Chart: 61% of firms use technology to assist in incident response. Of which… Built in-house (percentages shown: 11%, 22%) … and the rest is a wide variety of existing capability delivering patchy IR coverage]


Disclaimer, usage rights, independence and data protection


This study was compiled in multi-client mode under the sponsorship of FireEye, HP, Telefonica and Resilient Systems. For further information, please visit www.pac-online.com.

Disclaimer

The contents of this study were compiled with the greatest possible care. However, no liability for their accuracy can be assumed. Analyses and evaluations reflect the state of our knowledge in May 2015 and may change at any time. This applies in particular, but not exclusively, to statements made about the future. Names and designations that appear in this study may be registered trademarks.

Usage rights

This study is protected by copyright. Any reproduction or dissemination to third parties, including in part, requires the prior explicit authorization of the sponsors. The publication or dissemination of tables, graphics etc. in other publications also requires prior authorization.

Independence and data protection

This study was produced solely by Pierre Audoin Consultants (PAC). The sponsors had no influence over the analysis of the data and the production of the study. The participants in the study were assured that the information they provided would be treated confidentially. No statement enables conclusions to be drawn about individual companies, and no individual survey data was passed to the sponsors or other third parties. All participants in the study were selected at random. There is no connection between the production of the study and any commercial relationship between the respondents and the sponsors of this study.


Contact

Founded in 1976, Pierre Audoin Consultants (PAC) is part of the CXP Group, the leading independent European research and consulting firm for the software, IT services and digital transformation industry. The CXP Group offers its customers comprehensive support services for the evaluation, selection and optimization of their software solutions and for the evaluation and selection of IT services providers, and accompanies them in optimizing their sourcing and investment strategies. As such, the CXP Group supports ICT decision makers in their digital transformation journey. Further, the CXP Group assists software and IT services providers in optimizing their strategies and go-to-market approaches with quantitative and qualitative analyses as well as consulting services. Public organizations and institutions equally base the development of their IT policies on our reports. Capitalizing on 40 years of experience, based in 8 countries (with 17 offices worldwide) and with 140 employees, the CXP Group provides its expertise every year to more than 1,500 ICT decision makers and the operational divisions of large enterprises as well as mid-market companies and their providers. The CXP Group consists of three branches: Le CXP, BARC (Business Application Research Center) and Pierre Audoin Consultants (PAC). For more information please visit: www.pac-online.com PAC’s latest news: www.pac-online.com/blog Follow us on Twitter: @PAC_Consultants


Duncan Brown Research Director +44 (0) 20 7553 3966 [email protected]

Dominic Trott Senior Consultant +44 (0) 20 7553 3966 [email protected]
