In this article, we’ll define a Response Gap, identify common issues organizations face when looking for their own gaps, propose basic approaches and link to a freshly-developed free tool that can be used to make this whole process easier.
We asked our experts, Tuomas Miettinen, Peter Page and Harri Ruusinen, how they would go about tackling the Response Gap, a challenge for many organizations and the subject of their Strengthening Your Organization's Detection and Response Capabilities presentation at our SPHERE23 event.
What’s a Response Gap?
Response is one of five commonly-recognized capabilities of effective cyber security organizations that are reflected in NIST’s Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.
Response is planned, proactive and intended to start the moment an incident is detected, with the aim of removing an attacker before it can achieve its objectives. A Response Gap is the point of failure in an organization that stops it from achieving this outcome. Examples include:
- Detection technology exists, but there are not enough competent people to monitor its output,
- A lack of response skills or experience – including the lack of a plan or the confidence to use it,
- Existing security controls are not configured to be ‘response-ready’,
- Response is delayed due to lack of budgetary clearance.
There is no shortage of tools to handle cyberattacks; some of them are even effective. Getting the right combination of tools, skills, plans and people to avoid data breaches and security incidents is a tall order, even for a well-resourced organization. There's no shame in uncovering a response gap, but there is in failing to take steps to rectify it.
Current state: Reacting to Alerts
Response is planned and proactive, and able to commence as soon as an incident is detected, all the way through to containment. It shouldn't be confused with Recovery, which is the activity that follows a successful attack, at which point the attacker has already achieved their objective and response is largely moot.
Most organizations start with a plan to collect data and react to alerts from their systems, and that's fine: it's a foundational step that everyone needs to take, and there is no shortage of good tools and processes to do it. Anyone who has spent time in cyber security knows that the problem is rarely a lack of alerts or access to data; it is having the people and process to triage those alerts and act on them.
Once the data and alert gathering (and interpretation) is up and running, however, the next step tackles culture and capability.
Moving on: proactive reactivity
This is also likely to be familiar: you can identify something is up, and you have a plan that covers how to react or respond.
'Reaction' is a word that might suggest an uncoordinated, kneejerk response, but in the case of a response to a cyber attack a reaction is often planned, measured and part of a response that is anything but panicked.
What we’re talking about is sharpening operational reflexes: improving your organization’s resilience, identifying and agreeing clear roles and responsibilities, building that reaction / response plan and testing it – and actually using it in the heat of the moment.
Look to agree and document roles and responsibilities within your team and across the individuals and teams in the wider organization. Follow that with the creation of a reaction/response plan (or the revision of an existing one), testing of that plan, and regular iteration on it to keep it up to date with changes in the threat landscape your organization faces.
This approach makes for lightning-fast reflexes in the face of an attack: the ability to understand the threat, prepare a response and deliver it in a measured fashion. It’s about responding appropriately, in contrast to an unplanned rush to action that could well create more problems than it solves, something we documented recently with our Incident Response team.
Become proactive in Detection & Response
Regardless of whether it’s done in-house or sourced from outside, looking for threats before they become a problem reduces your exposure to risk. When we talk about Rethinking Response and the Response Gap, strong threat hunting capabilities are at the center.
Threat Hunting is often most effective when it’s conducted in peacetime in a calm environment and methodical manner, free from the pressures of an incident or crisis situation.
Let’s now talk through why all this is helpful, and what you can do to find your response gap: the point or points where you can make small adjustments that improve your response when under attack.
OK – but what about the Response Gap?
Detecting and responding to attacks is complex, calling on multiple tools and plenty of varied skills to be effective. This, plus the sheer variety of organizations, teams and threats, means that each organization's strengths and weaknesses differ, so every gap assessment is unique.
Starting with a solid assessment of the basics, and then ensuring they are done right, sets a baseline. It provides a sense check of where you are, and how robust your current set-up is.
In our experience, organizations have tended to overinvest in technology, and underinvest in the skills needed to use it properly. Particularly in an environment where skills are in high demand and it can be difficult to retain staff, investing in their training can be a valuable retention tool and also justify salary increases.
What does good look like?
- Use frameworks to assess the readiness of your team, and your wider organization, to prevent cyber attacks from being successful. That could be anything from threat hunting and incident response capability development for the best-resourced organizations, through to awareness training for everyone in the company, which should be achievable for most.
- Readiness and training: encompassing incident readiness, developing organizational resilience and regular practical exercises including crisis management and Purple Team exercises.
- Build the means to gather and process threat intelligence. That might start as simple as an OSINT list for keeping tabs on what researchers are saying about threat actors in your sector or industry.
- We've mentioned Threat Hunting before, and it's worth the investment, either through an in-house team or via EDR, MDR and WithSecure's peacetime value methodology.
Invest in tooling that empowers your current team and gets the best out of the resources you have. Then consider augmenting or extending your team with specialist skills and related tooling to perform functions that you’re missing.
Creating a resilient organization also forms the basis from which to grow as a business. The way in which this is achieved varies depending on your organization’s capabilities and resources.
Most will benefit from working with a partner of some sort who can help create the right mix of technology, people and processes. Examples might include working with a partner who can provide Endpoint Detection and Response like WithSecure Elements EDR, but also the monitoring capability to triage alerts when you cannot. Alternatively, it could take the form of a Managed Detection and Response service such as WithSecure Countercept, which comes with the people and capabilities to proactively threat hunt across your estate.
Understanding what you're missing at the outset and taking early steps to develop those capabilities will make your response to future incidents go a lot better. It's not hard, but setting aside the time for the prep work now can be difficult to prioritize. Use our interactive tool to figure out, quickly, where your team and your organization stand.
Find out more in episode 79 of the Cyber Security Sauna podcast