cyber security incident response times

The Need for SPEED: How to Improve Your Cyber Security Incident Response Times

Today’s blog is written by our guest author, Bob Carver. He is a CISM, CISSP, and M.S. who specializes in topics about information security, privacy, and cloud security. 

If you look at a range of recent security industry reports, you’ll see varying times quoted for how long it takes criminals and bad actors to exploit your network and exfiltrate data, and how long it takes to discover and remediate a breach. On average, though, the numbers look something like this:

  • Time from compromise to “basic” data exfiltration: minutes, potentially hours
  • Time from compromise to “critical data” exfiltration: days, potentially weeks
  • Time from vulnerability discovery to public exploit of code: days, potentially weeks
  • Time to discover or identify a breach: months, potentially years

Of course, there are a lot of factors that impact these times, including the maturity of the organization, employee education programs (or lack thereof), headcount, and the people, processes, and technology you have in place.

It can also depend on how quickly response teams work together when an incident occurs. As pointed out in the 2017 annual “Cost of a Data Breach Study,” rapid response drives down the cost of a data breach. According to this report, “Failure to quickly identify the data breach increases costs. If the MTTI (Mean Time to Identify) breach was less than 100 days, the total cost was $2.8 million. If it was over 100 days, the estimated cost was $3.83 million.”

It’s clear that when it comes to security, time is of the essence. To help you prioritize, here’s a handy acronym you can share with your teams when it comes to your cyber security initiatives:

S – Situational Awareness

P – Patching (Cyber Hygiene)

E – Evolve Continuously

E – Event Monitoring

D – Detection

Situational Awareness

What is situational awareness?  One source defines it as “[…] the perception of an enterprise’s security posture and its threat environment; the comprehension/meaning of both taken together (risk); and the projection of their status into the near future.”

Some of the questions you need to answer to determine your situational awareness include:

  • Do you know where and what your vulnerabilities are in your people and processes? Do you have a plan to mitigate them? Does that plan include timelines or training?
  • Have you conducted penetration testing to detect weak points in your network? Do you have a plan to address any issues found?
  • If compromised, do you have a plan in place to address it quickly? When was the last time that plan was reviewed or tested?
  • Are your cyber security teams and your business continuity or disaster recovery teams tied at the hip?

Patching (Cyber Hygiene)

While zero-day vulnerabilities often make headlines, malicious hackers more commonly exploit vulnerabilities that have already been revealed. For example, many businesses (including a Honda manufacturing plant and some hospitals) had their operations interrupted by the WannaCry ransomware exploit, because they didn’t patch known vulnerabilities quickly enough. Running patch updates monthly won’t cut it. Desktops should be updated as soon as patches are released as your first line of defense. Server patches may take a bit longer, as they may require time for testing to verify that functionality isn’t affected. In the case of operating systems that are no longer supported, like older versions of Windows, users must be migrated to newer ones that are, or a plan developed to migrate them if an immediate move isn’t practical.

Evolve Continuously

Your people, processes, and technology must constantly evolve. You don’t want to be one of those organizations that gets notified of a compromise by law enforcement before your security teams are aware of the situation.

Here are some important questions to consider in measuring your security maturity:

  • Are your people studying, getting education, and keeping up with current events and technology advancements?
  • Are your processes still valid? Do they need to be updated or modified?
  • When is the last time your systems were updated or upgraded?
  • Do you know if your current antivirus software can detect or mitigate exploits that run in memory? Is it time for an RFP for a new endpoint security product?

Event Monitoring

Continuous monitoring of events is a key factor of being able to discover a breach and react quickly.

Key questions you should consider include:

  • Can you easily detect malicious traffic?
  • Can you quickly identify endpoint changes?
  • Are you able to recognize if these changes are malicious or benign?
  • If the changes are malicious, is Endpoint Data Remediation (EDR) available or do you need to reimage the device?
  • Are you monitoring external traffic from your network to and from the Internet (C2 traffic) for malware and potential indicators of compromise?
  • Are you monitoring internal traffic? What potential malicious communication has taken place from one endpoint to another?
  • Are you monitoring your cloud applications, as well as devices and endpoints outside the company network?


As we saw earlier in the Ponemon study, the faster that a data breach is detected, the more you can reduce costs and business impact. If you factor in the hours spared by your security team, as well as legal, public relations, operations, and other parts of the organization, the savings add up quickly. That time can be better spent growing your business and improving operations. By detecting breaches earlier, you can also better protect your brand reputation and maintain customer loyalty.


With an estimated 1.38 billion records of data reported stolen in 2016 approximately 43 records per second – putting the need for speed model into place can lead to a more mature security program that helps you save time and money over the long run.

Bob Carver made Klout’s Top 10 list of most recommended influencers to follow in #CyberSecurity and #infosec. Check out his cyber security blogYou can also follow him on Twitter @cybersecboardrm. 

Copyright © 2017 Bob Carver CISM, CISSP, M.S.