
The Top 10 Gaps in Breach Readiness


Timothy R. Rand, Senior Manager, RSA Advanced Cyber Defense Practice – Americas

The main goal of RSA’s Advanced Cyber Defense (ACD) practice is to help customers strengthen their overall cyber security posture so they are able to better defend against advanced threats. In order to accomplish this goal, the ACD team provides a number of services, including an initial engagement referred to as a Breach Readiness Assessment (BRASS).

After conducting a number of BRASS engagements over the past year or so with customers in a variety of industry sectors – including aerospace, financial, telecommunications device manufacturers, and health care technology – we’ve compiled a list of the Top 10 gaps that we’ve observed during these engagements. The following list is roughly ordered by frequency of occurrence (gaps at the top were seen at more customers than those further down the list), but all were observed at numerous customers:

  1. No incident response tracking or workflow mechanism (e.g., ticketing system).
  2. No clearly defined roles and responsibilities around incident response and other breach-related activities.
  3. Ad hoc or unclearly documented incident response procedures. Where such procedures do exist, they often do not match what is done in actual practice.
  4. Inadequate or missing centralized security monitoring and alerting. In many cases, there are no real-time alerting capabilities (e.g., alerts are not delivered to analysts for 24 hours or more).
  5. No forensic analysis capabilities. As a result, incident remediation is often incomplete.
  6. Insufficient number of security staff.
  7. Insufficient or non-existent user awareness training regarding advanced threats.
  8. Inadequate patch management process. Many companies do well deploying the monthly Microsoft patches, but struggle to deploy out-of-band and non-Microsoft patches.
  9. No post mortem analysis (i.e., lessons learned) following incident resolution.
  10. No cyber threat intelligence capabilities. Implementing a strong threat intel program is critical in order to start getting ahead of advanced threats.

Just about any security organization can (and should) benchmark its company’s breach readiness against this list. The obvious and most prudent question to ask is whether any of these gaps exist in your organization’s breach readiness and response plans. How can your organization go about closing these gaps, and what are the potential risks to your business if they aren’t fixed?

RSA ACD practitioners work with our customers to provide viable recommendations for resolving each identified gap, including alternatives where applicable. The ACD team also helps implement selected recommendations via other offerings in our service portfolio, including Cyber Threat Intelligence, Breach Management and the development of a NextGen Security Operations Center (SOC). The methodology behind these offerings will be discussed in future posts.

Tim Rand leads the delivery of professional services for RSA’s Advanced Cyber Defense Practice in the Americas, including breach readiness/management, incident discovery, cyber threat intelligence, and Advanced Security Operation Center (ASOC) design and implementation.
