With a constantly changing digital landscape, enterprises are finding it harder to keep threats at bay. There isn’t just one culprit here; evolving threat actors, limited IT staff, and long resolution times hinder enterprises every day.
These are just some of the shortfalls highlighted in IDC’s latest digital forensics and incident response (DFIR) report, produced in collaboration with Binalyze. The report polled companies in the Middle East across various industries to learn some of the challenges they face when dealing with DFIR.
The results are — as with most security reports — concerning. While most companies are adept at swiftly dealing with simple incidents, more complex attacks drastically lengthen the time it takes to detect, report, and solve such issues.
Lingering Issues Create Lingering Problems
On average, it took approximately 26 days for an incident to be properly investigated, and a further 17 days for an issue to be resolved. For context, these figures most likely reflect scenarios where an attack has spread to multiple machines, making it harder to contain. Longer resolution times quickly lead companies to take critical systems or business processes offline, which causes further damage.
Reducing investigation time isn’t as easy as you might think. Having better analytical and detection tools is a straightforward solution, but utilizing these complex tools requires specialist training and dedicated staff, a luxury that not all businesses can invest in. A more cost-effective solution might be to outsource these labor-intensive tasks, relying on external experts with specialized skills when required.
Echoing this, nearly 65% of IDC’s survey respondents expressed a need for external support when analyzing digital evidence — a proportion that will grow as demand for these specialists increases.
There’s also the difficulty of working across enterprises that combine on-premises, cloud, and hybrid environments, which makes it harder to collect and trace data efficiently.
Automation and AI Can Help
Automation might play a key role in reducing investigation times. Automated workflows and escalation processes can ensure tighter collaboration between DFIR analysts, especially outside regular working hours.
This automation also greatly reduces the number of investigative tools deployed and allows DFIR personnel to focus on more critical tasks instead. Perhaps artificial intelligence (AI) could be leveraged to recognize attack patterns before they spread, thus reducing damage by stopping an attack as quickly as possible. But even these aren’t overnight solutions since the most complete protection depends on finding the right balance between automation and human intervention.
Answering the Biggest Threats
Ransomware and malware continue to plague most organizations, and this trend isn’t going to slow down. With more complicated attacks beginning to surface, the time to investigate and recover from an attack is growing exponentially, demanding more business resources to bring things back on track.
While a majority of survey respondents agree that recruiting more experienced cybersecurity individuals would be greatly beneficial, the reality is that demand currently far outweighs supply. There aren’t enough skilled professionals in the market available for hire, so it is imperative that organizations spend significant time on talent acquisition, development, and staff retention.
Making the Situation Better
For DFIR to improve, several key points must be addressed. First, organizations must significantly reduce the time between incident resolution and investigation, with a key focus on efficient processes and using automation and AI to streamline common tasks.
Next, the soaring demand for DFIR means organizations need to invest a significant amount of capital in establishing the right procedures and teams from the start. Keeping these teams in place and running smoothly will require continued investment, as the efficiency of any cybersecurity team relies on recruitment and retention of skilled professionals and ongoing training. Whatever the cost, DFIR should be an important focus for any cybersecurity team that needs to address potential threats promptly.