Learn about common insider threat incident response challenges and how Incydr™ helps solve them
What is incident response?
Incident response is the structured methodology by which an organization addresses and manages a security incident, such as a breach. SANS Institute has defined a 5-phase framework for incident response which includes preparation, identification, containment, eradication and recovery. These incident response activities are typically carried out by an organization's CIRT (computer—or cyber—incident response team). The team may partner with other business functions such as public relations and legal.
Corporate response to insider threat incidents
Organizations must be equipped to quickly investigate and respond when insider threats occur. One way to prepare is by creating detailed response plans for incident scenarios. Insider threat scenarios should include high-impact data leak events such as:
- accidental leak of customer information
- an employee leaking strategic files to a competitor
- a contractor taking files at the end of their contract
- files publicly exposed from within Google Drive or another corporate system
- IP theft
- corporate espionage
- malicious destruction of files
Incident response plans should be created and practiced by a cross-functional team with stakeholders from HR, legal, security and public relations. The plans should consider the technical capabilities that enable fast detection of insider threat activity, as well as the most appropriate response for each scenario. Insider threats commonly require non-technical responses such as personal communication and disciplinary or legal action.
Common challenges with insider threat response
Delayed identification due to poor threat visibility
According to the Verizon Insider Threat Report, the majority of insider threat breaches take months if not years to discover. Code42 research shows these breaches often occur even when the organization has DLP in place. For this reason, security teams are prioritizing faster detection and better threat intelligence.
Difficulty establishing sufficient evidence
Organizations that do not have file-focused protection solutions in place struggle to put together an accurate account following an incident. This makes investigations incredibly time-consuming. Often, security teams must piece together logs from various endpoint and network security tools. Organizations that do not have sufficient evidence may need to spend time and money on outsourced computer forensics.
Poor response time
Due to poor detection and long investigation times, the mean time to respond (MTTR) to an insider threat incident is often months after the incident occurred. Poor response times result in even greater reputational and competitive damage. The best way to improve your MTTR is to shorten the time it takes to detect and investigate insider threats, and to prepare detailed response plans for incident scenarios.
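The two challenges above, piecing together evidence from separate endpoint and network logs and measuring how long detection and response take, can be made concrete with a small correlation script. The following is an added example written for this page, not Code42's or Incydr's code: it merges a constructed endpoint file-activity log (JSON lines) and a constructed web-proxy upload log (CSV) into one per-user timeline, links a local file copy to a later upload of the same content hash, and computes mean time to detect and mean time to respond from constructed incident records. The log formats, field names and incident records are all assumptions made for the example.

```python
"""Added example: assemble one evidence timeline from two tool logs and
measure detection/response delays. Illustrative code written for this
page, not Code42's or Incydr's; every log line and incident record below
is constructed."""
import csv
import io
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint file-activity log (one JSON object per line).
ENDPOINT_LOG = """\
{"ts":"2024-03-04T09:12:00Z","user":"jdoe","action":"copy","file":"q3-roadmap.xlsx","sha256":"aa11","dest":"~/Desktop/tmp"}
{"ts":"2024-03-04T09:40:10Z","user":"jdoe","action":"read","file":"q3-roadmap.xlsx","sha256":"aa11","dest":""}
{"ts":"2024-03-05T17:02:33Z","user":"asmith","action":"copy","file":"notes.txt","sha256":"bb22","dest":"USB:F:"}
"""

# Constructed web-proxy upload log (CSV: ts,user,host,bytes,sha256).
PROXY_LOG = """\
ts,user,host,bytes,sha256
2024-03-04T09:45:51Z,jdoe,drive.personal.example,2093456,aa11
2024-03-04T11:03:02Z,asmith,mail.example,4312,cc33
"""

# Constructed incident records: when the activity happened, when the
# team noticed it, and when the response was closed.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-04T09:45:51Z",
     "detected": "2024-05-20T09:45:51Z", "resolved": "2024-06-03T09:45:51Z"},
    {"id": "INC-2", "occurred": "2024-01-10T00:00:00Z",
     "detected": "2024-01-13T00:00:00Z", "resolved": "2024-01-20T00:00:00Z"},
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_endpoint(text):
    """Normalise endpoint JSON-lines records into the common event shape."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({"ts": parse_ts(rec["ts"]), "src": "endpoint",
                       "user": rec["user"], "sha256": rec["sha256"],
                       "what": f'{rec["action"]} {rec["file"]} -> {rec["dest"] or "local"}'})
    return events


def parse_proxy(text):
    """Normalise proxy CSV rows into the common event shape."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({"ts": parse_ts(row["ts"]), "src": "proxy",
                       "user": row["user"], "sha256": row["sha256"],
                       "what": f'upload {row["bytes"]} bytes to {row["host"]}'})
    return events


def build_timeline(endpoint_text, proxy_text):
    """Merge both logs into a per-user, time-ordered list of events."""
    events = parse_endpoint(endpoint_text) + parse_proxy(proxy_text)
    events.sort(key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    return dict(by_user)


def exfil_chains(timeline, window_hours=2.0):
    """Link an endpoint copy of a file to a later proxy upload of the same
    content hash by the same user within the window. Returns
    (user, sha256, copy_ts, upload_ts) tuples for the investigator."""
    window = timedelta(hours=window_hours)
    chains = []
    for user, events in timeline.items():
        for i, e in enumerate(events):
            if e["src"] != "endpoint" or not e["what"].startswith("copy"):
                continue
            for later in events[i + 1:]:
                if (later["src"] == "proxy" and later["sha256"] == e["sha256"]
                        and later["ts"] - e["ts"] <= window):
                    chains.append((user, e["sha256"], e["ts"], later["ts"]))
    return chains


def response_metrics(incidents):
    """Mean time to detect and mean time to respond, in days."""
    ttd = [(parse_ts(i["detected"]) - parse_ts(i["occurred"])).total_seconds() / 86400
           for i in incidents]
    ttr = [(parse_ts(i["resolved"]) - parse_ts(i["occurred"])).total_seconds() / 86400
           for i in incidents]
    return {"mttd_days": sum(ttd) / len(ttd), "mttr_days": sum(ttr) / len(ttr)}


if __name__ == "__main__":
    tl = build_timeline(ENDPOINT_LOG, PROXY_LOG)
    for user, events in tl.items():
        print(f"== {user}")
        for e in events:
            print(f"  {e['ts'].isoformat()}  [{e['src']}] {e['what']}")
    for user, digest, t0, t1 in exfil_chains(tl):
        print(f"possible exfil: {user} copied {digest} at {t0}, uploaded at {t1}")
    print(response_metrics(INCIDENTS))
```

Keying the join on the content hash rather than the file name is what makes the two tool logs corroborate each other: a renamed copy still matches, and an upload of a different file by the same user does not. The metrics function reports the gap between occurrence and detection separately from the gap to resolution, so a team can see which of the two the page's recommendations (faster detection, prepared playbooks) is actually shrinking.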
Incident response trends
- of enterprises do not have an insider threat response process.
- of data breaches take months or years to discover. (Verizon 2019 Insider Threat Report)
- of organizations breached by insider threat had a DLP solution in place at the time. (Code42 Data Exposure Report 2019)