With technology constantly evolving, companies continue to benefit from more ways of processing data. But with increased technological reliance also comes greater risk as hackers have become more sophisticated and have better tools.
According to an Information Security Media Group's (ISMG) study, which surveyed respondents including senior security IT leaders from organizations of all sizes from industries including banking, healthcare, and technology, only 20 percent believed their current incident response program to be "very effective," and the overall number of attacks continues to increase.
Protecting against cyber breaches is critical for major organizations, but companies struggle with aspects of detection including speed and accuracy—if they can detect the attacks at all.
The report examines information regarding shocking incidents of data breaches, indicating a need for reform in the current cyber protection model.
"To stay ahead of today's advanced threats, incident response teams need the tools and techniques that give them greater accuracy, speed and insight," said Tom Field, ISMG editorial vice president.
Click through the following slides for the survey's key findings and how organizations can achieve accuracy, speed and insight for improved protection.
Detection
The survey finds that the problem is not awareness of threats, but the current defenses, or lack thereof. Respondents are largely aware of potential, advanced attacks, but the current defense systems often fail to detect and respond to security incidents.
The responses revealed a low level of "detection efficacy," with 66 percent of respondents struggling to detect attacks in their environment, 62 percent struggling with their speed of detection and 44 percent struggling to accurately confirm the stage, scope and location of breaches.
Malicious code, such as viruses or worms, was the No. 1 security breach among the survey respondents. Such breaches can result in financial loss and reputational damage.
System downtime was cited as the most common impact of an incident, but damage to systems, loss or compromise of data and damage to the integrity or delivery of goods or services are also among the repercussions.
Viruses and Trojans are the predominant forms of malware being detected by organizations, at 44 percent and 34 percent, respectively. However, it is important to consider the types of threats that organizations haven't been able to detect.
Cyberthreats and Response
Cybercrime and advanced persistent threats (APTs) are the types of attacks most feared by survey respondents, but organizations are often unequipped to handle such incidents, even though advanced malware can pose considerable risk.
But it's not just intercepting information and trojanizing software that hackers are after. "Perhaps the most damaging is [hackers] often sell or trade the compromised assets to criminal groups so they can come back in to exfiltrate additional information from that network," said Bill Hau, vice president of FireEye Labs.
Unfortunately, incident response programs generally are not equipped to handle mass security breaches. 60 percent of respondents cited their organization's incident response program to be "reasonably effective," but as the report questions, "is 'reasonably effective' going to ward off attacks?"
Similarly, 60 percent stated that their organization's current anti-malware tools were "reasonably effective," but only 55 percent believe they can detect the exact location of malware in their environment. 14 percent cannot, and an astounding 31 percent "don't know."
Even more unsettling is the number who cannot determine the extent or stage of malware infiltration or propagation. 20 percent answered that they cannot, while 36 percent "don't know."
This speaks directly to a "distinct lack of real-time visibility into endpoints and servers and how they are being compromised." A response team cannot accurately determine the extent of damage if they are unable to achieve effective and timely visibility of infected systems.
And although organizations fear APTs, only half have invested in tools for early detection and response. Less than one-third have an actual APT incident response plan and nearly one-quarter have "no APT-specific measures," leading to the conclusion that response plans need to be further developed, as current defenses are ineffective at providing responses in a timely and accurate manner.
Struggles for Response Teams
Respondents named detection speed, monitoring and situational awareness, and accuracy as their top three security challenges. Their top three technical challenges affecting their ability to respond were the inability to detect APT or malware threats in time, the inability to determine the extent of malware or APT infiltration, and a lack of skills or tools to contain and eradicate a threat.
Responding to threats in real time is at the heart of the data security issues plaguing organizations. For many companies, timing is a major issue, as a slow response prevents containment. From the indicator of compromise to actual detection, it takes 47 percent a few hours to discover the threat, but a whopping 16 percent do not make the discovery until a few days after the initial incident.
The average time to resolve a threat after discovery is commonly one to eight hours, but a significant number of respondents cited up to 5 days, showing inconsistencies between companies' strategies and their level of effectiveness in handling threats.
Many of the respondents, 42 percent, expect their organization's incident response budget to increase and are willing to spend to protect themselves from security incidents. However, 51 percent do not believe that their budget will change, while 5 percent expect their budget to be reduced.
Survey results indicated two priorities for spending in the coming year—with training and awareness being the top priority for 31 percent of organizations surveyed closely followed by automated incident detection and containment tools for 25 percent.
The report indicates that spending on automated tools is a good starting point for organizations that are struggling with real-time detection and response, but training and awareness of handling data breaches could go one of two ways. On one side, organizations can do a better job of positioning their employees to be more vigilant about security practices, but other studies reveal that security awareness training is often a one-time event, resulting in little change.
Improving with Speed, Accuracy and Insight
To improve incident response plans, security leaders must embrace three key concepts: speed, accuracy and insight.
Taking the unknowns out of detection to respond quickly is key. The survey stresses the need for not just tools, but trained personnel. Reliance on real-time detection, response and containment should be a priority.
In terms of accuracy, knowing and responding to the true extent of a breach is necessary. Stronger analytics to know when malware has infected a system, together with awareness of the potential damage, are key to improving the precision and effectiveness of a response team.
Insight aids in prevention. When organizations have proper tools and a well-trained staff, monitoring systems and detecting attacks can assist in containment and improve response. Resolving incidents before they occur should be the ultimate goal of an organization, and if an attack cannot be prevented, response teams should be prepared to limit the potential damage.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.