Kaspersky improves response time for high-severity incidents
Kaspersky's recent MDR Analyst report has revealed a significant enhancement in the company's response times to high-severity incidents. The Security Operations Center (SOC) team now requires an average of 36.37 minutes to report high-severity incidents, marking a 17% improvement from previous years. These high-severity incidents typically involve human-driven attacks or malware threats that significantly impact customers' IT systems.
However, the report also noted a slight increase in the average response time for medium-severity incidents, which rose from 30 to nearly 33 minutes. Medium-severity incidents often involve malware without direct human involvement and represent the most frequent type of alerts that the SOC team faces.
Incidents of the lowest severity, which most often stem from potentially unwanted software, waited longest before the SOC team addressed them, averaging just over 48 minutes.
The report also highlighted the efficiency of the SOC team's response mechanisms: approximately 74% of incidents were resolved after a single alert. This high resolution rate suggests that the SOC's planned response scenarios and attack-termination protocols are working as intended. Around 24% of incidents required further attention involving 2 to 10 alerts, typically because manual intervention was needed for issues such as ongoing attacks or phishing campaigns. A small fraction, 2%, involved more than 10 alerts, usually because the threat was complex or the client had opted for monitoring only.
Sergey Soldatov, Head of Security Operations Center at Kaspersky, underscored the critical importance of swiftly addressing high-severity incidents to mitigate financial and reputational damage. He remarked, "The high-severity incidents with direct human involvement must be dealt with swiftly and decisively to contain the damage and prevent the company's financial and reputational losses. This is why we always aim to reduce the response time to such critical incidents. With the multi-layered protection offered by our MDR, we can continue to fight cyber criminals effectively in this continually shifting threat landscape."
In light of the report's findings, Kaspersky has made several recommendations for organisations aimed at bolstering their cybersecurity posture. These suggestions include regularly inventorying memberships in privileged groups, establishing formal procedures for privileges and access management, and implementing threat hunting practices alongside traditional alert-driven monitoring.
Additionally, Kaspersky advises companies to conduct various cyber exercises to test the effectiveness of their security mechanisms and to adopt a multi-layered security approach. This should encompass robust endpoint protection, network security, and threat intelligence. For organisations lacking dedicated cybersecurity personnel, Kaspersky recommends utilising managed security services like Kaspersky Managed Detection and Response, Kaspersky Compromise Assessment, and Kaspersky Incident Response to ensure comprehensive incident management from threat identification to continuous protection and remediation.
The continued improvements in response times and the high efficiency in addressing incidents highlight Kaspersky's capabilities in managing cybersecurity threats. As cyber threats continue to evolve, such enhancements remain crucial for protecting businesses and critical infrastructure worldwide.