White Paper

Why Is Incident Response a Critical Cybersecurity Consideration?

With breaches almost inevitable, organizations need resilience against cyberthreats.
By Nick Nelson

The cybersecurity landscape changes rapidly.

Modern organizations face unprecedented threats to their critical information assets and data. In previous years, the mindset of many cybersecurity professionals and business leaders was focused on avoiding attacks and building a strong perimeter to deflect them. However, more recently this approach has shifted, and these leaders now understand that attacks are inevitable. With this fundamental shift in thinking, cybersecurity professionals must build strong incident response programs that are capable of detecting threats in a timely manner and responding effectively when they occur.

Approaches to incident response may vary by organization, but at its core, incident response is a structured and coordinated approach to handling security breaches. This response occurs with the aim of moving as quickly and efficiently as possible from the initial detection of an incident to final resolution. Strong, well-coordinated incident response efforts achieve this with as little impact on business operations as possible, allowing the organization to balance business requirements with cybersecurity objectives.

Sidebar statistic: the percentage of organizations that say they lack the budget to obtain the tools and technologies needed to support incident response

Source: SANS Institute, “SANS 2019 Incident Response (IR) Survey: It’s Time for a Change,” July 2019

The World Has Changed

Dramatic changes in the cybersecurity threat landscape began to alter the philosophy of cybersecurity professionals in recent years. While they once had the goal of building impenetrable defenses to keep attackers at bay, the greater sophistication of adversaries and the increased complexity of operating environments have rendered this approach virtually impossible. Organizations are left with one overarching security problem: There is simply no way to guarantee that they will be able to keep cybercriminals from establishing a foothold within their organization’s technology environment. The threat is real, and the risk of compromise is no longer a matter of if, but when.

This new environment is the result of a combination of factors coming together at the same time. First, cybersecurity threat actors have become far more sophisticated. Nation-states and cybercriminals now leverage vast networks of attackers with advanced capabilities. These capabilities allow attackers to penetrate virtually any target, given enough time and patience. Second, these actors are targeting a broad range of interests. While advanced persistent threats once focused exclusively on high-value government targets, their reach now extends to businesses and nonprofits with information or resources that might advance the attacker’s interests. As a result, organizations of all sizes are paying significantly more attention to cybersecurity. A robust security program is no longer a “nice to have” item but a strategic imperative.

From Perimeter Defense to Defense in Depth

At the same time that the threat environment changed, the technology environments of every organization across all industries became more complex. In the old model of computing, employees traveled to work in a central office every day and used the computers sitting on their desks to access servers maintained in the data center located in the building’s basement. In today’s business environment, users are spread around the world and need to access information at all times of the day and night from both corporate and personal devices. That data is no longer contained in a single data center but spread across multiple data centers and cloud service providers.

Defending the network of yesterday was a fairly straightforward task. Network security professionals built a strong perimeter around an organization’s physical facilities and focused their efforts on keeping unauthorized people from accessing internal resources. Today, this perimeter approach has become ineffective. There are simply far too many endpoints distributed in far too many locations to make it practical to build this type of monolithic defense. When attackers have many potential targets, they can simply turn their attention to the weakest link in the chain to establish a foothold in an organization. Why attack a well-defended perimeter when they can simply launch a phishing attack against an administrative assistant instead?

The defense-in-depth approach to cybersecurity addresses this issue. Instead of relying on a few monolithic security controls, organizations build a set of overlapping controls designed to achieve the same objective. If one control fails, the others can pick up the slack. While it might not be possible to prevent all attacks from succeeding, the defense-in-depth approach makes the attacker’s job harder and provides defenders with more time to potentially detect and deflect an attack. Minimizing dwell time, the time that an attacker remains on a network undetected, becomes crucial because the longer the dwell time, the more damage an attacker can do. A 2020 report from FireEye determined that the median global dwell time fell from 78 days in 2018 to 56 days in 2019. Among the factors the report identified as contributing to this decline were “the vigilance of security staff and investments in advanced technology and managed detection and response (MDR) services.”

In the end, it all comes down to preparedness. Organizations that think about incident response in advance find themselves much better positioned to react when an incident occurs. They have asset tracking and other security controls in place that provide visibility into their operating environments. They understand their priorities and can quickly determine what data and systems are essential as they work to restore operations after a security incident.

The stark reality is that many organizations have not tested their incident detection and response capabilities. They don’t know what tools they have at their disposal or how to use them properly during an incident response effort. This slows down response activities in an environment where quick detection and response are critical to protecting data. Attackers who are skilled and organized can take advantage of unprepared targets and extend their dwell time, allowing them to steal money, intellectual property and sensitive information.

To learn more about how you can improve your incident response, read the CDW white paper “The Need for Effective Incident Response.”