
Tactics for Responding to Cyber Attacks - Squeezing Your Cyber Response-Curve: Part 2

In part one of this post we introduced the cyber response curve. In this post, we outline some observations that illustrate how different levels of maturity and different approaches can affect your cyber response curve:

Legacy response

Key Statistics:

  1. Time to detect: 18 months
  2. Level of understanding: Poor - since network architectures are not well understood and the business impact of attacks is not considered
  3. Time to informed decision: Weeks to months

The standard AV, IDS and legacy systems used by most organizations are not keeping pace with the evolving threat landscape. Many organizations only become aware of an advanced attack when they are notified by a government agency or another third party.

When investigating such an incident the technical specialists must split their time across the numerous tools, collecting small pieces of information from each, and manually piecing together the details of an attack.

Organizations operating in this manner often respond too quickly, before building a good enough understanding of the situation. This can cause the attacker to increase their level of activity, whilst inadvertently putting the investigating team back at the start of the response curve. As a result of their actions, the business exposure actually goes up, not down.

Effective and efficient investigation

Key Statistics:

  1. Time to detect: 24 hours
  2. Level of understanding: A solid technical understanding of what the attacker has done
  3. Time to informed decision: Minutes to hours

Equipping a technical team with solutions powered by the right technology dramatically compresses the cyber response curve, both in terms of the time to detect and the rate of understanding.

The full benefit to the technical team is realized by bringing together disparate data sources, linking and enriching entities with open and closed source information, pre-computing frequently asked questions and sharing collective knowledge.

Business aware decision-making

Key Statistics:

  1. Time to detect: 24 hours to near real-time
  2. Level of understanding: A complete understanding and management of the business impact
  3. Time to informed decision: Minutes to hours

Bridging the business world with that of the technical team in the security operations center, and giving them a common language, tools and understanding, allows teams not only to squeeze their cyber response curve but also to significantly raise their level of understanding by considering more than just the technical details of an attack.

We see this as an evolution of today’s security operations center rather than a transformation. Done correctly, these benefits can be delivered to existing operational teams rather than requiring the hiring of PhDs, and can unleash the value of existing tool investments rather than requiring the wholesale replacement of technology.

What you can do today to squeeze your cyber response curve

The more preparation you do to be able to squeeze the cyber response curve, the better able you are to deal with an attack. In summary:

  • Understand the threats to your business and identify the techniques you will need to detect them reliably and promptly
  • Collect, collate and store as much relevant data as is affordable in advance of an attack to enable you to reach the right level of understanding to respond effectively
  • Have people, processes, tools and partners ready to allow you to efficiently detect, investigate and respond to attacks
  • Understand the business context and business impact of a potential attack, and educate your executive board so that they can make informed decisions.

Are you ready to squeeze your cyber response curve?

By Colin McKinty, Americas Regional Director, Cyber at BAE Systems Detica
