Every year Kaspersky prepares a report based on the analysis of MDR incidents identified by the Kaspersky SOC team. In this report, experts highlight incidents that require action from customers, dividing them into high-, medium- and low-severity types. High-severity incidents are human-driven attacks, or malware threats that have a significant impact on the customer’s IT systems. Medium-severity incidents show no evidence of direct human involvement in the attack, but may affect the customer’s infrastructure without severe consequences, while low-severity incidents do not affect the customer’s IT systems but require a number of precautionary measures to be taken.
According to the recent Kaspersky MDR Analyst report, in 2023 the Kaspersky SOC team needed an average of 36.37 minutes to report high-severity incidents – 17% faster than in previous years. Medium-severity incidents, which are often due to malware and are the most common, saw an increase in response time from 30 to almost 33 minutes, which is explained by the general increase in the number of such incidents.
Finally, the occurrences with the lowest severity, normally the consequences of potentially unwanted software, spent more time in the queue before being analyzed by the SOC team, resulting in a waiting time of just over 48 minutes.
As for the response efficiency, approximately 74% of incidents were resolved after just one alert[1], indicating clear response scenarios and the effective termination of attacks.
Around 24% of incidents required attention based on 2-10 alerts, indicating cases where automatic resolution was not sufficient and the involvement of a human specialist was required. Examples include ongoing attacks, such as exploitation attempts following a network compromise or phishing campaigns, which often require manual investigation after multiple alerts.
A small proportion (2%) of incidents involved more than 10 alerts. Reasons included complex threats requiring thorough investigation before action or situations where the customer opted for monitoring only, such as in cyber exercises.
“The high-severity incidents with direct human involvement must be dealt with swiftly and decisively to contain the damage and prevent a company’s financial and reputational losses. This is why we always aim to reduce the response time to such critical incidents. With the multi-layered protection offered by our MDR, we can continue to fight cyber criminals effectively in this continually shifting threat landscape,” said Sergey Soldatov, Head of Security Operations Center at Kaspersky.
In response to the findings of the MDR analysis, Kaspersky makes the following recommendations to organizations:
- Carry out a regular inventory of membership in privileged groups, and have a formal procedure for privilege and access management.
- Implement threat hunting practices in combination with classic alert-driven monitoring.
- Conduct a range of cyber exercises to test the efficiency of security mechanisms used in your company.
- Adopt a multi-layered security approach to guard against incidents. This includes robust endpoint protection, network security, and threat intelligence, combined with working with cybersecurity experts.
- If a company lacks dedicated cyber security staff, use managed security services such as Kaspersky Managed Detection and Response (MDR), Kaspersky Compromise Assessment and Kaspersky Incident Response to get additional expertise and cover the entire incident management cycle, from threat identification to continuous protection and remediation.
To learn more from the Kaspersky MDR Analyst report 2023, please follow the link.
[1] An alert is an event in the organization’s IT infrastructure that is marked as unusual or suspicious, and that may pose a threat to the security of the organization’s IT infrastructure.