08:00 PM
Connect Directly

Report: Slow Detection, Slow Response

One-third of network security hacks are not discovered for hours, a report says.

More than one-third of data breaches aren't detected for hours, and recovering from a breach takes anywhere from days to months, a new survey says.

"The mean time to respond is the focus now," says Paul Nguyen, president of global security solutions for CSG Invotas, which sponsored the survey conducted by IDC. "We've seen a significant rise in the volume of incidents corporations have to deal with. This increasing tide has caused a gap between how much security operations can handle to be effective and how to bridge the gap and reduce response times."

The survey included security decision makers at firms with 500 or more employees. Some 61% say they are looking into ways to trim the time it takes to respond to a security event, and most say that trimming their response to a security breach or event helps protect the company's reputation and customer data.

One-fourth are in favor of automating some security processes, and they already use automation tools where possible, while 57% say they are "somewhat" comfortable automating some security processes, though with security teams involved, as well. Some 30% of security workflows are automated today, and two-thirds of companies say they will automate more elements in the next year.

The full survey is available for download here (registration required).

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
6/13/2014 | 3:50:47 PM
Re: Customer Relations
From a PR perspective, I hope that most companies are coming to the conclusion that they are better off getting out in front of the problem of a data breach, because it's going to come our eventually anyway. From a cybersecurity standpoint, I'm with @securityaffairs, when the effect of a data breach are discovered too late, the losses are often much greater. So a fast response is warranted on both counts.
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
6/13/2014 | 2:58:18 PM
Re: Customer Relations
That's a really good point, @Whoopty. The sooner customers get word, the better for their privacy and financial security AND the rep of the breached company. Not all companies see it that way, though.
User Rank: Ninja
6/13/2014 | 2:48:08 PM
Not surprised
The issue mentioned in the post is considered one of the greatest problems of the threat mitigation. Slow detection is the primary cause of losses ... in many cases the effects of a data breach or of a cyber attack are discovered too late, in other cases they will never be discovered.

It is necessary a layered approach to security to detect early the cyber threat.

Christian Bryant
Christian Bryant,
User Rank: Ninja
6/13/2014 | 1:19:46 PM
Re: Customer Relations

Amen to that, brother.  There's nothing more frustrating than working for a company that not only won't own up out of fear of losing credibility, or more important to them, customers, but to see the same thing happen again and again.  If they would only have come clean the first time, a solution might have come from other sources that actually works instead of trying to solve the problem on their own... 
Christian Bryant
Christian Bryant,
User Rank: Ninja
6/13/2014 | 1:03:12 PM
Human vs Machine
I suspect there is a wide variety of conditions that lend to delayed response times from org to org.  For instance, I believe in a DevOps style security team, where you have security-oriented developers, hackers with experience on the systems doing real-time auditing and partial forensics on suspicious behavior, even if it isn't popping up on an alarm generated by the automated security suite; I also believe pushing the boundaries of your own network and apps but pen-testing.

However, I suspect there is a combination of lack of resources to pull off a team like this, and finding folks with the right set of expertise to bring it all together.  I'd be curious to see just how much longer delays in responding to intrusions are for companies with nothing but automated security software protecting them compared to real humans actively reviewing logs, watching/sniffing network traffic and auditing user activity.  I'm guessing leaving everything up to a collection of apps has the longer intrusion response time...
User Rank: Moderator
6/13/2014 | 12:10:32 PM
Customer Relations
As much as I'd like to see security teams responding to issues in a more timely manner, whether it's automated or manual, I'm more interested in seeing better customer relations, with companies owning up when their security has been breached. 

Just as the company that's been hacked stands to lose data and resources from a hack, customers of that firm are also at risk, yet too often those that are breached either cover it up or wait a long time to let anyone know, meaning the problem is compounded.

Come clean about your security issues and everyone will feel far more accepting of them. 
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
6/13/2014 | 7:45:29 AM
Re: hours
I know, @Brian. The report didn't drill down into types of events, so finding malware was lumped into this question from what I understand. It's the more advanced attacks that are tougher to detect (the ones that AV does not sniff out), and these numbers were more inclusive of non-advanced events as well.

User Rank: Ninja
6/13/2014 | 12:32:15 AM
I am surprised to even see this talked about in hours. I have seen reports talking about weeks and months. The Verizon report for example talked about something like 60 percent of breaches going undetected for months after an attack.

Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.