7 Need-To-Know Attack Stats
Facts & figures about average dwell times, incident response speeds, and which direction the 'detection deficit' is heading.
June 21, 2016
In information security and incident response, time is of the essence. The longer it takes to discover and remediate breaches, the more time attackers have to slowly bleed an organization of valuable information, set up persistence on the network, and otherwise wreak havoc without worry of repercussion.
Numerous security research firms and consultancies have established benchmarks for the average amount of time it takes to discover that attackers are operating within an infrastructure. The numbers vary from bad to worse. Take a look as Dark Reading explores some of the estimates, along with a few facts and figures about how costly long dwell times can be for organizations.
Average Dwell Time
The experts at Mandiant, a FireEye company, have long been one of the most cited sources of estimates of how long attackers dwell inside a victim's computing environment. This year in its M-Trends report, Mandiant noted that dwell time fell in 2015 from over 200 days to 146 days.
Estimates last week from the most recent Ponemon Cost of Data Breach report, however, show longer dwell time among those surveyed. The study reported a dwell time of 201 days.
Dwell Time If You Find Attackers Yourself
How a breach is discovered has huge dwell time implications, according to Mandiant data. Breaches discovered internally tend to be sniffed out within 56 days. Those that are discovered by third parties -- partners, customers or law enforcement -- are usually long in the tooth, with an average of about 320 days.
Fortunately, organizations are beginning to do a better job at rooting out infections themselves. The ratio of internal discovery compared to external is going up, according to Mandiant.
Amount Saved By Finding Intrusion Faster
According to Ponemon, the longer it takes to find and resolve a breach, the more costly it will be for an organization. Breaches identified in fewer than 100 days cost companies an average of about $1 million less than those that take more than 100 days to be discovered.
Victims Whose Data Was Exfiltrated Within Days of Intrusion
While enterprises are slow to detect incidents and breaches, the bad guys are acting fast. According to the 2016 Verizon Data Breach Investigations Report (DBIR), the time from attack to compromise and attack to exfiltration is rarely longer than a few days.
Time To Contain Breach After Discovery
Of course, detecting a breach is only the first step in remediation. According to Ponemon, it takes on average another 70 days to contain the breach once it has been discovered.
The speediness of data exfiltration and the slow speed of attack discovery lead to what Verizon calls the detection deficit, one which continues to grow.