Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/10/2019
09:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Hackers Still Outpace Breach Detection, Containment Efforts

Research shows time to discovery and containment of breaches slowly shrinking, but attackers don't need a very big window to do a lot of damage.

It's breach report season and one of the prevailing trends uncovered by security researchers is that organizations are ever-so-slowly improving the window between when a compromise occurs and when it gets detected. In spite of this slight gain, the fact solidly remains that the typical breach timeline still completely favors attackers. 

Two different reports this spring showed that organizations are shortening the time to discovery of data breaches. Most recently, the Trustwave 2019 Global Security Report released late last month found that the time between an intrusion and detection of that incident shrank almost in half. That study showed that the median time between intrusion and detection fell from 26 days in 2017 to 14 days in 2018.  

This corroborates the downward trend in this statistic identified in March by the FireEye 2019 Mandiant M-Trends Report, though that study showed a more modest reduction and a much higher time between these important breach milestones. Mandiant found that the time between intrusion and detection went down from 101 days in 2017 to 78 days in 2018. That's marked improvement from 2011, when Mandiant put that number at 426 days.

Mandiant uses a common parlance of "dwell time" for this statistic, though other experts have their own colorful terms. But they all agree that reduction should be a big priority for cybersecurity teams.  

"We refer to the time between compromise and discovery as the 'detection deficit,' and a prime goal should be to have the delta between the two be as small as possible," explained Bob Rudis, chief data scientist for Rapid7, in a blog post this week. "Note that it's not the only goal—nor should it be the entire focus of your response plans—but it should be 'up there' on any top 'x' list you have."

One of many industry contributors to the 2019 Verizon Data Breach Investigations Report (DBIR) released yesterday, Rudis pointed out that this year's report shows that this detection deficit is often not even accurately measured at many organizations, which means they're "already ceding the game's outcome" to adversaries.

More tellingly, though, this latest DBIR shows that even with reductions like those outlined in the Trustwave and Mandiant reports, the bad guys are in another league when it comes to speed.  

"The time from the attacker's first action in an event chain to the initial compromise of an asset is typically measured in minutes," the 2019 DBIR report said. "Conversely, the time to discovery is more likely to be months."

Asymmetric Battleground

different report out last month from Ponemon Institute and IBM on cyber resilience indicates that security automation is the most likely way that the security world can effectively win this asymmetric battle over dwell time.

That study showed that many gains that are being made in shortening the window between intrusion and detection are due to automation: automation improved detection and containment times by 25%. However, most organizations studied admitted they only use automation moderately, insignificantly, or not at all. Just 23% of respondents are significant users of automated tools that can reduce incident detection and response times, the study found.

Meantime, after organizations have detected and contained an event, they're also grappling with disclosure times. This is a big issue for regulators and lawmakers these days, what with rollout of GDPR this year and rumblings of potential new laws in the US to mandate shorter disclosure times.

report released this week by Risk Based Security showed that while the time window between discovery and reporting has fallen quite a bit since 2014, that number may be on the uptick. Last year the time interval increased ever so slightly—by exactly one day—up to an average of 49.6 days. That was after a fall of more than 12 days the previous year.

The report showed that activity in first quarter of 2019 says we might be seeing a big jump in the average by the end of 2019. In the first quarter of 2019, that number increased to 54 days. 

Related Content:

 

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
5/13/2019 | 12:57:23 PM
Infections too can happen in seconds
While we poor, slow humans take longer to respond.  This is where automated response and A-I can really be of value and then Human beings can evaluate further actions.  When an infection attack occurs at 3:45 a.m. too, well, nobody is watching.  I wasn't.  
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32697
PUBLISHED: 2021-06-21
neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form F...
CVE-2020-19510
PUBLISHED: 2021-06-21
Textpattern 4.7.3 contains an aribtrary file load via the file_insert function in include/txp_file.php.
CVE-2020-19511
PUBLISHED: 2021-06-21
Cross Site Scriptiong vulnerability in Typesetter 5.1 via the !1) className and !2) Description fields in index.php/Admin/Classes,
CVE-2021-21422
PUBLISHED: 2021-06-21
mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however ...
CVE-2021-0532
PUBLISHED: 2021-06-21
In memory management driver, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-185196177