
Risk

5/10/2019
09:00 AM

Hackers Still Outpace Breach Detection, Containment Efforts

Research shows time to discovery and containment of breaches slowly shrinking, but attackers don't need a very big window to do a lot of damage.

It's breach report season, and one of the prevailing trends uncovered by security researchers is that organizations are ever so slowly shrinking the window between when a compromise occurs and when it gets detected. Despite this slight gain, the typical breach timeline still squarely favors attackers.

Two different reports this spring showed that organizations are shortening the time to discovery of data breaches. Most recently, the Trustwave 2019 Global Security Report released late last month found that the time between an intrusion and detection of that incident shrank almost in half. That study showed that the median time between intrusion and detection fell from 26 days in 2017 to 14 days in 2018.  

This corroborates the downward trend in this statistic identified in March by the FireEye 2019 Mandiant M-Trends Report, though that study showed a more modest reduction and a much longer gap between these important breach milestones. Mandiant found that the time between intrusion and detection went down from 101 days in 2017 to 78 days in 2018. That's a marked improvement from 2011, when Mandiant put that number at 426 days.

Mandiant uses the common term "dwell time" for this statistic, though other experts have their own colorful names for it. But they all agree that reducing it should be a big priority for cybersecurity teams.

"We refer to the time between compromise and discovery as the 'detection deficit,' and a prime goal should be to have the delta between the two be as small as possible," explained Bob Rudis, chief data scientist for Rapid7, in a blog post this week. "Note that it's not the only goal—nor should it be the entire focus of your response plans—but it should be 'up there' on any top 'x' list you have."

One of many industry contributors to the 2019 Verizon Data Breach Investigations Report (DBIR) released yesterday, Rudis pointed out that this year's report shows that this detection deficit is often not even accurately measured at many organizations, which means they're "already ceding the game's outcome" to adversaries.

More tellingly, though, this latest DBIR shows that even with reductions like those outlined in the Trustwave and Mandiant reports, the bad guys are in another league when it comes to speed.  

"The time from the attacker's first action in an event chain to the initial compromise of an asset is typically measured in minutes," the 2019 DBIR report said. "Conversely, the time to discovery is more likely to be months."

Asymmetric Battleground

A different report out last month from Ponemon Institute and IBM on cyber resilience indicates that security automation is the most likely way the security world can effectively win this asymmetric battle over dwell time.

That study showed that many gains that are being made in shortening the window between intrusion and detection are due to automation: automation improved detection and containment times by 25%. However, most organizations studied admitted they only use automation moderately, insignificantly, or not at all. Just 23% of respondents are significant users of automated tools that can reduce incident detection and response times, the study found.

Meantime, after organizations have detected and contained an event, they're also grappling with disclosure times. This is a big issue for regulators and lawmakers these days, what with the rollout of GDPR this year and rumblings of potential new laws in the US to mandate shorter disclosure times.

A report released this week by Risk Based Security showed that while the time window between discovery and reporting has fallen quite a bit since 2014, that number may be on the uptick. Last year the interval increased ever so slightly—by exactly one day—to an average of 49.6 days. That followed a fall of more than 12 days the previous year.

The report also showed that first-quarter 2019 activity suggests we may see a big jump in the average by the end of 2019: in the first quarter of 2019, that number rose to 54 days.
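The two intervals the article tracks, the "detection deficit" (compromise to discovery) that Rudis says many organizations never measure accurately, and the discovery-to-disclosure window that Risk Based Security reports, are straightforward to compute once an incident register records the right dates. The example below is added here and is not code from Dark Reading, Rapid7 or any of the reports cited; it computes medians over a small set of constructed incident records, keeps incidents with no established compromise date visible as "unmeasured" rather than silently dropping them, and rejects timelines that run backwards, since bad dates are the easiest way to make a deficit look smaller than it is. The `Incident` fields and the sample records are assumptions for illustration.

```python
"""Breach-timeline metrics from an incident register (added example).

Detection deficit  = detected - compromised   (Rapid7 term; Mandiant calls it dwell time)
Containment time   = contained - detected
Disclosure window  = disclosed - detected     (the interval Risk Based Security tracks)
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Incident:
    incident_id: str
    detected: date
    compromised: Optional[date] = None  # None: intrusion date never established
    contained: Optional[date] = None    # None: still open
    disclosed: Optional[date] = None    # None: not (yet) reported

    def __post_init__(self) -> None:
        # A timeline that runs backwards is a data-quality defect, not a fast response.
        if self.compromised is not None and self.compromised > self.detected:
            raise ValueError(f"{self.incident_id}: compromised after detected")
        if self.contained is not None and self.contained < self.detected:
            raise ValueError(f"{self.incident_id}: contained before detected")
        if self.disclosed is not None and self.disclosed < self.detected:
            raise ValueError(f"{self.incident_id}: disclosed before detected")


def detection_deficit_days(inc: Incident) -> Optional[int]:
    """Days between compromise and discovery; None when compromise date is unknown."""
    if inc.compromised is None:
        return None
    return (inc.detected - inc.compromised).days


def containment_days(inc: Incident) -> Optional[int]:
    """Days between discovery and containment; None while the incident is open."""
    if inc.contained is None:
        return None
    return (inc.contained - inc.detected).days


def disclosure_window_days(inc: Incident) -> Optional[int]:
    """Days between discovery and disclosure; None if not disclosed."""
    if inc.disclosed is None:
        return None
    return (inc.disclosed - inc.detected).days


def _median_or_none(values: List[int]):
    return median(values) if values else None


def summarize(incidents: Iterable[Incident]) -> Dict[str, object]:
    """Median of each interval plus a count of incidents whose deficit cannot be measured."""
    incidents = list(incidents)
    deficits = [d for d in map(detection_deficit_days, incidents) if d is not None]
    containment = [d for d in map(containment_days, incidents) if d is not None]
    disclosure = [d for d in map(disclosure_window_days, incidents) if d is not None]
    return {
        "incidents": len(incidents),
        # Incidents with no compromise date: Rudis's point that the deficit often goes unmeasured.
        "deficit_unmeasured": len(incidents) - len(deficits),
        "median_detection_deficit_days": _median_or_none(deficits),
        "median_containment_days": _median_or_none(containment),
        "median_disclosure_window_days": _median_or_none(disclosure),
    }


# Constructed sample register; dates and IDs are invented for this example.
SAMPLE_INCIDENTS = [
    Incident("INC-1", date(2018, 3, 15), compromised=date(2018, 3, 1),
             contained=date(2018, 3, 18), disclosed=date(2018, 5, 3)),
    Incident("INC-2", date(2018, 6, 10), compromised=None,            # never established
             contained=date(2018, 6, 12)),
    Incident("INC-3", date(2018, 3, 24), compromised=date(2018, 1, 5),
             contained=date(2018, 4, 2), disclosed=date(2018, 5, 15)),
    Incident("INC-4", date(2018, 9, 1), compromised=date(2018, 9, 1),  # same-day detection
             contained=date(2018, 9, 1), disclosed=date(2018, 10, 25)),
    Incident("INC-5", date(2019, 1, 20), compromised=date(2018, 11, 20)),  # still open
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

The summary reports the unmeasured count alongside the median on purpose: a median computed only over incidents that happen to have a compromise date says nothing about the ones that don't, and those are typically the cases where the attacker's window was longest.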


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments

REISEN1955 (User Rank: Ninja), 5/13/2019 12:57:23 PM

Infections too can happen in seconds
While we poor, slow humans take longer to respond. This is where automated response and A-I can really be of value and then Human beings can evaluate further actions. When an infection attack occurs at 3:45 a.m. too, well, nobody is watching. I wasn't.