Risk

5/10/2019
09:00 AM

Hackers Still Outpace Breach Detection, Containment Efforts

Research shows time to discovery and containment of breaches slowly shrinking, but attackers don't need a very big window to do a lot of damage.

It's breach report season and one of the prevailing trends uncovered by security researchers is that organizations are ever-so-slowly improving the window between when a compromise occurs and when it gets detected. In spite of this slight gain, the fact solidly remains that the typical breach timeline still completely favors attackers. 

Two different reports this spring showed that organizations are shortening the time to discovery of data breaches. Most recently, the Trustwave 2019 Global Security Report, released late last month, found that the time between an intrusion and detection of that incident shrank by almost half. That study showed that the median time between intrusion and detection fell from 26 days in 2017 to 14 days in 2018.

This corroborates the downward trend in this statistic identified in March by the FireEye 2019 Mandiant M-Trends Report, though that study showed a more modest reduction and a much longer gap between these important breach milestones. Mandiant found that the time between intrusion and detection went down from 101 days in 2017 to 78 days in 2018. That's marked improvement from 2011, when Mandiant put that number at 426 days.

Mandiant uses the common term "dwell time" for this statistic, though other experts have their own colorful names for it. But they all agree that reducing it should be a big priority for cybersecurity teams.

"We refer to the time between compromise and discovery as the 'detection deficit,' and a prime goal should be to have the delta between the two be as small as possible," explained Bob Rudis, chief data scientist for Rapid7, in a blog post this week. "Note that it's not the only goal—nor should it be the entire focus of your response plans—but it should be 'up there' on any top 'x' list you have."

One of many industry contributors to the 2019 Verizon Data Breach Investigations Report (DBIR) released yesterday, Rudis pointed out that this year's report shows that this detection deficit is often not even accurately measured at many organizations, which means they're "already ceding the game's outcome" to adversaries.

More tellingly, though, this latest DBIR shows that even with reductions like those outlined in the Trustwave and Mandiant reports, the bad guys are in another league when it comes to speed.

"The time from the attacker's first action in an event chain to the initial compromise of an asset is typically measured in minutes," the 2019 DBIR report said. "Conversely, the time to discovery is more likely to be months."
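The article's point is that the gap between compromise and discovery is often not measured at all. Below is an added example, not code from the article or from any of the cited reports, that computes the three intervals discussed (attacker time to compromise, the detection deficit, and time to containment) from a set of constructed incident records and also reports what fraction of incidents actually recorded each milestone. Record fields and sample timestamps are assumptions made for the example.

```python
from datetime import datetime
from statistics import median

# Constructed sample incident records (not from the article). Timestamps are ISO 8601;
# None marks a milestone the organization never recorded.
INCIDENTS = [
    {"id": "inc-1", "first_action": "2018-03-01T02:10", "compromise": "2018-03-01T02:14",
     "detection": "2018-03-20T09:00", "containment": "2018-03-22T17:30"},
    {"id": "inc-2", "first_action": "2018-05-10T23:50", "compromise": "2018-05-11T00:05",
     "detection": "2018-05-25T08:15", "containment": None},
    {"id": "inc-3", "first_action": None, "compromise": "2018-07-04T12:00",
     "detection": "2018-07-11T12:00", "containment": "2018-07-12T12:00"},
]

# Each interval is a (start milestone, end milestone) pair.
INTERVALS = {
    "time_to_compromise": ("first_action", "compromise"),  # attacker speed, typically minutes
    "detection_deficit": ("compromise", "detection"),      # Rudis' term; Mandiant's "dwell time"
    "time_to_contain": ("detection", "containment"),
}


def _parse(ts):
    return datetime.fromisoformat(ts) if ts else None


def interval_minutes(record, start_key, end_key):
    """Minutes between two milestones, or None if either was never recorded."""
    start, end = _parse(record.get(start_key)), _parse(record.get(end_key))
    if start is None or end is None:
        return None
    return (end - start).total_seconds() / 60


def summarize(incidents):
    """Median of each interval (minutes) and the share of incidents in which it was measurable."""
    out = {}
    for name, (start_key, end_key) in INTERVALS.items():
        values = [v for v in (interval_minutes(r, start_key, end_key) for r in incidents)
                  if v is not None]
        out[name] = {
            "median_minutes": median(values) if values else None,
            "measured_fraction": len(values) / len(incidents) if incidents else 0.0,
        }
    return out


if __name__ == "__main__":
    for name, stats in summarize(INCIDENTS).items():
        print(f"{name}: median {stats['median_minutes']} min, "
              f"measured in {stats['measured_fraction']:.0%} of incidents")
```

A low measured fraction for any interval is itself a finding: it is the "not even accurately measured" condition the DBIR commentary describes.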

Asymmetric Battleground

A different report out last month from Ponemon Institute and IBM on cyber resilience indicates that security automation is the most likely way the security world can effectively win this asymmetric battle over dwell time.

That study showed that many of the gains being made in shortening the window between intrusion and detection are due to automation: automation improved detection and containment times by 25%. However, most organizations studied admitted they use automation only moderately, insignificantly, or not at all. Just 23% of respondents are significant users of automated tools that can reduce incident detection and response times, the study found.

Meanwhile, after organizations have detected and contained an event, they're also grappling with disclosure times. This is a big issue for regulators and lawmakers these days, with the rollout of GDPR this year and rumblings of potential new laws in the US to mandate shorter disclosure times.

A report released this week by Risk Based Security showed that while the time window between discovery and reporting has fallen quite a bit since 2014, that number may be on the uptick. Last year the time interval increased ever so slightly, by exactly one day, to an average of 49.6 days. That was after a fall of more than 12 days the previous year.

The report also showed that first-quarter 2019 activity suggests we might see a big jump in the average by the end of 2019: in the first quarter of 2019, that number increased to 54 days.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
REISEN1955, User Rank: Ninja, 5/13/2019 | 12:57:23 PM

Infections too can happen in seconds

While we poor, slow humans take longer to respond. This is where automated response and AI can really be of value, and then human beings can evaluate further actions. When an infection attack occurs at 3:45 a.m. too, well, nobody is watching. I wasn't.