Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/10/2019
09:00 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Hackers Still Outpace Breach Detection, Containment Efforts

Research shows time to discovery and containment of breaches slowly shrinking, but attackers don't need a very big window to do a lot of damage.

It's breach report season and one of the prevailing trends uncovered by security researchers is that organizations are ever-so-slowly improving the window between when a compromise occurs and when it gets detected. In spite of this slight gain, the fact solidly remains that the typical breach timeline still completely favors attackers. 

Two different reports this spring showed that organizations are shortening the time to discovery of data breaches. Most recently, the Trustwave 2019 Global Security Report released late last month found that the time between an intrusion and detection of that incident shrank almost in half. That study showed that the median time between intrusion and detection fell from 26 days in 2017 to 14 days in 2018.  

This corroborates the downward trend in this statistic identified in March by the FireEye 2019 Mandiant M-Trends Report, though that study showed a more modest reduction and a much higher time between these important breach milestones. Mandiant found that the time between intrusion and detection went down from 101 days in 2017 to 78 days in 2018. That's marked improvement from 2011, when Mandiant put that number at 426 days.

Mandiant uses a common parlance of "dwell time" for this statistic, though other experts have their own colorful terms. But they all agree that reduction should be a big priority for cybersecurity teams.  

"We refer to the time between compromise and discovery as the 'detection deficit,' and a prime goal should be to have the delta between the two be as small as possible," explained Bob Rudis, chief data scientist for Rapid7, in a blog post this week. "Note that it's not the only goal—nor should it be the entire focus of your response plans—but it should be 'up there' on any top 'x' list you have."

One of many industry contributors to the 2019 Verizon Data Breach Investigations Report (DBIR) released yesterday, Rudis pointed out that this year's report shows that this detection deficit is often not even accurately measured at many organizations, which means they're "already ceding the game's outcome" to adversaries.

More tellingly, though, this latest DBIR shows that even with reductions like those outlined in the Trustwave and Mandiant reports, the bad guys are in another league when it comes to speed.  

"The time from the attacker's first action in an event chain to the initial compromise of an asset is typically measured in minutes," the 2019 DBIR report said. "Conversely, the time to discovery is more likely to be months."

Asymmetric Battleground

different report out last month from Ponemon Institute and IBM on cyber resilience indicates that security automation is the most likely way that the security world can effectively win this asymmetric battle over dwell time.

That study showed that many gains that are being made in shortening the window between intrusion and detection are due to automation: automation improved detection and containment times by 25%. However, most organizations studied admitted they only use automation moderately, insignificantly, or not at all. Just 23% of respondents are significant users of automated tools that can reduce incident detection and response times, the study found.

Meantime, after organizations have detected and contained an event, they're also grappling with disclosure times. This is a big issue for regulators and lawmakers these days, what with rollout of GDPR this year and rumblings of potential new laws in the US to mandate shorter disclosure times.

report released this week by Risk Based Security showed that while the time window between discovery and reporting has fallen quite a bit since 2014, that number may be on the uptick. Last year the time interval increased ever so slightly—by exactly one day—up to an average of 49.6 days. That was after a fall of more than 12 days the previous year.

The report showed that activity in first quarter of 2019 says we might be seeing a big jump in the average by the end of 2019. In the first quarter of 2019, that number increased to 54 days. 

Related Content:

 

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
5/13/2019 | 12:57:23 PM
Infections too can happen in seconds
While we poor, slow humans take longer to respond.  This is where automated response and A-I can really be of value and then Human beings can evaluate further actions.  When an infection attack occurs at 3:45 a.m. too, well, nobody is watching.  I wasn't.  
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
When Older Windows Systems Won't Die
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Who replaced the "Scroll Lock" key with a "Screen Lock" key?
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
CVE-2019-12168
PUBLISHED: 2019-05-17
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
CVE-2019-12170
PUBLISHED: 2019-05-17
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PH...
CVE-2019-11644
PUBLISHED: 2019-05-17
In the F-Secure installer in F-Secure SAFE for Windows before 17.6, F-Secure Internet Security before 17.6, F-Secure Anti-Virus before 17.6, F-Secure Client Security Standard and Premium before 14.10, F-Secure PSB Workstation Security before 12.01, and F-Secure Computer Protection Standard and Premi...