It's breach report season and one of the prevailing trends uncovered by security researchers is that organizations are ever-so-slowly improving the window between when a compromise occurs and when it gets detected. In spite of this slight gain, the fact solidly remains that the typical breach timeline still completely favors attackers.
Two different reports this spring showed that organizations are shortening the time to discovery of data breaches. Most recently, the Trustwave 2019 Global Security Report released late last month found that the time between an intrusion and detection of that incident shrank almost in half. That study showed that the median time between intrusion and detection fell from 26 days in 2017 to 14 days in 2018.
This corroborates the downward trend in this statistic identified in March by the FireEye 2019 Mandiant M-Trends Report, though that study showed a more modest reduction and a much higher time between these important breach milestones. Mandiant found that the time between intrusion and detection went down from 101 days in 2017 to 78 days in 2018. That's marked improvement from 2011, when Mandiant put that number at 426 days.
Mandiant uses a common parlance of "dwell time" for this statistic, though other experts have their own colorful terms. But they all agree that reduction should be a big priority for cybersecurity teams.
"We refer to the time between compromise and discovery as the 'detection deficit,' and a prime goal should be to have the delta between the two be as small as possible," explained Bob Rudis, chief data scientist for Rapid7, in a blog post this week. "Note that it's not the only goal—nor should it be the entire focus of your response plans—but it should be 'up there' on any top 'x' list you have."
One of many industry contributors to the 2019 Verizon Data Breach Investigations Report (DBIR) released yesterday, Rudis pointed out that this year's report shows that this detection deficit is often not even accurately measured at many organizations, which means they're "already ceding the game's outcome" to adversaries.
More tellingly, though, this latest DBIR shows that even with reductions like those outlined in the Trustwave and Mandiant reports, the bad guys are in another league when it comes to speed.
"The time from the attacker's first action in an event chain to the initial compromise of an asset is typically measured in minutes," the 2019 DBIR report said. "Conversely, the time to discovery is more likely to be months."
A different report out last month from Ponemon Institute and IBM on cyber resilience indicates that security automation is the most likely way that the security world can effectively win this asymmetric battle over dwell time.
That study showed that many gains that are being made in shortening the window between intrusion and detection are due to automation: automation improved detection and containment times by 25%. However, most organizations studied admitted they only use automation moderately, insignificantly, or not at all. Just 23% of respondents are significant users of automated tools that can reduce incident detection and response times, the study found.
Meantime, after organizations have detected and contained an event, they're also grappling with disclosure times. This is a big issue for regulators and lawmakers these days, what with rollout of GDPR this year and rumblings of potential new laws in the US to mandate shorter disclosure times.
A report released this week by Risk Based Security showed that while the time window between discovery and reporting has fallen quite a bit since 2014, that number may be on the uptick. Last year the time interval increased ever so slightly—by exactly one day—up to an average of 49.6 days. That was after a fall of more than 12 days the previous year.
The report showed that activity in first quarter of 2019 says we might be seeing a big jump in the average by the end of 2019. In the first quarter of 2019, that number increased to 54 days.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.