Needed: Breach detection correction

Taylor Armerding

There is no shame in being breached by a cyber attack -- security experts are unanimous about that. Prevention, while a worthy part of a risk management strategy, will never be 100% successful, given the sophistication and overwhelming volume of attacks.

But there is room for improvement -- vast improvement -- in the detection of breaches. A large majority of enterprises fail to detect breaches on their own -- they find out about them from somebody else, as a couple of recent reports show.

The security firm Mandiant, now part of FireEye, reported recently that while the median time it took to detect breaches declined slightly from 2012 to 2013, from 243 to 229 days (more than seven months), the share of victims that detected their own breaches actually dropped, from 37% to 33%.

The results in a report from security firm Trustwave were more encouraging, at least for the time between intrusion and detection -- it found the median was 87 days. But the share of firms able to detect malware in their systems on their own was only 29%, which Karl Sigler, Trustwave's manager of threat intelligence, called "just a horrible statistic in general."

All of which raises a couple of obvious questions: Why are organizations so bad at detecting breaches? And what can and should they be doing to improve?

Mike Parrella, director of operations for managed services at Verdasys, told Dark Reading's Ericka Chickowski almost a year ago that the poor performance was because, "businesses and government alike are filled with idiots and ostriches. People are simply not looking for a leak -- they would rather not look, not be bothered, not spend to solve the problem, and so they are not finding. They prefer to outrun their risk," he said.

Scott Koller, an attorney with the Information Law Group, was much less harsh. He said it is more a matter of not knowing than not caring. Most enterprises take steps to prevent vulnerabilities they know about, he said.

"But when they do suffer a breach, it is the result of a sophisticated attack using a vulnerability they didn't know existed. In light of that, it shouldn't be surprising why enterprises have such a difficult time detecting their own breaches."

Richard Bejtlich, chief security strategist at FireEye and a nonresident senior fellow at the Brookings Institution, is also a bit more forgiving, noting that once adversaries have breached the security perimeter of an organization, "it can be exceptionally difficult to find them. At that point, they're using VPN credentials."
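Bejtlich's point that an intruder holding valid VPN credentials is hard to spot is why detection has to look at how credentials are used, not just whether authentication succeeded. The script below is an added example to illustrate that, not code from the article or from FireEye/Mandiant; the log format, field names, coordinates and thresholds are assumptions, and the log lines are constructed. It flags three patterns over a VPN authentication log: a user whose consecutive logins imply impossible travel speed, a login from a country the user has never authenticated from before, and a success that follows a run of failures from the same address.

```python
"""Heuristic detection of suspicious VPN logins over constructed sample logs.

Added example, not from the article or any vendor product. The log format,
field names and thresholds below are assumptions made for illustration.
"""
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN authentication log. Assumed CSV format:
# timestamp,user,src_ip,country,lat,lon,result
SAMPLE_LOG = """\
2014-03-03T08:02:11Z,alice,203.0.113.10,US,40.71,-74.01,success
2014-03-03T08:40:55Z,alice,203.0.113.10,US,40.71,-74.01,success
2014-03-03T09:15:02Z,alice,198.51.100.77,RO,44.43,26.10,success
2014-03-03T07:55:00Z,bob,192.0.2.5,US,37.77,-122.42,success
2014-03-03T17:30:09Z,bob,192.0.2.5,US,37.77,-122.42,success
2014-03-04T02:14:41Z,carol,192.0.2.200,US,41.88,-87.63,failure
2014-03-04T02:14:50Z,carol,192.0.2.200,US,41.88,-87.63,failure
2014-03-04T02:15:03Z,carol,192.0.2.200,US,41.88,-87.63,success
"""

# Assumed threshold: roughly airliner speed. Two successful logins whose
# implied ground speed exceeds this cannot be the same person travelling.
MAX_PLAUSIBLE_KMH = 900.0


def parse_log(text):
    """Parse the assumed CSV format into dicts, sorted by user then time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, country, lat, lon, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country,
            "lat": float(lat), "lon": float(lon), "result": result,
        })
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def detect_anomalies(events, max_kmh=MAX_PLAUSIBLE_KMH, fail_threshold=2):
    """Return (user, rule, detail) findings for suspicious credential use.

    Rules (all heuristics, assumed for this example):
      impossible_travel      - consecutive successes imply speed > max_kmh
      new_country            - success from a country never seen for that user
      failures_then_success  - >= fail_threshold failures immediately before a success
    The first successful login for a user seeds the baseline and is never flagged.
    """
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        seen_countries = set()
        last_success = None
        consecutive_failures = 0
        for e in evs:
            if e["result"] != "success":
                consecutive_failures += 1
                continue
            if consecutive_failures >= fail_threshold:
                findings.append((user, "failures_then_success",
                                 f"{consecutive_failures} failures before success from {e['ip']}"))
            consecutive_failures = 0

            if seen_countries and e["country"] not in seen_countries:
                findings.append((user, "new_country",
                                 f"first login from {e['country']} via {e['ip']}"))
            seen_countries.add(e["country"])

            if last_success is not None:
                km = haversine_km(last_success["lat"], last_success["lon"], e["lat"], e["lon"])
                hours = (e["ts"] - last_success["ts"]).total_seconds() / 3600.0
                # Zero elapsed time with nonzero distance is also impossible travel.
                if km > 0 and (hours <= 0 or km / hours > max_kmh):
                    findings.append((user, "impossible_travel",
                                     f"{km:.0f} km in {hours:.2f} h between {last_success['ip']} and {e['ip']}"))
            last_success = e
    return findings


if __name__ == "__main__":
    for user, rule, detail in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{user:6} {rule:22} {detail}")
```

The rules fire only on behaviour, since every one of these sessions authenticated successfully with a valid credential; that is the gap Bejtlich describes. They are also only as useful as the review behind them, which is the point of the next paragraph: an alert nobody reads is indistinguishable from no alert at all.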

But he agrees that there is a lingering misperception about how to deal with modern threats. "There is still a prevalent attitude that it's a technology problem -- that if you deploy proper equipment, that means it (a breach) won't happen," he said.
