What’s to be done about data breach discovery?

The time from first contact by cyber attackers to the victim learning of it is still measured in months and years, not hours and days

This article can also be found in the Premium Editorial Download: Computer Weekly: Business value from the internet of things

The time from initial compromise by cyber attackers to when the victim first learns of the incident continues to be measured in months and even years, not hours and days, according to Verizon's recently released 2013 Data Breach Investigations Report (DBIR). What does this mean for business? 

According to the Verizon report, 66% of breaches in the past year took months or more to discover, which means most attackers are able to exfiltrate data and scout around in the IT systems of a targeted business for weeks before they are discovered.

While intrusion prevention is crucial, the DBIR says businesses must accept the fact that no barrier is impenetrable. Detection and response represent a critical line of defence.

According to Verizon, businesses need to stop treating detection and response like a backup plan if things go wrong. Instead, businesses should make detection and response capabilities a core part of their security plan.

Logging and monitoring, for example, are critical to detecting activity that could lead to a breach and preventing or minimising the damage from a breach, said Patrick Harbauer, senior security consultant at mobile and cloud security firm Neohapsis.

Attackers have unlimited resources and time to poke and prod organisations once they have gained access to the network.

“The only hope is to invest in qualified people and automated tools so that the organisation can monitor its systems for malicious activity,” he said.

Fresh approach to security

Organisations also need to network with other security organisations and professionals to gain advantage from sharing knowledge and intelligence, said Harbauer.

With businesses moving increasing amounts of computing activity into cloud environments, they essentially need to adopt a new security paradigm, according to Eric Chiu, president and founder of virtualisation security firm HyTrust.

“We need to turn our security paradigm around from an "outside-in" threat perspective, which has proven inefficient and largely ineffective, to an "inside-out" view that addresses both insider and outsider advanced threats,” Chiu said.

Chiu believes that the future of monitoring lies in role-based systems. “Role-based monitoring (RBM) is the fastest, strongest and most certain method of identifying threats with 98% accuracy,” he said.

This is especially true in cloud environments where 'super admins' have 'super access' to everything, which would enable them to copy every virtual machine and tamper with controls, said Chiu.

“It's time to rethink security, in line with emerging technologies and change the way we do business,” he said.

External notification

Underlining the need for change even further, the Verizon DBIR also revealed that around 70% of breaches are discovered by external parties who then notified the victim.

The report said that, while this is better than the 92% observed the previous year, the fact remains that internal detection capability is still lacking.

Victims of breaches are commonly notified by internet service providers (ISPs), information security advisory committees (ISACs), and intelligence organisations that track threat actors, the DBIR said.

The suspicious activity detected often involves communication to and from malicious IP addresses and domains associated with known threat groups.

Due to the effectiveness of monitoring indicators of compromise (IOCs) for state-affiliated groups, this method accounts for the discovery of many of the espionage-related breaches in the DBIR.

Third-party fraud detection is the top way financially motivated attacks are detected, the report said, especially for smaller retail or food services establishments, which have fewer human and technical resources to deter and detect attacks.

The problem is that third-party detection only kicks in after fraud has begun, using stolen payment card data.

Users most effective internal detectives

According to the DBIR, users represent the most effective means of detecting a breach internally.

“Typically, this involves a regular employee who, in the course of their daily responsibilities, notices something strange – such as slower system performance or an e-mail that looks suspicious – and alerts IT or management,” the report said.

According to Verizon, consistently collecting and maintaining the right data sources provides an organisation with a resource from which to mine for IOCs, and a basic foundation for a stronger investigation.

Businesses should be clear about what level of logging their host-based security systems have, what data they are logging on the network, and how long this data is retained.

Retention time is also a crucial factor in light of the fact that most data breaches are not discovered for weeks or months, the report said.
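As an added example (not code from the Verizon report or this article), the kind of check the IOC-monitoring and log-retention paragraphs describe: matching constructed outbound proxy log lines against a constructed indicator list, then measuring how long the attacker had been in contact before discovery and whether a given retention window still holds that first contact. The indicator values, log lines and dates are all made up (documentation IP ranges and a .invalid domain).

```python
from datetime import datetime, timedelta

# Constructed IOC list (placeholder values, not real indicators): one IP from
# the TEST-NET-3 documentation range and one made-up domain.
IOC_IPS = {"203.0.113.7"}
IOC_DOMAINS = {"c2.example.invalid"}

# Constructed outbound proxy log: "timestamp src_ip dst_host dst_ip bytes_out".
PROXY_LOG = """\
2013-01-03T09:14:02 10.0.0.21 c2.example.invalid 203.0.113.7 1840
2013-01-03T09:20:11 10.0.0.21 updates.example.com 198.51.100.4 512
2013-03-19T22:05:47 10.0.0.44 c2.example.invalid 203.0.113.7 7340032
2013-03-20T01:11:09 10.0.0.44 mail.example.com 198.51.100.9 2048
"""

# Constructed date on which an external party notified the victim.
DISCOVERED = datetime(2013, 3, 21)

def parse(line):
    ts, src, host, dst, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "host": host, "dst": dst, "bytes": int(size)}

def ioc_hits(log_text):
    """Return log records whose destination host or IP matches an indicator."""
    return [r for r in map(parse, log_text.splitlines())
            if r["dst"] in IOC_IPS or r["host"] in IOC_DOMAINS]

def dwell_days(hits, discovered):
    """Whole days between the earliest IOC contact and the discovery date."""
    return (discovered - min(r["ts"] for r in hits)).days

def retention_covers_first_contact(hits, discovered, retention_days):
    """True if logs kept for retention_days still contain the first IOC contact."""
    oldest_kept = discovered - timedelta(days=retention_days)
    return min(r["ts"] for r in hits) >= oldest_kept

if __name__ == "__main__":
    hits = ioc_hits(PROXY_LOG)
    for r in hits:
        print(f"{r['ts']} {r['src']} -> {r['host']} ({r['dst']}) {r['bytes']} bytes")
    print("dwell days before discovery:", dwell_days(hits, DISCOVERED))
    for days in (90, 30):
        print(f"{days}-day retention covers first contact:",
              retention_covers_first_contact(hits, DISCOVERED, days))
```

With a 30-day retention window the January contact has already been rotated out by the time the notification arrives in March, which is the gap the report warns about.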

Although the victim’s own data sources are an important element of an investigation, the data provided by external parties can also be of great value.

The findings of the report show that monitoring systems, data logging, external data sources, information sharing and user awareness are all areas that require attention to reduce the attackers' window of opportunity.
