10 Reasons Data Breach Detection Takes Weeks, Months4:00 PM EST Thu. Jun. 20, 2013
IT teams are confident in finding attacks in real time, but nearly half of the organizations that experienced a breach in the last year said it took days or weeks to detect, according to a new survey released by McAfee. The survey, conducted by research firm Vanson Bourne, consisted of 500 senior IT decision maker in January 2013, including 200 in the U.S. and 100 each in the U.K., Germany and Australia. The survey findings mirror the Verizon Data Breach Investigations report, which also found most breaches took weeks or months before they were discovered. Data was often taken in seconds or minutes. McAfee said its survey suggests that IT teams are disconnected from security professionals in the organization who are struggling to keep pace with increasingly sophisticated attacks. Here's a look at the top reasons behind the slow rate of data breach detection.
Businesses are vulnerable to security breaches because most don't have the means to properly analyze and store big data, according to McAfee. Mike Fey, president and CTO at McAfee, said far too few organizations have real-time access to data that can provide visibility into threats on the network. On average, organizations are storing approximately 11-15 terabytes of security data a week, according to the study. The amount of data is expected to increase, but organizations are not prepared to properly analyze it to detect issues before they grow out of control.
Phishing is similarly prevalent for both small and large organizations, according to Verizon. Targeted attacks typically begin with a spear phishing email message to a group of employees. It only takes one click to infect a victim's machine, and so far cybercriminals have found phishing messages the most effective way to gain initial access into the corporate network. Ten or more spear phishing messages to an organization almost guarantees that an attacker will get at least one employee to click on a malicious link or open an attachment, according to data collected by ThreatSim, an antiphishing firm.
McAfee and other security firms said state-sponsored cyberespionage attacks using sophisticated malware have been on the rise. The company said the targeted attacks accelerated in the second half of 2012, according to its Fourth Quarter 2012 Threats Report. Malware authors are increasingly designing mechanisms to evade detection. Some threats can lay dormant within a network for months or even years, McAfee said.
McAfee found that organizations are collecting security data and have log management systems in place, but far fewer organizations have the IT staff on hand to proactively monitor system logs for potential problems. The McAfee survey found only 35 percent of businesses have the ability to detect data breaches within minutes. The lack of skilled security staff is forcing some firms to turn to managed services providers for 24/7 monitoring.
Organizations need to take a threat assessment to determine the most likely threat actors that would target the organization's data, according to McAfee. Gaining a better understanding could help organizations apply the appropriate defense mechanisms in place or increase attention on specific systems. Financially motivated cybercriminals target credit card data and account credentials. Hacktivists target website vulnerabilities or conduct distributed denial-of-service attacks. State sponsored cyberespionage attacks are generally after account credentials intellectual property.
Studies on insider threats conducted by the Ponemon Institute and other organizations have found breaches involving insiders to be much more costly to organizations than breaches involving external attackers. Financial institutions, government contractors and state and federal agencies generally monitor employees more closely than other industries. Businesses that work with sensitive organizations should consider tighter controls on employee activity, McAfee said.
Many organizations fail to consider security when establishing business partner relationships with other firms. The Verizon Data Breach Investigations Report found attackers moving down the supply chain to breach business partners. They then use the information gleaned from the attack to conduct more convincing attacks on the targeted organization.
Antivirus alone will not provide the protection necessary to detect threats at the perimeter. McAfee said 78 percent of those surveyed indicated confidence that perimeter threats could be identified in real time. While antivirus offers protection against the most widespread attacks -- typically financially motivated attacks generated by automated toolkits -- other security technologies are necessary to detect threats, including properly configured firewalls and network intrusion prevention appliances.
McAfee said 80 percent of survey participants said they were confident in compliance controls. Maintaining compliance is an important activity, but security experts say compliance does not equal security. Compliance mandates often represent the minimal set of controls that should be placed on specific data, such as credit card transactions or personally identifiable information. The good news, according to Verizon, is that high-profile data breaches have enlightened executives that compliance activities alone can't keep the organization secure.
Organizations are making it easy for attackers to gain access, McAfee said. Remote access systems, a favorite target of attackers, are often left open or protected with weak and default passwords. A recent study conducted by Boston-based vulnerability management vendor Rapid7 found millions of devices connected to the Internet and open to probing. They also contain common vulnerabilities that can be easily exploited. Web application vulnerabilities are also a common pathway into organizations. SaaS-based Web application scanning is available. A Web application firewall that is properly configured and maintained can also help organizations apply a virtual patch while coding errors are fixed.