Data breach discovery takes 'weeks or months'

A new report confirms what's long been feared - businesses take too long to recognise and react to a data breach.


In its 2014 Data Breach Investigations Report – the seventh it has produced since 2004 – Verizon claims that no organisation is immune from a data breach, and finds that 92 percent of security incidents fall into nine basic patterns.

Worse still, just three threat patterns cover 72 percent of security incidents across any industry. Approximately 75 percent of financial sector incidents come from web application attacks, DDoS attacks and card skimming, while most attacks in the retail industry are tied to DDoS (33 percent) and POS intrusions (31 percent). DDoS attacks were so prevalent in 2013 that Verizon has given the attack method its own section of the study for the first time.

Other highlights from the report include the finding that there were 1,367 data breaches in 95 countries over the last year, and that cyber espionage activity grew four-fold.

For all this, however, the standout point – as touched on by several Verizon analysts – was that data breach discovery often takes ‘weeks or months’, allowing hackers to compromise the system and search for valuable data to exfiltrate.

“Organisations need to realise no one is immune from a data breach,” said Wade Baker, principal author of the Data Breach Investigations Report series, in a statement.

“Compounding this issue is the fact that it is taking longer to identify compromises within an organisation – often weeks or months, while penetrating an organisation can take minutes or hours.” Baker went on to urge companies to adopt big data analytics to “curve and combat” cyber-crime.

Speaking to SCMagazineUK.com before the results were announced, Dave Ostertag, global investigations manager at Verizon Investigative Response, said that detection has not improved, despite the fact that attack methods largely remain the same.

“Generally we continue to see the use of the same old things, like web app and SQL injection attacks. It's the same old tools, but what we continue to see is that the time from compromise to discovery is longer than what we want it to be,” said Ostertag, noting that this comes despite companies ‘paying millions’ on logging tools and SIEM solutions.

“…We're still not good enough at discovery ourselves,” he added, before continuing that law enforcement agencies are increasingly breaking the bad news to the companies.

Brian Foster, CTO of Damballa – which helps companies detect and defend against data breaches – agrees.

“What I've found, more often than not, is that companies have been told that they've been breached by a third party. Most people aren't aware for months after the breach starts,” he said when speaking to SCMagazineUK.com.

Ostertag says that smart companies are collaborating with industry peers – even competitors – and are looking at ways they can get “actionable intelligence faster”. But he adds that IT teams must also keep on top of the incoming threats, and believes that this starts by knowing what ‘business as normal’ looks like.

“Know your business. You need to understand what normal business operations are, what IPs you connect with, what ports you connect with, as well as geography, time, the average file size,” said the Verizon executive, adding that this can help eliminate the white noise and make the dataset much smaller, and thus easier to manage.
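As an added illustration of the baselining Ostertag describes (example code written for this page, not from Verizon or the article), the script below builds a ‘business as normal’ profile from constructed outbound-connection records and keeps only the records that deviate from it; the hosts, ports, hours, sizes and the three-standard-deviation threshold are all assumed sample values.

```python
# Added example: profile "normal" outbound traffic (peers, ports, countries,
# hours, transfer sizes) and surface only the records that depart from it.
from statistics import mean, pstdev

# Constructed sample records: (dst_ip, dst_port, country, hour_of_day, bytes_sent)
BASELINE_RECORDS = [
    ("203.0.113.10", 443, "GB", h, b)
    for h, b in [(9, 1200), (10, 1500), (11, 900), (14, 1300), (16, 1100), (17, 1400)]
] + [("198.51.100.7", 22, "GB", 10, 8000), ("198.51.100.7", 22, "GB", 15, 7600)]

# Constructed new records to triage against that baseline.
NEW_RECORDS = [
    ("203.0.113.10", 443, "GB", 10, 1250),       # looks like normal business
    ("192.0.2.55", 443, "US", 3, 45_000_000),    # new peer, new country, 3am, huge upload
    ("203.0.113.10", 8443, "GB", 11, 1000),      # known peer but on an unseen port
]

def build_baseline(records):
    """Summarise what 'normal' looks like from historical records."""
    sizes = [r[4] for r in records]
    return {
        "ips": {r[0] for r in records},
        "ports": {r[1] for r in records},
        "countries": {r[2] for r in records},
        "hours": {r[3] for r in records},
        "mean": mean(sizes),
        "sd": pstdev(sizes) or 1.0,  # guard against a uniform baseline
    }

def deviations(record, baseline, z_limit=3.0):
    """List the ways a record departs from the baseline; an empty list means normal."""
    ip, port, country, hour, size = record
    reasons = []
    if ip not in baseline["ips"]:
        reasons.append("unknown destination")
    if port not in baseline["ports"]:
        reasons.append(f"unusual port {port}")
    if country not in baseline["countries"]:
        reasons.append(f"unusual country {country}")
    if hour not in baseline["hours"]:
        reasons.append(f"outside normal hours ({hour}:00)")
    z = (size - baseline["mean"]) / baseline["sd"]
    if z > z_limit:
        reasons.append(f"transfer size {z:.1f} sd above mean")
    return reasons

def triage(records, baseline):
    """Return only the deviating records: the smaller dataset an analyst actually reviews."""
    return [(r, deviations(r, baseline)) for r in records if deviations(r, baseline)]
```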

Companies ‘too focused’ on prevention

Foster of Damballa also says that companies need to properly vet the third parties they're working with, and spend less money – and time – concentrating on preventing data breaches.

As well as recent examples like the South Korean banking data breach and Target hack (where hackers gained access to the company's POS terminals after reportedly gaining access to a refrigeration contractor in Pittsburgh that connected to the retailer's systems to do electronic billing), Foster cites one example where a major retailer's photo kiosks – owned by an outside company – were infected with information-stealing malware.

He adds that working with third parties can raise questions about who is at risk, and who is legally responsible. And yet he says that most companies have their approach all wrong.

“Too many [businesses] are focused on prevention, but prevention is never going to be 100 percent,” he said.

“Organisations invest most of their IT budget in prevention, but need to start prioritising detection and response.”

Other interesting statistics from the report are as follows:

  • There were 63,437 security incidents in the last year
  • 75 percent of attacks in the hospitality industry come via POS systems
  • Two out of three breaches exploit weak or stolen passwords
  • Insider attacks are on the up: 85 percent of insider and privilege-abuse attacks used the corporate LAN, and 22 percent took advantage of physical access
  • China still leads as far as cyber espionage activity is concerned, although Eastern Europe now accounts for more than 20 percent.