An analysis of breach response times shows that the average time to detect a breach is a massive 60 days, with some enterprises taking far longer: one example took more than 3.5 years.
The research, based on a Freedom of Information (FOI) request to the UK's data protection watchdog, the Information Commissioner's Office (ICO), also found that enterprises tended to drag their feet in reporting breaches, with an average of 21 days between detection and reporting, while one organisation took as long as 142 days.
This means that fewer than a quarter of the businesses (45 out of 182) would have met the requirements of the General Data Protection Regulation (GDPR), which came into force the month after the period the report covers. The FOI request and analysis were conducted by Redscan and related to 182 data breach reports triaged by the ICO in the financial year ending April 2018. GDPR came into effect in late May 2018 and requires businesses to have appropriate measures in place to detect personal data breaches and to report them within 72 hours, with the clock starting the moment an organisation detects a breach.
Luke Jennings, chief research officer of Countercept at MWR InfoSecurity, told SC Media UK: "Enterprises need to be effective at detecting malicious activity in the earlier phases of the cyber kill chain and not simply discovering a breach due to an external notification or when the damage is already done.
"Obviously, there are key security technologies that can help with this, but the most important point is to have a skilled team of threat hunters whose sole focus is on identifying attackers on the network and removing them. If an enterprise relies on technology to do all the work, or leaves hunting as a tertiary responsibility for an overstretched team without the correct skill set, then breaches will go unnoticed."
The FOI analysis also revealed that more than nine out of 10 companies (93 percent) either did not specify the impact of the breach when reporting it to the ICO or did not know the impact at the time of reporting.
Jennings pointed out that continuous evaluation is vital: "Maintaining visibility of data requires continually evaluating how changes to technologies in use by the business impact detection and response capabilities. For example, if some key data and services move to the cloud then EDR solutions may not cover certain use cases anymore and a new plan will be needed. On the other hand, if new systems are deployed without notification then hunt teams need to be able to identify when that happens through visibility of interactions with existing systems and ensure that the correct monitoring is then applied to them in order to maintain capabilities."
Timing also matters for breach discovery and notification. Saturday was the most common day for businesses to fall victim to a data breach, presumably because attackers hope the intrusion will go unnoticed until the Monday, while nearly half of breaches (87 of 181) were reported to the ICO on a Thursday or Friday.
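The figures the article reports (time to detect, time from detection to notification, the 72-hour GDPR window and the weekday pattern) are all derived from the same three timestamps per incident: estimated compromise, detection and report. The following is an added example of how an incident response team can compute those metrics from its own case records; it is not Redscan's analysis or code from the article, the incident records are constructed, and the field and case reference names are assumptions.

```python
"""Breach-timeline metrics: dwell time, notification delay, 72-hour compliance
and weekday patterns. Added example; the records below are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# GDPR Article 33: notify the supervisory authority within 72 hours of
# becoming aware of the breach. The clock starts at detection, not at the
# initial compromise, so a long dwell time by itself is not a violation.
GDPR_NOTIFY_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class Incident:
    ref: str                # hypothetical case reference
    compromised: datetime   # best estimate of initial intrusion
    detected: datetime      # when the organisation became aware
    reported: datetime      # when the regulator was notified


# Constructed sample records (not real ICO data). Three of the four
# intrusions land on a Saturday, mirroring the pattern the article describes.
INCIDENTS = [
    Incident("INC-A", datetime(2017, 7, 1, 10), datetime(2017, 9, 29, 10), datetime(2017, 10, 20, 10)),
    Incident("INC-B", datetime(2018, 1, 13, 2), datetime(2018, 1, 15, 9), datetime(2018, 1, 17, 15)),
    Incident("INC-C", datetime(2017, 11, 2, 12), datetime(2018, 3, 2, 12), datetime(2018, 3, 5, 12)),
    Incident("INC-D", datetime(2018, 2, 3, 20), datetime(2018, 2, 4, 8), datetime(2018, 2, 8, 9)),
]


def time_to_detect(inc: Incident) -> timedelta:
    """Attacker dwell time: compromise to detection."""
    return inc.detected - inc.compromised


def time_to_report(inc: Incident) -> timedelta:
    """Notification delay: detection to report (the GDPR clock)."""
    return inc.reported - inc.detected


def within_gdpr_window(inc: Incident) -> bool:
    """True if the regulator was notified within 72 hours of detection.
    Exactly 72 hours is treated as compliant."""
    return time_to_report(inc) <= GDPR_NOTIFY_WINDOW


def late_reporters(incidents):
    """Case references that exceeded the 72-hour window."""
    return [i.ref for i in incidents if not within_gdpr_window(i)]


def _days(td: timedelta) -> float:
    return td.total_seconds() / 86400


def summarise(incidents):
    """Aggregate the metrics the ICO-style analysis reports."""
    detect = [time_to_detect(i) for i in incidents]
    report = [time_to_report(i) for i in incidents]
    return {
        "total": len(incidents),
        "mean_days_to_detect": mean(_days(d) for d in detect),
        "max_days_to_detect": _days(max(detect)),
        "mean_days_to_report": mean(_days(r) for r in report),
        "max_days_to_report": _days(max(report)),
        "compliant": sum(within_gdpr_window(i) for i in incidents),
        "compromise_weekday": Counter(i.compromised.strftime("%A") for i in incidents),
        "report_weekday": Counter(i.reported.strftime("%A") for i in incidents),
    }


if __name__ == "__main__":
    s = summarise(INCIDENTS)
    print(f"{s['compliant']}/{s['total']} within 72h; late: {late_reporters(INCIDENTS)}")
    print(f"mean detect {s['mean_days_to_detect']:.1f}d, mean report {s['mean_days_to_report']:.1f}d")
    print("compromise by weekday:", dict(s["compromise_weekday"]))
    print("report by weekday:", dict(s["report_weekday"]))
```

Keeping the compromise estimate and the detection time as separate fields is what makes the two headline numbers distinct: dwell time measures detection capability, while the detection-to-report delay is the only interval the 72-hour rule judges.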
Matt Walmsley, EMEA director at Vectra told SC Media UK: "Detection and response capabilities are a major security gap that’s important and urgent for many organisations to still address as the ability to know if one is compromised is fundamental to effective risk management. It still takes way too long before an active attacker is discovered inside an organisation, and whilst the latest reports show that attacker dwell times are slowly trending down, that doesn’t tell the whole story, nor should we be complacent."
"To mitigate damage, attacks must be detected in real time before key assets are stolen or damaged. Traditionally, detecting and responding to targeted attacks is a very time-consuming process and requires security teams to manually sort through mountains of alerts. It’s here that AI is increasingly powering automated capabilities to detect and prioritise threats at speed and scale that humans alone simply cannot achieve. In this way, man and machine work together to get ahead of attackers, and ultimately reduce their organisation’s risk."