Mandiant: Companies are getting worse at detecting data breaches

News by Tim Ring

Organisations are getting worse at spotting security breaches and attackers still spend two-thirds of a year on corporate networks before being indentified, according to a new Mandiant report.

In response, the firm is urging people to change their mindset from “I can secure everyone” to “I am going to be attacked, what can I do to detect and contain that problem quicker and less expensively”.

Beyond the Breach', the fifth annual M-Trends report on advanced targeted attacks, published on 10 April by FireEye which now owns Mandiant, says that in 2013 just one-third of organisations detected breaches on their own – down from 37 percent the year before.

On the upside, organisations are finding breaches in their networks faster (229 days versus 243 in 2102), but that still leaves attackers spending two-thirds of the year on the networks before being found.

Jason Steer, director of technology strategy for FireEye EMEA, says breach detection “is by far the biggest challenge”. He told “Detection is incredibly difficult and there isn't really any consistency because there aren't the products out in the market to do this I'm afraid. The gap between the attackers and defenders has never been wider.”

So Steer said: “Rather than ‘I can secure everyone' the mindset has to change to ‘I am going to be attacked, breaches are going to be an inevitable consequence of using the internet to do business, what can I do to detect and contain that problem and mitigate that risk quicker and less expensively?”

Information security researcher David Lacey, an expert on APT advanced attacks, was not surprised that the breach detection problem remains. He told via email: “Enterprises have always been poor at detecting attacks and frauds. At least the average dwell time of APT attacks is reducing. But we need to get it down to weeks from years.”

As well as security products, Steer was critical of some end users, saying: “The vast amount of customers we meet do not have an incident response plan.”

“Maybe we should educate our users a little bit more. End users are very often the weakest link in all security. A really strong message is you need a combination of the right people, the right products and the right processes to make that whole preparation, detection, validation and remediation process work smoothly.”

The report itself says: “To attack the security gap, organisations need smart people, visibility into their networks, endpoints and logs. Organisations also need actionable threat intelligence that identifies malicious activity faster.”

The M-Trends report also examines how companies are infiltrated – and finds phishing emails try to exploit trust in IT departments, with 44 percent of observed emails impersonating the IT department of the targeted organisation.

At the industry level, it said attacks in 2013 rose in two key industries: financial services (up from 11 percent of attacks to 15 percent) and media & entertainment – nearly doubling from seven percent of attacks to 13 percent.

At the international level, the report says the Chinese government and financial criminals are the most advanced and well-funded threat actors.

Mandiant last year famously exposed the APT1 cyber spy group as part of the Chinese People's Liberation Army – and this year's report tests the impact of that revelation. The report examines “whether revelations of China's state-sponsored cyber activity could spur a diplomatic solution to the problem of nation-state cyber espionage on behalf of private sector entities?”

Unfortunately, it says: “Within a short period of time we had our answer: no.” APT1 went quiet then “returned to consistent intrusion activity” around 160 days after its exposure.

This year's report also highlights Iran as a more active threat, saying that while it currently uses less advanced approaches than others, “it won't be hard for them to get more sophisticated. They also don't necessarily need advanced capabilities in order to have a big impact.”

Lacey commented: “It's not surprising to hear that Iran might be on the offensive, as they've been a major target themselves. And there's little difference in the skills required for attack or defence. Some authorities would even argue that attack is the best form of defence.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews