Surveying 691 incident response investigations from its customers, Trustwave's 2014 study investigated everything from the data, systems and verticals being targeted by hackers to intrusion methods and application vulnerabilities.
Researchers found that data breach investigations had increased 54 percent year-on-year over 2012 and put this down to there being more cyber-criminals and growing visibility in the press.
At a roundtable in London on Tuesday, Trustwave ran through numerous figures and many of these made for familiar reading; POS breaches accounted for a third of investigations, ecommerce made up 54 percent of targeted assets and retail was the top compromised sector, followed by financial services.
These attacks were carried out mainly using existing tools and common vulnerabilities – 85 percent of exploits were down to third-party plugins while weak passwords accounted for 31 percent of compromises.
The reasons for attack are changing in some quarters, though, with Trustwave's report indicating that 45 percent of data thefts involved non-payment card data.
Keeping the attackers out seems to be an ‘if, not when’ you get breached strategy but, worryingly for companies, even their ability to detect and respond is being severely hampered. Speaking at the event in London, Trustwave director John Yeo said that 20 percent of intrusions were “unknown” owing to “insufficient evidence”, something he attributed to poor logging and attacker versatility.
“This really talks of the business inability to get the detective and monitoring controls right – they didn't get the necessary evidence,” said Yeo. “[They're] not even capturing basic logging, or getting the fundamentals right,” he added.
Asked by SCMagazineUK.com if this was the fault of poor tech implementation or a lack of training, Yeo admitted that it could be both but said that companies are starting to deploy SIEM solutions.
Dr Adrian Davis, managing director at (ISC)² EMEA, said that companies need to identify what's normal in their analytics.
“It's about identifying what's normal and then keep going,” said Davis, a former analyst at the Information Security Forum. “Too often, they suffer a data breach, and organisations kind of stop. Everyone's running around like a headless chicken,” he added before urging the need for an incident response plan.
He went on to detail the need for proper log management.
“Logs do not need to be kept beyond three to six months,” said Davis. “So if the logging is only 30 days by the time they are called in, the logs are overridden.”
“It's a practical thing,” said Dr Geraint Price, lecturer in information security at the Royal Holloway University. “I wouldn't want to keep logs for six months.”
Matt Palmer, chair of the Channel Islands Information Security Forum (CIISF), said that it's also an issue of keeping the right logged information and whether the organisation is making use of that.
Detection can go on for months
Proper log management has its advantages, and this is borne out in Trustwave's finding that organisations that detect breaches themselves move to remediation much faster than those that rely on third parties.
The firm's data revealed that the median time from intrusion to detection was 87 days, and another seven days to containment.
When data breaches are self-detected, however, Trustwave says that companies go from intrusion to detection in 31.5 days (compared with 108 days when a third party detects the breach) and from detection to containment in just a day (compared with 14 days).
These companies are clearly in the minority though, as Trustwave indicates that 71 percent of victims did not detect themselves and instead relied on a third party.
“Organisations able to self-detect have much better time frames with containment, and shorter windows from intrusion to detection,” said Yeo.
Outsourcing carries own risks
Panellists also discussed the risks of outsourcing, a topical issue given the Target breach, and the report neither confirmed nor denied that third parties can be riskier than the company's own IT teams.
Trustwave states that 46 percent of data breaches were down to ‘outside’ companies, with this figure at 54 percent for in-house IT. Yeo said that this would likely be higher for those companies making “very poor” outsourcing decisions, but Price said that outsourcing was no guarantee of success.
“Outsourcing clearly provides no guarantee of getting better results,” he said.
In terms of responding to data breaches, the panel said that companies should be focusing on detective work, such as sniffing around suspicious outbound data, suspicious files, geographic anomalies, changes to the Windows registry and account activity.
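The detective work the panel describes, as an added worked example that is not part of the article or of Trustwave's report: a Python sweep over a handful of constructed log lines that flags three of the signals listed above, namely one account logging in from two countries within a short window, a host whose outbound byte count jumps far above its own earlier traffic, and a write to a Windows Run autostart key. The log format, field names, host names, the ten-times threshold and the two-hour window are all assumptions made for this illustration.

```python
"""Detection sweep over constructed log lines (example code, not the report's).

Three checks that correspond to the panel's list of detective work:
  * impossible travel  - one user, two countries, short time window
  * outbound spike     - a host sending far more than its own earlier baseline
  * autorun change     - a write under a Windows Run/RunOnce registry key
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample logs (assumed format: <ISO timestamp> <event> key=value ...).
SAMPLE_LOGS = """\
2014-05-20T08:02:11Z auth user=alice src_country=GB result=success
2014-05-20T08:40:53Z auth user=alice src_country=GB result=success
2014-05-20T09:15:02Z auth user=bob src_country=GB result=success
2014-05-20T09:51:44Z auth user=bob src_country=BR result=success
2014-05-20T10:00:00Z netflow host=pos-07 direction=out bytes=180000
2014-05-20T10:00:00Z netflow host=pos-08 direction=out bytes=175000
2014-05-20T22:00:00Z netflow host=pos-07 direction=out bytes=9400000
2014-05-20T22:00:00Z netflow host=pos-08 direction=out bytes=170000
2014-05-20T22:01:30Z registry host=pos-07 key=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=svchst op=set
2014-05-20T22:05:00Z registry host=pos-08 key=HKLM\\Software\\Contoso\\Settings value=Theme op=set
"""

# Autostart locations worth alerting on; the list is illustrative, not exhaustive.
AUTORUN_KEYS = (
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
)


def parse_events(text):
    """Turn each log line into a dict with a parsed timestamp and its key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def impossible_travel(events, window=timedelta(hours=2)):
    """Flag a user whose consecutive successful logins come from different countries within `window`."""
    last_login = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "auth" or ev.get("result") != "success":
            continue
        prev = last_login.get(ev["user"])
        if prev and prev["src_country"] != ev["src_country"] and ev["ts"] - prev["ts"] <= window:
            findings.append((ev["user"], prev["src_country"], ev["src_country"]))
        last_login[ev["user"]] = ev
    return findings


def outbound_spikes(events, factor=10):
    """Flag an outbound sample that exceeds `factor` times the median of the host's earlier samples."""
    history = defaultdict(list)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "netflow" or ev.get("direction") != "out":
            continue
        host, size = ev["host"], int(ev["bytes"])
        if history[host]:  # need at least one earlier sample to form a baseline
            baseline = median(history[host])
            if size > factor * baseline:
                findings.append((host, size, baseline))
        history[host].append(size)
    return findings


def autorun_changes(events):
    """Flag registry writes under any of the autostart keys listed above."""
    prefixes = tuple(k.lower() for k in AUTORUN_KEYS)
    return [
        (ev["host"], ev["key"], ev["value"])
        for ev in events
        if ev["kind"] == "registry" and ev.get("op") == "set"
        and ev["key"].lower().startswith(prefixes)
    ]


def run_sweep(text=SAMPLE_LOGS):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_events(text)
    return {
        "impossible_travel": impossible_travel(events),
        "outbound_spikes": outbound_spikes(events),
        "autorun_changes": autorun_changes(events),
    }


if __name__ == "__main__":
    for check, hits in run_sweep().items():
        for hit in hits:
            print(f"[{check}] {hit}")
```

Each check deliberately works from the organisation's own history (a user's previous login, a host's previous traffic) rather than from a fixed signature, which is the point Davis makes about first knowing what is normal; none of it is possible if the underlying auth, flow and registry logs were never collected or have already rolled over.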
Davis said that incident response plans should not accumulate dust under the carpet but rather be tested on a regular basis.
“Incident response plans are one of those dusty documents that don't really get looked at until the middle of a compromise. It's important to test those plans and procedures.”