Attack detection has come along in leaps and bounds over the past few years and is improving still. Over the past few years, cyber-attack detection has seen enormous investment and progress across the world, making it is possible now to detect even the stealthiest and most innovative of attackers faster than ever before. And for many years, security experts have vocally advocated the need for enterprises to invest evenly across Prediction, Prevention, Detection and Response.
From a survey conducted by cyber security company F-Secure, prevention still takes the lead in investment, with 40% of enterprises naming it as their highest cost. Detection is gradually climbing up the priority list, coming in as the second highest for 34% of enterprises whilst Response is currently the lowest priority and spend for 44% of enterprises. Most data breaches are opportunistic attacks against smaller companies unprepared for a sophisticated cyber-attack. According to Gartner, by the end of 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, which is an increase from less than 30% in 2016. One major issue to consider is that there is still a large time gap between an attack being detected and the appropriate response actions being taken to contain and remediate it.
According to the Ponemon Institute, it takes an average of 69 days to respond to an attack once it has been detected. The actual detection itself takes on average 100 days from the initial compromise. The median cost to resolve a breach is upwards of R350 000 per day. This is not counting other associated costs, such as system downtime, recovering lost or compromised data, restoring business-critical functions, paying regulatory fines, and managing both public relations and the increase in customer queries and communications. The faster a data breach can be contained by an organisation, the lower the cost and impact to the organisation. There are a number of complex reasons for the response gap which were covered in a previous presentation on working with improved technologies and the people who know them best, which can be obtained by sending through a request for the related document. In summary, the response gap is usually due to an organisation’s structural set-up, including how much investment is given to response with the major reasons for gaps in response times due to attacks not being actioned appropriately, organisation not having the right technology to respond and cyber skills shortages.
Such responses gaps can be problematic financially and for other reasons and there are a number of reasons why the response gap is not sustainable against the current and evolving threat landscape. One of these is that evidence, and the learnings from it, fades over time. The longer it takes to respond, the greater the cost implications and the less an organisation can glean crucial information about the attack, including how the attackers got in, what they targeted, and if they were successful – all of which are crucial to minimize the wide-ranging potential impacts. Forensic and log evidence, especially, suffer with the passage of time, due in many cases to log retention policies not being in line with an organisation’s threat profile. The fluidity of many IT estates means technology gets updated, employees come and go and also companies get acquired by other companies. All of these contribute to evidence becoming obsolete or deleted.