Why Does It Take 207 Days To Discover A Breach?

What can I do about it?

With cybercrime on the rise, the question is no longer IF an organisation is going to be compromised… it’s WHEN.

If you think that you’re immune, just look at the size of organisations that have been hacked:

Organisation
When
Impact
LinkedIn
June 2021
700 million users
Facebook
April 2019
533 million users
Marriott
September 2018
500 million customers
Yahoo
August 2013
3 billion accounts
EasyJet
May 2020
9 million customers
British Airways
September 2018
500 thousand customers, nearly half included payment details.

But, when you look at the details, the problem isn’t only that organisations get hacked. The real problem is how long it takes an organisation to discover that a breach has occurred.

207 days

On average, it takes 207 days for a breach to be discovered! (And because this is the average, that means it takes considerably longer in some cases.) This is important because the longer a breach is active, the more damaging it is, and the more expensive it is to clean up.

It can take an average of another 73 days to contain the breach… and even after that, you’ll likely have further cleaning-up to do. (To read IBM’s “Cost of a Data Breach” report on these look here).

Find breaches faster to reduce damage

If you can detect threats sooner — before the end game — you’ll suffer less data loss, less financial loss, avoid ransomware activation, and preserve your organisation’s reputation.

Let’s start with why it takes so long to detect a breach in the first place.

Hacking an organisation is a lot like robbing a bank vault in many ways.

First you have to do your research; work out the layers of defense and where each one is vulnerable.

Next you need to get your kit bag with everything you need, then you need to wait for the right time.

The bank needs to be unoccupied for as long as possible to allow you to get in and out undetected, so you choose a bank holiday weekend. That gives you around two and a half days.

When it’s time, you break in, avoid tripping the alarms, find the safe, crack the lock, and boom, you’re in.

Let’s then compare this to a bad actor attacking your organisation. Ultimately it’s a similar sort of process. They do their research, find the weaknesses in the target, then exploit them to get a foothold, expand and reconnoitre, then steal data, deploy ransomware etc.

The key differentiation is time.

We had 2.5 days to rob a bank vault. However, the average time to find a breach in an organisation is 207 days.

Why is there this difference?

It all comes down to the visibility of the attack.

A bank vault is an obvious physical presence. It’s easy to get eyeballs on it, and to see when something doesn’t look right.

An organisation’s digital estate is many orders of magnitude more complex, and it is not static. It is made up of many moving parts, and many vaults – for example finance data, customer data, employee data, company intellectual property, etc. And these are typically managed by different teams with different skills, using different tools.

To solve this problem, we have to get the equivalent of watching the bank vault.

How can we spot attacks

Let’s take it back to first principles. In order for an attack to happen or propagate, it’s going to need to communicate with other machines.

Yes, there are attacks by USB or other physical medium, but these are relatively rare compared to network oriented attacks. These will still generate network traffic when they phone home or try to scan other machines.

So focusing on the network is a valid approach. There’ll be very few attacks that we won’t see!

The next benefit of focusing on the network is that it is something you control, and it is used for all communications by all your devices, so it gives you a complete picture to work from.

The downside of working with the network is that there are a huge number of events happening every second and we need to be able to filter out the normal everyday legitimate events, and focus on the unusual, the abnormal or events identified as threats.

Get a complete picture with NDR

Network detection and response tools do exactly this job. They see all activity on your network, and apply a mixture of artificial intelligence and rule-based filtering to show you only the events you need to investigate.

This gives a single view of all the evidence of active threats, captured from your network, alerting you in real time to unusual, nefarious and suspicious activity.

And having that insight can dramatically shorten the average 207-day timing to detect a breach.

Ah, but we have tool X...

Some organisations feel that because they have other cyber security tooling — for example endpoint protection, next-generation firewalls, etc — that they already have this view of data.

They definitely have a view of some of the data… but not all of it.

Firewalls see threats on traffic flowing through them, but they cannot see the threats that either don’t pass through the firewall, or aren’t identified by the firewall. It’s unusual for a firewall to be configured to log every event to a SIEM, as this will create a lot of noise and alert fatigue.

And Endpoint Protection will only see threats that hit that endpoint. There are devices on which an organisation cannot install endpoint protection, such as printers, containers, vendor black boxes, cloud services, and high performance devices, e.g. databases. Then there are networks on which your organisation cannot control all devices used, for example public wifi or networks with a BYOD policy.

This leaves a massive gap, which you can fill by using an NDR tool. 

Here’s the killer part of the 207-day statistic: it’s from larger organisations, and they will have reasonable cyber security tooling coverage. So in all probability, the 207 days includes organisations that already have next-gen firewalls and endpoint protection… and those tools didn’t give them enough insight to detect a breach sooner!

Finishing up

NDR is not a magic bullet. Like any tool, it requires skill and time investment to use to its greatest advantage.

It won’t stop every attack, but it helps you see attack footprints much earlier, which in turn allows earlier mitigation before the attacker gets to their end goal.

Want to try NDR for your organisation’s cyber security? Talk to us to set up a 6-week proof of value demonstration on your own network so that you can see the value in action.

Learn about our NDR services.

Leave a Reply

Your email address will not be published. Required fields are marked *