New analysis from the Aberdeen Group, based on data provided by Verizon, provides fresh evidence quantifying the cost of time in two different incident types: data compromises and sustained disruption in service availability. These findings underscore the urgency for cybersecurity practitioners to minimize detection and containment time.
According to the McAfee commissioned report by Aberdeen, Cybersecurity: For Defenders, It’s About Time, the business impact from a data breach is the greatest at the beginning of the exploit, when records are first compromised. That’s logical, since attackers want to get in and out with the goods (your data) in as little time as possible. Most responders are closing the barn door well after the horse has gone, when most of the damage has already been done.
However, in contrast, the business impact from a sustained disruption in availability continues to grow from the time of compromise to the time of remediation. As illustrated below, a 2X improvement in your time to detect and respond to an attack translates to a roughly 70 percent lower business impact.
Aberdeen Group concludes that time to detection remains a top challenge for defenders responding to cyberattacks, putting enterprises at risk. The report discusses that in more than 1,300 data breaches, investigated between 2014 and 2016, half of detections took up to 38 days, with a mean average of 210 days, an average skewed by some incidents taking as long as four years.
This data shows that cybersecurity practitioners can improve their ability to protect business value if they can implement strategies that prioritize faster detection, investigation, and response to incidents.
In the study, Aberdeen Group provides four illustrative examples of how recapturing an advantage of time can help defenders to reduce their risk, with suggestions on countermeasures and counterstrategies. Some highlights include use of the latest identification and containment technologies:
- Before zero-day: identification (e.g., through reputation, heuristics, and machine learning). Attackers have become increasingly adept at morphing the footprint of their malicious code, to evade traditional signature-based defenses. But advanced pre-execution analysis of code features, combined with real-time analysis of code behaviors, are now being used to identify previously unknown malware without the use of signatures, before it has the opportunity to execute.
- After identification: containment (e.g., through dynamic application protection, and aggregated intelligence into active threat campaigns). Advanced endpoint defense capabilities now allow potentially malicious code to load into memory — but block it from making system changes, spreading to other systems, or other typically malicious behaviors. This approach provides immediate protection, and buys additional time for intelligence —gathering and analysis — without disrupting user productivity.
For data center and cloud security, some of the above endpoint tactics can be applied to server and virtual workloads to protect against both known and unknown exploits. Aberdeen Group also suggests you can improve your results through shielding and virtual patching tactics. This concept has been around for years, but is especially helpful when assets are centralized.
- Virtual patching: Sometimes known as external patching or vulnerability shielding — establishes a policy that is external to the resources being protected, to identify and intercept exploits of vulnerabilities before they reach their intended target. In this way, direct modifications to the resource being protected are not required, and updates can be automated and ongoing.
- Strategic enforcement points: Design using fewer policy enforcement points (i.e., at selected points in the enterprise network, as opposed to taking the time to apply vendor patches on every system)
As an industry, we are spending more and working harder to shorten the time advantage of the attacker. Modern tools and thoughtful practices in endpoint and data center infrastructure complement the analytics and automation investments that are transforming the Security Operations Center (SOC), technologies such as anomaly detection and threat intelligence correlation.
This report shows that we still have work to do, and provides evidence for CIOs and the board that there’s a clear business incentive to continue to act.
To read the full report, visit https://mcafee.ly/2r0VNBq.