Report: Average time to detect and contain a breach is 287 days



Incident engineers at Blumira found that organizations’ time to detect and respond to threats directly affects their bottom line — the longer a breach takes to detect and contain, the higher the overall cost. According to a new report by Blumira and IBM, the average breach lifecycle takes 287 days, with organizations taking 212 days to initially detect a breach and 75 days to contain it. Blumira users decreased their time to detect to 32 minutes, 99.4% faster in comparison to IBM’s reported average of 212 days, or 5,088 hours. Users also decreased their average time to respond to 6 hours, 99.7% faster than the overall average of 75 days, or 1,800 hours, reported by IBM.

The report found that access attempts were a common theme, as the pandemic forced many organizations to move to cloud services to support their remote employees. For organizations without a solid understanding of their exposed attack surface, moving to a cloud environment only highlighted that knowledge gap. Threat actors take advantage of those knowledge gaps by exploiting, misusing or stealing user identities.

Attempts to authenticate into a honeypot (a fake login page designed especially to lure attackers) were Blumira’s top finding of 2021. Identity-driven techniques accounted for three out of Blumira’s top five findings at 60%. Cloud environments are particularly vulnerable to identity-based attacks such as credential stuffing, phishing, password spraying and more. Rapid detection of these attacks can enable organizations to respond and contain an identity-based attack faster, helping stop an attack from progressing further.

Research also observed usage of living-off-the-land (LotL) techniques, which threat actors use to stealthily remain undetected in an environment. They do so by leveraging built-in Microsoft tools that make it appear as though they are legitimate users within an organization’s environment. LotL techniques involve using tools that already exist within a system to conduct attacks. Many of these tools are used by sysadmins for legitimate work, making it difficult for defenders to distinguish between malicious behavior and an admin simply doing their job.

Among Blumira’s top findings were various instances of LotL techniques, including: Service Execution with Lateral Movement Tools (#4), PsExec Use (#16), and potentially malicious PowerShell command (#18). Taking place over days or weeks, these types of attacks can go undetected by endpoint detection and response (EDR) solutions that rely on the detection of known malicious tools. By that time, it may be too late — for example, when an attacker introduces malware into the environment.
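Detection logic for two of the LotL findings named above (PsExec use and potentially malicious PowerShell commands), as an added example that is not from the Blumira report or from VentureBeat. The event records are constructed to resemble a Windows System event 7045 (service installation) and a Security event 4688 (process creation); the field names and the sample hosts are assumptions.

```python
import base64
import re

# Constructed sample events (not real logs); field names are assumptions.
# PsExec installs a service named PSEXESVC on the target host, which shows
# up as a System event 7045; encoded or hidden-window PowerShell launches
# show up in the command line of a Security event 4688.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "ws01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"event_id": 7045, "host": "ws02", "service_name": "Spooler",
     "image_path": r"%SystemRoot%\System32\spoolsv.exe"},
    {"event_id": 4688, "host": "ws01",
     "command_line": "powershell.exe -NoP -W Hidden -EncodedCommand "
     + base64.b64encode("Get-Process".encode("utf-16-le")).decode()},
    {"event_id": 4688, "host": "ws03",
     "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# PowerShell accepts abbreviated forms of -EncodedCommand; the payload is
# base64 of a UTF-16LE string.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Return (host, finding, detail) tuples for PsExec service installs and
    PowerShell launches that use an encoded command or a hidden window."""
    findings = []
    for ev in events:
        if ev.get("event_id") == 7045 and ev.get("service_name", "").upper() == "PSEXESVC":
            findings.append((ev["host"], "PsExec Use", ev["image_path"]))
        elif ev.get("event_id") == 4688 and "powershell" in ev.get("command_line", "").lower():
            cmd = ev["command_line"]
            decoded = decode_encoded_command(cmd)
            if decoded is not None or HIDDEN_FLAG.search(cmd):
                findings.append((ev["host"], "Potentially malicious PowerShell command", decoded or cmd))
    return findings


if __name__ == "__main__":
    for host, finding, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {finding} -> {detail}")
```

A plain `-File backup.ps1` launch produces no finding, so the detector is a starting point for triage rather than a blocklist of PowerShell itself.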

Blumira’s platform incorporates hundreds of different findings that detect suspicious behaviors that may indicate an attack in progress. This report is based on research from 33,911 key findings from a sample including 230 organizations, which took place over the course of 2021.

Read the full report by Blumira and IBM.
