Much like an undiagnosed illness, a network compromise can go unnoticed for months: cybercriminals are managing to stay undetected long after breaking into corporate networks, a new study has found.
According to a report from the Ponemon Institute and sponsored by Arbor Networks, the average dwell time for retail companies – the duration for which attackers go undetected on a network – is roughly 197 days. The financial services industry fared slightly better, with an average time of 98 days.
The figures came from a survey of 844 IT and IT security professionals in the financial sector and 675 in the retail industry from North America as well as 14 countries in Africa, the Middle East and Europe.
“The big takeaway from our research is that more investment is needed in both security operations staff and in security tools, which can help companies efficiently and accurately detect and respond to security incidents,” said Dr. Larry Ponemon, chairman and founder at the Ponemon Institute, in a statement. “The time to detect an advanced threat is far too long; attackers are getting in and staying long enough that the damage caused is often irreparable.”
Many organizations have focused their resources, processes and tools on correlating and prioritizing security alerts from perimeter and internal devices, noted Arabella Hallawell, vice president of corporate strategy at Arbor Networks. This approach, she explained, does not scale, and it slows the detection and containment of targeted attacks for four main reasons: the huge growth in the number of alerts, the high percentage of false positives, the ease of missing the signs of a targeted attack, and the number of locations and assets not covered at all.
The business of defeating distributed denial-of-service attacks (DDoS) was not an easy one for respondents either. The survey found that just 39 percent of the retail companies surveyed said they either ‘strongly agree’ or ‘agree’ that they are effective in containing DDoS attacks. While half of the companies said they consider DDoS an advanced threat, only 13 percent said they were involved in threat intelligence sharing with the government or other businesses about DDoS attacks.
According to the survey, 71 percent of the respondents view technology that provides intelligence about networks and traffic as the most promising for stopping or minimizing advanced threats during the phases of the cyber kill chain. Still, only 43 percent said they have established threat sharing with other companies or the government when it comes to combating advanced threats.
When asked what steps they have taken to minimize advanced threat attacks, the most common responses were installing controls to prevent infiltration (48 percent) and implementing incident response procedures (45 percent).
“Many organizations do not have dedicated IR [incident response] teams or plans,” said Hallawell. “Some don’t have security operations teams; some don’t even have dedicated security teams. The level of maturity to have trained people, process and tools for IR is quite high, and many verticals have not had the budget or perceived need to invest. Many will now divert resource to building out this new function.”