Security Experts:

Hacked in 276 Seconds - Timely Intelligence Improves Ability to Thwart Cyber Attacks: Survey

Actionable Security Intelligence

Timely Security Intelligence and Quality Reporting can Improve an Organization’s Ability to Stop Cyber Attacks

Just 4.6 minutes of advance warning can mean the difference between a successful compromise or breach and a thwarted cyber-attack, according to a new Ponemon Institute study.

Organizations who were able to successfully block cyber-attacks said they needed actionable intelligence 4.6 minutes in advance to prevent the attempt to become a compromise or breach, according to a Ponemon Institute report on how organizations view threat intelligence released Wednesday. Slow, outdated, and insufficient threat intelligence is costing organizations a lot of money because the administrators don't have the information necessary to prevent compromises, breaches, and exploits, the report found.

Organizations in the study spent an average of $10 million in the past 12 months to resolve the impact of exploits, the study found. Interestingly, if the organization had access to actionable intelligence about the attack within 60 seconds of it occurring, their cost of mitigation dropped, on average, by 40 percent. That translates to approximately $4 million in savings.

While startling, these numbers are not surprising, Sam Glines, CEO of Norse, said in a statement accompanying the study.

Enterprises "need an advanced level of threat intelligence that shrinks the interval between attack identification and mitigation down to minutes or even seconds if they are to survive the modern-day cyberthreat juggernaut," Glines said.

Current "real-time" threat intelligence is not fast enough, as it delivers the responses on a slight delay, he said. Enterprises think they have access to only after-the-fact intelligence, but that insight is coming too late to be effective. Nearly 23 percent of the respondents said it can take as long as a day to identify a compromise, and 49 percent said it can take within a week to more than a month.

Nearly 60 percent of the respondents said they were unable to stop exploits because they either had outdated, or not enough, threat intelligence. A similar number, 57 percent, of the respondents said threat intelligence currently available to companies are generally too stale. The available intelligence didn't provide defenders with the necessary information for to grasp and understand the motivations, tactics, and locations, of the attackers.

Organizations who were unable to detect attacks as they were occurring said 12 minutes of advance warning is sufficient to stop them from becoming compromised. These organizations "are not as aware of the need for timely intelligence," the report said.

Enterprises are using a wide range of technologies to gather threat intelligence, ranging from SIEM to IDS to IAM and firewalls, but have mixed feelings about the efficacy of these tools, the report found. Only 22 percent of respondents rated the security products they had between a seven and a ten, with ten being the most effective. All the rest rated the effectiveness between a one and a six, the report found.

On average, companies spend about $95 million on IT and 14 percent of this is allocated to IT security, the survey found. From there, the average budget for systems and processes that produce intelligence about cyber-threats is 20 percent of the IT security budget, or approximately $3 million, the report (PDF) found.

About 35 percent of survey participants, ranging from technicians on the staff level to executive vice-presidents, said they rely on the IT security team's "gut feel" to determine whether or not an attack will occur. Only 23 percent say their organizations relied upon precise intelligence.

The combination of timely intelligence and quality reporting can improve an organization’s ability to stop attacks, the report said. Organizations need intelligence reports that are clear, concise and unambiguous so that quick actions can be taken, and the information needs to be delivered to the relevant parties according to a pre-determined list of priorities.

Intelligence data needs to be integrated with SIEM and other network monitoring tools, and include trend data such as the velocity or the frequency of attacks. The use of big data could strengthen an organization's cyber-security posture. A little over half of the respondents said Advanced Persistent Threats (APTs) were their greatest concern, and a similar number were most concerned about root kits. About 45 percent of the survey participants said SQL and code injection was their biggest worry.

A little over a third of the participants said that criminal syndicates posed the biggest threats to their organizations, compared to 19 percent who viewed state-sponsored attackers as the greatest threat.

The survey included 708 IT and IT security professionals from 378 enterprises across 14 industry segments, including financial services, health and pharmaceuticals, and the public sector. Only 10 percent of the respondents knew with absolute certainty that a material exploit or breach to their networks and systems had occurred, the report found.

"The benefits of having actionable intelligence include a stronger security posture and greater awareness about when a network or system has been compromised," the study concluded.

The full report is available here in PDF format.

Related Reading: Predictive Intelligence - Key in Today's Security Environments

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.