How to Improve Breach Detection Time | The world went largely remote in 2020 due to the pandemic, and as a result, data breaches went up. These breaches increased in number as well as cost and impact. According to IBM, the average data breach now costs $4.24 million.
In the same study from IBM, the research team found it takes an average of 212 days to detect a data breach. From there, it takes an average of another 75 days to contain it. In the long window of time it takes to detect a breach, the attackers are busy learning, watching, and waiting.
The term has an official name—breach detection gap.
So why is there such a long gap, and what can you do?
The Reasons for Breach Detection Gaps
The breach detection gap is the result of the stealthy actions of hackers but also failed detection on the part of a company. Hackers can wait until they’ve fully compromised a network, or they might simply work in the background and not be detected at all.
When a hacker waits before taking action, they’re gathering intelligence. They’re learning more about your security, network pathways, and data. Then, once the hacker does strike, they’re fully prepared to take full advantage.
In a second scenario, hackers are acting in the background for long periods of time. These situations are usually due to problems in your security, monitoring, and detection systems and protocols.
Remote work led to an increasingly distributed infrastructure that worsened breach detection gaps in many cases.
Complications making it harder to detect a potential breach include:
- Networks are increasingly complex. IT teams may not necessarily be familiar with the complexity of the infrastructure.
- Security needs to be layered and robust, and usually, this means implementing a Zero Trust architecture. Not all organizations are up-to-date on the need for Zero-Trust yet.
- Another complicating factor is that as we all went remote whenever possible, IT teams weren’t ready and didn’t have the resources they need to deal with new challenges.
- In distributed environments, security is siloed, and there isn’t a holistic view.
How Can You Improve Detection?
The detection gap is a big issue, but there are things you can do.
As touched on above, a Zero Trust security model is one of the best, and it needs to be a key priority going into the new year.
Zero Trust is a modern response to perimeter-based security, which is no longer relevant or effective.
Zero Trust is built on the idea of verification before authorization. Basically, the model is developed on a strategy of trusting nothing and verifying everything.
Zero Trust requires verification of users with multiple approaches like multi-factor authentication (MFA) instead of simply using username and passwords to be granted resource access. This is the case for all attempted logins and not just initial network access. The benefit here is the prevention of lateral movement if there is a breach.
Identity-based policies are among the most important things you can utilize right now, to reduce the time to detect a breach and make sure all users have access to only what they absolutely need to fulfill their job role.
When you have a general preparedness plan in place, it also shows you can detect breaches faster, respond more appropriately and recover more quickly as well. This can sometimes be described as having a high-security posture. Part of a high-security posture includes:
- An adequate budget and staffing for security technologies
- Strategic investments in technologies that enable security, like encryption
- Employee training and awareness programs to reduce negligence and error
- Ongoing assessments and audits to identify vulnerabilities
- Assessment and management of third-party risk
Having an incident response plan can help you on a holistic level.
You also need to consider the potential of insider threats, which, as you can imagine, can go undetected even longer than threats from the outside. For example, internal attacks include modifying or stealing corporate information, theft of trade secrets, and network or database sabotage.
You’ll need monitoring and reporting tools that give you insights on a granular level and provide automated flagging as required.
A unified directory may be part of your strategy to accommodate remote work too.
Right now is the time to assess how long it could potentially take to detect a breach if it were to occur and take the necessary steps to improve your detection. It should be a strategic priority for the new year as part of a potential move to a Zero-Trust Security model.