Breach Detection Time Is Dropping, FireEye Finds

FireEye's Mandiant M-Trends report reveals that most breaches are not found by enterprises on their own.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

breach detection

FireEye's Mandiant division came out on Feb. 24 with its M-Trends 2015 report, revealing the current state of breach discovery on the IT landscape.

Among the top-level findings in the report was that the median number of days before a breach was discovered in 2014 was down from previous years. In 2014, that number was 205 days, down from 229 days in 2013 and 243 days in 2012. How enterprises actually find out about breaches was another key finding. In 2014, only 31 percent of breaches were self-detected by enterprises, down from 33 percent in 2013.

There are a number of reasons why more data breaches are discovered and reported by third parties than by enterprises working on their own.

"Over the last several years, organizations like the Federal Bureau of Investigation [FBI] have gotten increasingly involved in notifying U.S businesses that they have been identified as being compromised," Ryan Kazanciyan, technical director at Mandiant, told eWEEK. "The result of the FBI's efforts has led to increasing numbers of victim notifications."

Similarly, Kazanciyan noted that many of the breaches detected in retail are first detected by the card brands such as MasterCard and Visa. The card brands have done a good job of detecting fraudulent activities at the business-process level, he added.

The M-Trends report also identifies a particularly worrisome phishing trend. According to the report, 78 percent of all phishing schemes that FireEye saw in 2014 involved attackers who were posing as an IT department.

"It's really hard to expect much more from users, since many go through phishing awareness training and they do the best they can," Kazanciyan said. "We have to get to the point where we allow the user to screw up but it's still OK because the incident can be contained."

Kazanciyan emphasized that awareness training can't solve all phishing-related risks. An elaborate and well-crafted phishing message might still succeed, even in an organization where employees have had phishing awareness training, he noted.

"You have to rely on the controls that operate in spite of user error," Kazanciyan said. "You have to let people do their jobs and can't expect that people won't fall victim to sophisticated phishing techniques."

HP published a report this week that identified lack of patching as a key path to enterprise exploitation. HP found that 44 percent of breaches could be attributed to already patched vulnerabilities. However, while patching is important, it's only one part of the full picture on breach detection and avoidance, Kazanciyan believes.

"Patching is often impactful for the initial entry vector, the initial foothold in the environment," he said. "So maybe a user had an old version of Adobe Reader that had not yet been patched, for example."

Patching, however, doesn't address zero-day risks, when an attacker uses some form of unknown exploit to get in. In Kazanciyan's view, what's even more important than patching is the defensive posture of an IT environment, in terms of how it is aligned for a defense in depth strategy.

"The basic principle is that any endpoint in your environment can be compromised, so how do you contain the incident so that it doesn't propagate?" he said.

The challenge, according to Kazanciyan, is that since network architecture and controls have not changed to keep pace with modern threats, most companies are only a single endpoint exploit away from an attacker being able to achieve an enterprisewide data breach.

"So many companies still permit an open internal model, where any connection to any other internal system is accepted," he said.

As such, an attacker doesn't have to directly target a specific individual in an organization to get information. Instead, the attacker can attack anyone in a given company and then get credentials and laterally access whatever information the attacker wants.

Kazanciyan explained that access controls on the network side as well as on the operating system layer can lock down an environment. The challenge for IT is that an open network is functionally easier to set up and operate than one that is locked down with controls.

While there is a challenge in deploying a more controlled network environment, with proper configuration "choke points" can be set up to enable more effective network monitoring, Kazanciyan said. Those choke points could include areas of the network that regular users should not be permitted to access.

"So instead of having to keep track of all the noise in an overly permissive environment, you're focusing your monitoring on a few select points," Kazanciyan said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.