Some 50% of security specialists took two days or longer to detect and remediate breaches, while another 7% knew neither the dwell time nor how to solve the issues, according to a survey by SANS Institute.
The length of time from an attacker’s initial entry into a network to the detection correlates most closely to the total cost of a breach. The longer an attacker has free access on a network, the more substantial the data loss, severity of customer data theft and subsequent regulatory penalties. In 2014, the average consolidated total cost of a data breach rose 23% from 2013 to $3.8 million, according to HOTforSecurity.
Some 37% of the respondents cited an average dwell time as less than 24 hours, while 36% of organizations took 24 hours or less to remediate real breaches. The figures show a modest improvement over the previous survey, in which 30% remediated breaches in 24 hours or less, while 17% took one to two days to remediate, 51% took more than two days to remediate and 6% took three months or longer.
Nearly four in 10 respondents say their teams can’t distinguish malicious events from non-events, and 45% cited lack of visibility into events across a variety of systems and domains as key impediments to effective incident response (IR).
“These answers suggest the need for more precise conditions for security information and event management (SIEM) alerts, as well as the need for more specialized IR skills,” authors of the study found. “Skills, while in demand, are also hard to come by, with 66% of survey takers citing a skills shortage as being an impediment to effective IR.”
More than half of the security specialists surveyed (54%) cited budgetary shortages for tools and technology, 45% lack visibility into system or domain events, 41% lack procedural reviews and practice, and 37% have trouble distinguishing malicious events from non-events.
The study was conducted on 507 respondents – more than half being security analysts, CSOs and CIOs – from 14 regions and countries, with many from global organizations.