
In its 2016 Data Breach Investigations Report, Verizon used a dataset of 64,199 security incidents and 2,260 data breaches to highlight new patterns, steady trends, and interesting tidbits in the digital threat landscape.

Among other observations, Verizon’s researchers found that the number of incidents that take “days or less” to discover accounts for less than a quarter of the report’s dataset.

That means more than 75 percent of Verizon’s data sample, or around 48,149 security incidents and 1,695 data breaches, went undetected for weeks, months, or even years.

[Figure: DBIR 2016 chart of time to discovery]
Source: Verizon DBIR 2016, p.10

Verizon paints a grim picture of the data breach detection gap. But not everyone agrees with the DBIR’s assessment. On the contrary, a majority of information security professionals are confident – perhaps too much so – in their ability to quickly detect and respond to a breach.

Overconfidence among IT professionals is one of the key takeaways from the Tripwire 2016 Data Breach Detection Survey.

Conducted by Dimensional Research, the survey asked 763 IT professionals from retail, energy, financial services and federal government organizations in the U.S. about their confidence in seven key security controls, the ones that compliance regimes and frameworks such as PCI DSS, SOX, NERC CIP, MAS TRM, NIST 800-53, the CIS Top 20 and IRS 1075 require. Those controls align with United States Computer Emergency Readiness Team (US-CERT) recommendations and international guidance, and they deliver specific, actionable information that helps organizations defend against targeted attacks.

Most respondents for Tripwire’s study were confident in their ability to detect a breach despite not knowing crucial details about how some of their security tools work.

For example, while 71 percent of IT professionals believed they could detect a configuration change to an endpoint on their organizations’ networks in minutes or hours, 67 percent of respondents admitted they didn’t know for sure how long it would take automated tools to detect such a change.

The picture didn't improve when Tripwire broke the responses down by sector.

Take those in finance: 87 percent of security personnel said they could remove an unauthorized device from the corporate network within minutes or hours. But when asked about their ability to detect new assets, three-quarters said they could automatically discover at most 80 percent of their hardware assets, and only 37 percent said their automated tools could reliably capture the details needed to identify unauthorized configuration changes to network devices.

Meanwhile, in Tripwire’s 2016 Retail Security Survey, 95 percent of security professionals in the retail industry said their organization could detect a breach within a month or less, but nearly half (48 percent) of respondents said their breach detection products were only partially integrated.

Tripwire has now released its survey’s findings that specifically relate to the federal government sector.

Unfortunately, those results aren’t any more promising than the ones for retail or finance.

Out of 763 IT professionals, including 134 participants from federal government organizations, more than three-quarters (78 percent) of respondents said they could detect new network devices within hours, but more than half (52 percent) said they were unsure of how long the detection process would actually take.


A similar share of respondents (58 percent) said their automated tools did not collect the information needed to detect unauthorized configuration changes to endpoint devices.

For Tim Erlin, director of IT security and risk strategy at Tripwire, that last finding is especially troubling:

“Unauthorized change is at the root of attack surface growth. When respondents declare that they can detect new devices, but don’t know how long it takes and can’t obtain enough data to identify them accurately, they’re highlighting a significant gap where attackers can live inside their organizations.”
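The findings above hinge on two things most respondents could not answer: whether their tooling collects enough detail to recognise an unauthorized change at all, and how long a change can sit unseen before a scheduled check catches it. The Python below is an added example, not Tripwire’s code or any product’s logic. It baselines a directory tree (content hash, permission bits, size), diffs a later snapshot so that a permission-only change is reported alongside content edits and new files, and computes the worst-case lag for a given polling interval. The directory layout, file names, the three simulated changes and the five-minute interval are all constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, NamedTuple, Tuple


class Entry(NamedTuple):
    digest: str  # SHA-256 of the file contents
    mode: int    # permission bits only (S_IMODE)
    size: int


def snapshot(root: str) -> Dict[str, Entry]:
    """Walk `root` and record a content hash, permission bits and size for
    every regular file. This is the trusted baseline the monitor diffs against."""
    inventory: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            inventory[rel] = Entry(digest, stat.S_IMODE(st.st_mode), st.st_size)
    return inventory


def diff(baseline: Dict[str, Entry],
         current: Dict[str, Entry]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, modified). A permission-only change (same bytes,
    different mode) counts as modified; a hash-only monitor would miss it."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified


def worst_case_latency(change_time: float, poll_interval: float) -> float:
    """Seconds between a change and the next scheduled poll that can see it,
    assuming polls at t = 0, poll_interval, 2*poll_interval, ...
    A change landing exactly on a poll boundary is credited to the next poll."""
    polls_before = int(change_time // poll_interval)
    return (polls_before + 1) * poll_interval - change_time


def _write(path: str, text: str) -> None:
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Build a throwaway /etc-like tree, baseline it, apply three constructed
    unauthorized changes and return what the diff reports."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        _write(os.path.join(etc, "sshd_config"), "PermitRootLogin no\n")
        _write(os.path.join(etc, "sudoers"), "root ALL=(ALL) ALL\n")
        os.chmod(os.path.join(etc, "sudoers"), 0o440)
        baseline = snapshot(root)

        # Constructed changes: a content edit, a permission-only change, a new file.
        _write(os.path.join(etc, "sshd_config"), "PermitRootLogin yes\n")
        os.chmod(os.path.join(etc, "sudoers"), 0o666)
        _write(os.path.join(etc, "cron_backdoor"), "* * * * * root /tmp/x\n")
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
    print("worst-case lag at 5-minute polls:", worst_case_latency(100, 300), "s")
```

The `worst_case_latency` helper is the part of the question the survey says most respondents could not answer: with a fixed polling interval the answer is simply the interval, and if nobody knows the interval, nobody knows the detection time. Recording the mode alongside the hash is what lets the diff catch the `sudoers` change, which leaves the file contents untouched.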

Additional findings highlight the growth in privileged access misuse events in the federal government sector:

  • 30 percent of respondents said they were unable to detect every non-privileged user’s attempts to access files.
  • A majority (73 percent) of IT professionals said their system would generate an alert about an employee inappropriately accessing file shares within hours of the incident. In reality, however, 70 percent of such incidents take weeks, months, or even years to detect.
  • Close to half (46 percent) of all breaches in the public sector consisted of privileged access misuse and non-malicious events.

Travis Smith, senior security research engineer for Tripwire, has advice for companies looking to address the threats that accompany employee access to sensitive information:

“Authorization creep is something many organizations fail to address. As employees change roles or are promoted, their roles and responsibilities change; as does their access to confidential information. Protecting confidential information is more than reviewing access denied attempts; employees may be abusing authorized access as well. Following these recommended controls and continuous monitoring over critical and/or confidential information is vital to reduce the likelihood or impact of insider threat.”
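Smith’s point, and the file-share finding in the bullet list above, is that a review of denied attempts alone misses two things: accounts that kept entitlements from a previous role, and authorized accounts reading data their current job does not need. The Python below is an added example, not Tripwire’s code or a description of its products. It runs a small access review over constructed inputs: a hypothetical role-to-share matrix, two hypothetical user records (one of whom changed roles and kept an old entitlement), and a handful of made-up file-share audit lines. The denial threshold is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Hypothetical role-to-share matrix: the shares each role legitimately needs.
ROLE_SHARES = {
    "accounts_payable": {"/shares/finance/ap"},
    "hr_generalist": {"/shares/hr/personnel"},
    "it_helpdesk": {"/shares/it/tools"},
}

# Hypothetical identity records: current role plus every share the account can
# still reach. `bwong` moved from HR to IT helpdesk but kept the HR entitlement.
USERS = {
    "jdoe": {"role": "accounts_payable", "entitlements": {"/shares/finance/ap"}},
    "bwong": {"role": "it_helpdesk",
              "entitlements": {"/shares/it/tools", "/shares/hr/personnel"}},
}

# Constructed file-share audit lines (not real logs); one access per line.
LOG = """\
2016-05-10T09:02:11Z user=jdoe share=/shares/finance/ap file=q2.xlsx result=ALLOWED
2016-05-10T09:05:40Z user=jdoe share=/shares/hr/personnel file=salaries.xlsx result=DENIED
2016-05-10T09:05:52Z user=jdoe share=/shares/hr/personnel file=reviews.docx result=DENIED
2016-05-10T09:06:03Z user=jdoe share=/shares/hr/personnel file=terms.pdf result=DENIED
2016-05-10T13:21:09Z user=bwong share=/shares/it/tools file=agent.msi result=ALLOWED
2016-05-10T22:41:17Z user=bwong share=/shares/hr/personnel file=salaries.xlsx result=ALLOWED
2016-05-10T22:41:25Z user=bwong share=/shares/hr/personnel file=ssn_list.csv result=ALLOWED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) share=(?P<share>\S+) "
    r"file=(?P<file>\S+) result=(?P<result>ALLOWED|DENIED)$")


def parse(log):
    """Turn audit lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]


def authorization_creep(users=USERS, role_shares=ROLE_SHARES):
    """Entitlements that the account's *current* role does not justify."""
    creep = {}
    for name, rec in users.items():
        extra = rec["entitlements"] - role_shares.get(rec["role"], set())
        if extra:
            creep[name] = sorted(extra)
    return creep


def review(log=LOG, users=USERS, role_shares=ROLE_SHARES, denied_threshold=3):
    """Two kinds of findings: repeated denials (the classic review) and ALLOWED
    access to a share outside the user's current role, which a denied-only
    review never sees. Unknown accounts have no role, so all of their
    successful accesses are flagged."""
    denied = Counter()
    out_of_role = defaultdict(list)
    for ev in parse(log):
        role = users.get(ev["user"], {}).get("role")
        needed = role_shares.get(role, set())
        if ev["result"] == "DENIED":
            denied[ev["user"]] += 1
        elif ev["share"] not in needed:
            out_of_role[ev["user"]].append((ev["ts"], ev["share"], ev["file"]))
    findings = []
    for user, n in denied.items():
        if n >= denied_threshold:
            findings.append(("repeated_denials", user, n))
    for user, events in out_of_role.items():
        findings.append(("authorized_out_of_role_access", user, len(events)))
    return sorted(findings)


if __name__ == "__main__":
    print("authorization creep:", authorization_creep())
    for finding in review():
        print("finding:", finding)
```

On the constructed data the denied-attempt review surfaces `jdoe` probing the HR share, which any alerting on access-denied events would also catch. The second finding is the one Smith is describing: `bwong` is authorized to read `/shares/hr/personnel`, so every access succeeds and generates no denial; only comparing the access against the current role, and the entitlement against that role in the creep check, brings it to light.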

For more information on Tripwire’s findings regarding the federal government sector’s confidence in breach detection, please click here.