In theory at least, cybersecurity teams are supposed to be able to adhere to a 1-10-60 rule: detect an intrusion within one minute, identify the nature of that threat within 10 minutes and contain the breach in under 60 minutes. Perhaps not surprisingly, a global survey of 1,900 senior IT decision-makers and IT security professionals conducted by the research firm Vanson Bourne on behalf of CrowdStrike, a provider of an endpoint detection and response (EDR) platform, finds most cybersecurity teams are nowhere close to achieving that goal.
The report finds only 11% of survey respondents said their organizations can detect an intruder in under one minute, only 9% said they can investigate an incident in 10 minutes, and only 33% can contain an incident in 60 minutes. A full 95% of respondents fall short of meeting all three of these goals.
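Measuring a team against the 1-10-60 rule means timing three intervals per incident (intrusion to detection, detection to understanding, understanding to containment) and reporting what share of incidents clears each target and all three. The script below is an added illustration, not code from the article or from CrowdStrike; the incident timelines in it are constructed, and the field names and thresholds are assumptions chosen to match the rule as the article states it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# 1-10-60 targets as described in the article, in minutes per stage
THRESHOLDS = {"detect": 1, "investigate": 10, "contain": 60}


@dataclass(frozen=True)
class Incident:
    name: str
    intrusion: datetime     # first attacker activity, as established by forensics
    detected: datetime      # first alert that fired on that activity
    investigated: datetime  # point at which nature and scope were understood
    contained: datetime     # attacker access cut off (hosts isolated, creds reset)

    def __post_init__(self):
        # A timeline that runs backwards is a data-entry error, not a fast response;
        # reject it rather than report a negative (and therefore "passing") interval.
        if not (self.intrusion <= self.detected <= self.investigated <= self.contained):
            raise ValueError(f"{self.name}: timestamps are not in chronological order")

    def stage_minutes(self) -> dict:
        """Elapsed minutes in each stage of the 1-10-60 model."""
        one_min = timedelta(minutes=1)
        return {
            "detect": (self.detected - self.intrusion) / one_min,
            "investigate": (self.investigated - self.detected) / one_min,
            "contain": (self.contained - self.investigated) / one_min,
        }

    def meets(self) -> dict:
        """Whether each stage came in at or under its target."""
        return {s: m <= THRESHOLDS[s] for s, m in self.stage_minutes().items()}


def scorecard(incidents) -> dict:
    """Percentage of incidents meeting each target and all three, plus mean containment time."""
    if not incidents:
        raise ValueError("no incidents to score")
    n = len(incidents)
    hits = {s: 0 for s in THRESHOLDS}
    all_three = 0
    contain_total = 0.0
    for inc in incidents:
        ok = inc.meets()
        for s in THRESHOLDS:
            hits[s] += ok[s]
        all_three += all(ok.values())
        contain_total += inc.stage_minutes()["contain"]
    card = {f"pct_{s}": 100.0 * hits[s] / n for s in THRESHOLDS}
    card["pct_all_three"] = 100.0 * all_three / n
    card["mean_contain_minutes"] = contain_total / n
    return card


# Constructed sample timelines (hypothetical incidents, not survey data).
# inc-3 is the slow case: two hours to notice, then 31 hours to contain.
T = datetime(2021, 3, 1, 9, 0, 0)
SAMPLE = [
    Incident("inc-1", T, T + timedelta(seconds=30), T + timedelta(minutes=8), T + timedelta(minutes=50)),
    Incident("inc-2", T, T + timedelta(seconds=45), T + timedelta(minutes=20), T + timedelta(minutes=60)),
    Incident("inc-3", T - timedelta(hours=1), T + timedelta(hours=1), T + timedelta(hours=1, minutes=5),
             T + timedelta(days=1, hours=8, minutes=5)),
    Incident("inc-4", T, T + timedelta(seconds=30), T + timedelta(minutes=5), T + timedelta(hours=2)),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.name, {s: round(m, 1) for s, m in inc.stage_minutes().items()}, inc.meets())
    print(scorecard(SAMPLE))
```

The scorecard separates the three stages on purpose: in the sample, three of four incidents clear the one-minute detection target and three clear the ten-minute investigation target, but only one clears all three, which is the same pattern the survey reports at scale. The intrusion timestamp comes from forensics after the fact, so the "detect" interval can only be computed once the investigation has established when the attacker actually arrived.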
When it comes to cybersecurity breaches, time is obviously of the essence. In the age of ransomware, however, it has become an acute issue. The survey finds 40% of organizations admit to having paid a ransom to retrieve encrypted data. The share of organizations that paid a ransom after a software supply chain attack also more than doubled, from 14% to 40%, with over 50% of the organizations operating in the food and beverage, hospitality, and entertainment and media industries having paid a ransom in the last 12 months.
The survey also points out that while cybersecurity teams would like to get faster at identifying and containing breaches, intruder detection is the primary IT security focus for only 19% of respondents. On average, the survey finds, it takes 31 hours to contain a cybersecurity incident once it has been detected and investigated. A total of 80% of respondents concede they have been unable to prevent intruders on their networks from accessing their targeted data in the past 12 months, with 44% pointing to slow detection as the cause.
Of course, the preferred outcome is for the breach never to have occurred in the first place. That’s why investments in firewalls, encryption platforms and other types of technologies designed to prevent data from being stolen continue to increase. However, given that human beings will always make cybersecurity mistakes, it’s clear more time and effort will need to be devoted to cleaning up the mess that inevitably ensues whenever there is a cybersecurity breach. Cybersecurity teams are always going to have a bias toward prevention. However, many of them are now finding themselves being measured on how long it takes them to identify and contain a breach.
The challenge cybersecurity teams with limited resources are struggling with is how best to reduce the time it takes to contain a breach without cutting investments in threat prevention. Most organizations are increasing the amount of money allocated to cybersecurity. However, cybersecurity budgets are far from unlimited. Cybersecurity teams are trying to strike a balance between the need to detect and remediate breaches and the need to prevent those breaches from occurring in the first place. The primary mission clearly needs to remain threat prevention. However, like it or not, breach containment is now clearly the second most important thing any cybersecurity team can do to protect its organization.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.