The Verizon Business survey that was published yesterday offers many insights. I think that this is an important (and certainly not surprising)

From the report: "In a finding that may be surprising to some, most data breaches investigated were caused by external sources. Breaches attributed to insiders, though fewer in number, were much larger than those caused by outsiders when they did occur. As a reminder of risks inherent to the extended enterprise, business partners were behind well over a third of breaches, a number that rose five-fold over the time period of the study."

There are two eye-opening charts in this report that highlight the importance of active security systems and the need to close security gaps as fast as possible. The first compares the time it takes to penetrate a system with the time it takes to discover and mitigate the breach.

From the report: "In comparison to the other categories, the length of time between the attacker's initial entry into the corporate network and the compromise of information is relatively short. During this phase, intruders typically explore the network and systems until finding their desired plunder. To an attacker unfamiliar with the territory, this can be a time-intensive activity. Surprisingly, our findings reveal this was accomplished within minutes or hours in just under half of cases investigated."

So it takes a VERY short time to penetrate the application or breach the data, while it takes a lot of time to discover the breach. The next chart shows how organizations discovered the breach. As you can see, most organizations surveyed by Verizon did not use monitoring tools.
I see a clear connection between the first and second data points. Should organizations use an activity monitoring solution, they will be able to detect breaches faster. This is logical and makes sense. But I would like to make the case for preferring security and attack blocking over pure activity monitoring.
This survey should be used as a wake-up call to the many organizations that should look into their monitoring and real-time security systems. As the bad guys (internal or external) are attacking within minutes or hours, security professionals can no longer assume that they'll be able to protect and defend without real-time security solutions capable of protecting the entire application stack.
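The gap between time-to-compromise and time-to-discovery, and why inline blocking closes it in a way that log review cannot, is easy to see with a small replay. The following Python is an added example, not code from the post or from the Verizon report: it feeds a constructed log excerpt (a brute-forced login followed by a data export) through the same failed-login rule under three postures and reports how long the attacker had until compromise versus how long the defender needed for discovery. The rule threshold, the log format and the weekly review schedule are assumptions made for the illustration.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    client: str
    action: str
    detail: str


# Constructed log excerpt (not from the Verizon report): one external client
# brute-forces a login, succeeds, and exports a table a few minutes later.
SAMPLE_LOG = """\
2008-06-10T02:00:05 203.0.113.7 LOGIN FAIL
2008-06-10T02:00:09 203.0.113.7 LOGIN FAIL
2008-06-10T02:00:12 203.0.113.7 LOGIN FAIL
2008-06-10T02:00:15 203.0.113.7 LOGIN FAIL
2008-06-10T02:00:18 203.0.113.7 LOGIN FAIL
2008-06-10T02:00:21 203.0.113.7 LOGIN OK
2008-06-10T02:03:40 203.0.113.7 EXPORT customer_table
2008-06-10T09:15:00 10.0.0.5 LOGIN OK
"""

FAIL_THRESHOLD = 5               # assumed rule: 5 failed logins ...
WINDOW = timedelta(seconds=60)   # ... from one client within 60 seconds


def parse_log(text):
    """Parse the constructed 'timestamp client action detail' lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, action, detail = line.split(maxsplit=3)
            events.append(Event(datetime.fromisoformat(ts), client, action, detail))
    return events


def replay(events, mode, next_review=None, review_every=timedelta(days=7)):
    """Replay events under one posture and measure the two intervals.

    mode: 'blocking'  - the flagged client is denied inline from then on
          'realtime'  - an alert is raised immediately, nothing is denied
          'periodic'  - the rule only runs when logs are read at next_review
    """
    recent = {}        # client -> deque of failure timestamps inside WINDOW
    first_fail = {}    # client -> timestamp of its first failed login
    flagged = None     # (client, timestamp) once the threshold trips
    blocked = set()
    compromised_at = None
    for ev in events:
        if ev.client in blocked:
            continue   # inline blocking: the request never reaches the application
        if ev.action == "LOGIN" and ev.detail == "FAIL":
            first_fail.setdefault(ev.client, ev.ts)
            q = recent.setdefault(ev.client, deque())
            q.append(ev.ts)
            while ev.ts - q[0] > WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and flagged is None:
                flagged = (ev.client, ev.ts)
                if mode == "blocking":
                    blocked.add(ev.client)
        elif (ev.action == "EXPORT" and flagged is not None
              and ev.client == flagged[0] and compromised_at is None):
            compromised_at = ev.ts   # data left with the flagged client
    if flagged is None:
        return {"mode": mode, "compromised": compromised_at is not None,
                "seconds_to_compromise": None, "seconds_to_discovery": None}
    client, flagged_at = flagged
    if mode == "periodic":
        if next_review is None:
            raise ValueError("periodic mode needs a next_review datetime")
        discovered_at = next_review
        while discovered_at < flagged_at:      # first review after the trip
            discovered_at += review_every
    else:
        discovered_at = flagged_at
    start = first_fail[client]
    return {
        "mode": mode,
        "compromised": compromised_at is not None,
        "seconds_to_compromise": (compromised_at - start).total_seconds() if compromised_at else None,
        "seconds_to_discovery": (discovered_at - start).total_seconds(),
    }


def compare(log_text=SAMPLE_LOG, next_review=datetime(2008, 6, 16, 9, 0)):
    """Run all three postures over the same log; next_review is an assumed weekly review slot."""
    events = parse_log(log_text)
    return {m: replay(events, m, next_review=next_review)
            for m in ("blocking", "realtime", "periodic")}


if __name__ == "__main__":
    for mode, result in compare().items():
        print(mode, result)
```

Under the constructed timeline the attacker needs 215 seconds from first failed login to export; real-time monitoring discovers the activity after 13 seconds but the export still happens, periodic review discovers it more than six days later, and only the inline blocking posture reports no compromise at all. That is the distinction the post draws between detecting faster and actually stopping the attack.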
So it takes a VERY short time to penetrate the application or breach the data, while it takes a lot of time to discover.
That is not our interpretation. On the contrary, more than half of the cases involved days, weeks, months or years from when the intrusion succeeded until data important to the victim was compromised. Patch-a-holics like to believe patches must be applied ASAP, but our observations indicated 90% would have been prevented by semi-annual patching.
http://securityblog.verizonbusiness.com/2008/06/13/patching-conundrum/