A recent article on Dark Reading website discussing the amount of time it takes to discover, contain, and report breaches caught our attention. It cited four reports, two indicating a different amount of time from compromise to discovery for data breaches, one discussing how organizations are shortening that time, and another estimating the time between discovery and reporting the incident.
What we found most interesting was the time to discovery and how the security world is successfully reducing that window of time. The first report stated the time between intrusion and detection fell from 26 days in 2017 to 14 days in 2018. Time to discovery was much higher in the second report at 101 days in 2017 and falling to 78 days in 2018. Regardless of the disparity between these two estimates, the good news is that these times are shrinking and some of the improvement (25%) is attributed to automated detection. The bad news is that the time from system compromise to the time when the target, or asset, is breached is just minutes. Operating undetected for 14 to 78 days after compromising a system gives cybercriminals an enormous amount of time to do serious damage. All leading to a pain point for security professionals that could mean many sleepless nights.
In fact, a report by the Aberdeen Group revealed some data that suggests while organizations are slow to detect phishing attacks, users are quick to fall prey.
- The likelihood of the first user click on malicious emails occurring within 30 seconds was about 8%
- The likelihood of the first user click on malicious emails occurring within 60 seconds was about 30%
- The median time-to-first click on malicious emails was just 134 seconds
Most traditional cybersecurity systems today are just too slow when it comes to detecting threats. Many lack any kind of real-time detection of zero-hour phishing sites. If they do happen to have blocking or URL filtration, it’s based on blacklists which are several hours to several days old, meaning they’re not blocking today’s new, active and live threats, but rather yesterday’s old, inactive, and retired threats.
Aberdeen’s research shows that by the end of the first 60 minutes of a threat, automated browser-based protections range from 77.3% to 89.5% effective and increase over time to between 94.3% and 96.7%. The empirical likelihood of a first click within 60 minutes is more than 90%. Bottom line… the need for speed here is crucial. And, if most of today’s technology is not sufficient or fast enough, then manual remediation is certainly ineffective.
The Dark Reading article cited a Ponemon Institute report that security automation is the most likely way to combat this detection deficit and Aberdeen agrees. They believe a combination of pre-delivery detection and protection and postdelivery protection and response, leveraging the expertise and focus of specialized solution providers, is by far the fastest and most effective approach in the accelerating race against time.
We’ve been beating the drum for speed and automation in phishing detection for quite a while and feel the data cited validates our thoughts. Our belief has always been that if security teams could be instantly notified when an employee visits a malicious website, they could block more phishing attacks. Real-time detection combined with automated real-time response could greatly reduce the risk of being breached in the first place.
The good news here is that any organization can take the first step to reduce their exposure to fast moving phishing sites by using our Real-Time Phishing Threat Intelligence. It identifies live zero-hour threats in real-time and allows organizations to respond in real-time with automated blocking through their firewall.
A diligent second step would be to use SlashNext Targeted Phishing Defense solution to protect against targeted patient zero attacks. Its automated and uses real-time detection to identify data exfiltration, C2 communications and targeted phishing threats that slower technologies seem to miss. These types of threats could be signs of early infiltration and a breach that might otherwise go undetected. The Targeted Phishing Defense console reports on exactly which machine(s) are infected or impacted and recommends remediation steps. Allowing organizations to identify tell-tale signs of C2 and early stages of a breach that could help prevent losses from a larger breach.
SlashNext Targeted Phishing Defense Console
Automation also enables notification the moment an employee visits an unblocked and previously unknown compromised phishing or social engineering page. Alerting security teams immediately an event occurs enables them to instantaneously notify the employee, lessening the chance that they or their machine is compromised. All these capabilities help reduce the time to discovery significantly and empower security teams to remediate threats before the compromise has fully taken effect.
Interested in exploring how you can reduce your time to discovery? Try SlashNext Real-Time Phishing Threat Intelligence free for 15 days.