Detect hacker attacks earlier


For companies it is always important to detect hacker attacks as early as possible. Behavior analysis helps to shorten the "dwell time" of successful attacks.

In films, hacks are often portrayed as a kind of digital bank robbery: the hackers break through their target's protective mechanisms in dramatic fashion and then have only a few minutes to steal the coveted data while IT security tries desperately to stop them. The reality is very different: cyber criminals usually make themselves comfortable in the network and sometimes spend months or years there before they are discovered. With that much time, an attacker can of course cause a lot of damage, and the time spent inside the network, the so-called dwell time, is one of the most important indicators when analyzing successful hacks in order to determine how serious an attack was. In many cases, even a few hours of access can lead to the compromise of considerable amounts of data.

Attackers spend 56 days in the target environment before they are discovered

In a recent report, the global mean dwell time of cybercriminals before they were discovered was 56 days. This value was significantly better than that of the previous year, when the attackers still had a whopping 78 days before they were discovered. In some cases, however, breaches went undetected for several years, with serious consequences for everyone involved. One of the reasons that attacks can go undetected for so long is that most organizations' networks keep expanding. The larger, more dispersed and more disorganized such networks become, the easier it is for criminals to stay hidden. Once inside, the attackers navigate the network undetected, scanning and exfiltrating data in the process. For companies that hold sensitive customer data or secret research data, it is of course a nightmare to imagine that attackers could stay undetected in the network for months or even years. Numerous examples show how serious such long-lasting data leaks are for the companies concerned.

The nightmare of IT security: attackers in the network that have gone undetected for years

There are countless examples of companies falling victim to successful hacks with billions in damage. For example, the US financial services provider Equifax lost 35 percent of its market value after a major data leak became known in 2017, suffered immense damage to its reputation and paid more than half a billion US dollars in fines. The case of Cathay Pacific from 2018, in which the data of 9.4 million passengers was compromised, is also legendary and almost unmatched in terms of dwell time. It took Cathay Pacific more than six months to investigate, and the investigation uncovered a series of shocking revelations: the earliest known unauthorized access to the network dated back almost four years, to October 2014. So the attackers had been on the network undetected for a full four years! And as if this weren't already embarrassing enough for Cathay Pacific's IT security, the vulnerability through which the attackers got in was easy to exploit and, what's more, had long been publicly known.

Both cases serve as warnings of what can happen in the worst case, and as evidence that the damage can be limited if the breach of IT security is detected as early as possible. It has long been recognized that every company is vulnerable and that it is only a matter of time before a security breach occurs. This raises the question of which solutions and skills IT security needs in order to detect these malicious activities as early as possible.

Advanced behavior analysis offers a much better early warning system

Obviously, the skills and solutions used in many companies are not in good shape when attackers have an average of two months to make themselves comfortable in a target environment. When it comes to either preventing attacks altogether or shortening the dwell time, many security teams are in a rather hopeless position, because many common security solutions produce one thing above all: false alarms. The teams have to spend a lot of time processing the flood of alarms manually. This leaves little, if any, time for the even longer process of tracking down attackers who have already made it into the network and removing them.

One technology that is far more effective than manually assessing security alerts is behavior analysis. It can help identify suspicious user or network activity more effectively. Behavior analysis solutions leverage pre-existing security incident logs, which means they already know the full scope and context of the related incident details. As a result, security analysts no longer have to comb through large numbers of event logs to create incident timelines by hand. By eliminating this time-consuming process, potential security breaches can be identified much faster, which means that security teams can quickly track down attackers and practically eliminate the attackers' dwell time.

Conclusion: The analysis of the behavior of users and entities detects threats earlier

Modern data protection regulations are stricter than ever, which means that companies simply can no longer afford to be complacent about data security. But with networks today larger and more dispersed than ever before, it has become uneconomical to protect them with traditional security tools and manual analysis. New technologies, such as advanced behavior analysis, eliminate the time-consuming detailed work that older tools require, reduce false positives and help identify real threats much earlier.
