Why do breaches slip through the cracks?

When it comes to minimizing the damage caused by a cyberbreach, the difference between a major data loss and a minor security annoyance often comes down to the time required to identify and counter the attack. Although this relationship between response time and breach consequences may seem self-evident, we regularly read about cyberattacks that went undetected for days, weeks, or months before being recognized. Of course, the most successful of these so-called advanced persistent threats (APTs) are never detected at all.

Given the potential consequences, why aren’t we better at quickly detecting cyberattacks? One reason is simply that attackers have become very sophisticated in quietly gaining entry to targeted servers and databases. Once in, the intruders do all they can to mask their presence and their activity, which can range from simply exploring the systems and defenses to stealing or corrupting data. Unless they publicly release stolen data or tip their hand in some other fashion, the attackers may take their leave after they’ve met their objectives with their victims none the wiser.

Despite the challenges APT attacks present, organizations are far from helpless when it comes to dealing with them. Most APT incursions occur via phishing attacks, malware-infected files and websites, or other social-engineering techniques that trick employees into taking risky actions. Employee education can go a long way to keeping APT attacks from getting into your networks and data centers in the first place.

There are also a number of automated threat detection systems that companies can deploy. They include behavioral analytics solutions that initially model normal employee behavior and data access requests, typical network traffic (both internal and external), and other “baseline” profile information. The systems can then detect activity that falls outside of the established norms and alert security pros that an APT incursion may have occurred.
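To make the baseline idea concrete, here is a small added example in Python (not from the original post, and not any vendor's product): it learns each user's normal hours, hosts and read volume from a training window of constructed access events, then flags later events that fall outside that profile. The event fields and the ±1 hour tolerance and z-score limit are assumptions for illustration.

```python
"""Baseline-and-deviation detector over constructed access-log events.

Added example (not from the original post). Implements the behavioral
analytics pattern described above: learn each user's normal data-access
profile, then flag activity that falls outside the established norms.
Event shape (user, hour_of_day, host, records_read) and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events used to build the "normal" profile per user.
BASELINE_EVENTS = [
    ("alice", 9, "db-hr", 120), ("alice", 10, "db-hr", 150),
    ("alice", 14, "db-hr", 90), ("alice", 11, "db-hr", 130),
    ("bob", 8, "db-sales", 40), ("bob", 13, "db-sales", 60),
    ("bob", 16, "db-sales", 55), ("bob", 9, "db-sales", 45),
]
# Constructed events to score against that profile.
NEW_EVENTS = [
    ("alice", 10, "db-hr", 140),    # ordinary daytime read: should pass
    ("alice", 3, "db-hr", 5000),    # off-hours plus bulk volume: should alert
    ("bob", 12, "db-finance", 50),  # first contact with a new host: should alert
]

def build_baseline(events):
    """Per user: set of hours and hosts seen, mean/stddev of records read."""
    per_user = defaultdict(lambda: {"hours": set(), "hosts": set(), "vol": []})
    for user, hour, host, records in events:
        p = per_user[user]
        p["hours"].add(hour); p["hosts"].add(host); p["vol"].append(records)
    return {u: {"hours": p["hours"], "hosts": p["hosts"],
                "mean": mean(p["vol"]), "sd": pstdev(p["vol"])}
            for u, p in per_user.items()}

def score_event(baseline, event, z_limit=3.0):
    """Return the list of deviations for one event; an empty list means normal."""
    user, hour, host, records = event
    p = baseline.get(user)
    if p is None:
        return ["unknown user"]          # never seen in the training window
    reasons = []
    if host not in p["hosts"]:
        reasons.append(f"new host {host}")
    if not any(abs(hour - h) <= 1 for h in p["hours"]):   # +/-1h tolerance (assumed)
        reasons.append(f"off-hours access at {hour:02d}:00")
    # Zero-variance baselines skip the volume test rather than divide by zero.
    if p["sd"] and (records - p["mean"]) / p["sd"] > z_limit:
        reasons.append(f"volume {records} far above baseline mean {p['mean']:.0f}")
    return reasons

def detect(baseline_events, new_events):
    """Map each anomalous new event to its reasons; normal events are omitted."""
    baseline = build_baseline(baseline_events)
    flagged = {}
    for e in new_events:
        reasons = score_event(baseline, e)
        if reasons:
            flagged[e] = reasons
    return flagged
```

Running `detect(BASELINE_EVENTS, NEW_EVENTS)` flags only the off-hours bulk read and the new-host access, which is the kind of signal a security team would triage as a possible intrusion.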

Not surprisingly, there is significant variability among different companies in their ability to detect and counter APT attacks. The 2016 AT&T/IDC Global Cybersecurity Readiness Index study used a number of variables to sort companies into four categories of cybersecurity readiness. The most mature and prepared companies fell into the top “progressive” category.

Among other attributes, it turns out that progressive companies are much more likely than their peers to have deployed APT detection and mitigation technologies. The AT&T/IDC study found that 70% of progressive companies are using these APT solutions. By contrast, less than 20% of the companies in the bottom “passive” cybersecurity readiness category have deployed APT detection and mitigation technologies.

In the cat-and-mouse game of APT intrusion and detection, it’s difficult to know who – attackers or defenders – has the advantage at any point in time. What is certain is that APT attacks will only grow more sophisticated and stealthy, and APT detection and mitigation solutions will constantly improve in power and effectiveness. Organizations need to keep abreast of both APT threats and APT countermeasures, and ensure that their defenses are as current and capable as possible.

Dwight Davis has reported on and analyzed computer and communications industry trends, technologies, and strategies for more than 35 years. All opinions expressed are his own. AT&T has sponsored this blog post.
