The median dwell time for intrusions investigated in EMEA was 48 days in 2021, compared to 66 days in 2020 and 54 days in 2019.
M-Trends 2022 – Mandiant special report
Breach detection is lagging behind
Studies show that the average organization is slow to detect a breach. The FireEye 2021 M-Trends Report cites a median dwell time - the time between compromise and detection - of 66 days for the EMEA region. Although statistics vary from study to study, they all agree that there is still a lot of room for improvement when it comes to closing the breach detection gap. In many cases victims are not aware of a breach until regulatory bodies, law enforcement or other third parties notify them. As the Ponemon 2020 Cost of a Data Breach Report shows, the longer it takes to detect a breach, the more expensive it becomes, with a global average total cost of a data breach of €3,51M. Reducing the time between intrusion and detection – and between detection and containment – has therefore become imperative in any cybersecurity program.
Threat detection is all about turning your data into actionable alerts
The Cyber Kill Chain is a high-level workflow that advanced attackers follow to compromise a target. We need to find a way to break this chain, preferably as early as possible, because doing so becomes more difficult and expensive the further along the chain the attacker gets. Threat detection has several important components.
Platform Lifecycle Management
To detect potential security incidents, we need a Security Information and Event Management (SIEM) platform. A modern SIEM relies on a big data analytics engine and is able to process data of any volume, variety and velocity. It has to scale seamlessly with growing volumes and requirements, and be reliable and available at all times.
Data Management and Monitoring
We need to configure the SIEM platform to correctly consume ingested data by applying event types, field extractions and data models. Incoming data flows are monitored for anomalies so that broken flows are detected and repaired.
Use Case Lifecycle Management
Threat detection is all about turning your data into actionable alerts. We developed a comprehensive library of best practice use cases, following a threat-driven approach, mapped against the MITRE ATT&CK framework. Our Use Case Lifecycle Management (UCLM) process keeps track of emerging threats to drive continuous improvement and stay on top of the evolving threat landscape.
Threat Intelligence Management
Threat Intelligence Management is the practice of aggregating, analysing, enriching and de-duplicating internal and external threat data to understand threats to your environment. Threat intelligence data is fed into the SIEM platform, which allows us to automatically correlate incoming events against known Indicators of Compromise (IOCs).
Threat Profiling and Modelling
We provide proactive use case recommendations based on the customer's threat profile. Threat profiling captures the business context, which is unique for each and every customer. Together we identify crown jewels and decompose service stacks. This allows us to understand what matters most in the specific situation of the customer.
Automated detection is best complemented with human intuition and experience through threat hunting exercises. We formulate hypotheses – assuming an attacker has already got in without us knowing about it – and pivot through historical data to test them. This allows us to evaluate detection use cases and discover potential gaps.
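As an added illustration of the Threat Intelligence Management and threat hunting steps above (example code written for this page, not the provider's own tooling), the following Python merges two constructed IOC feeds into one de-duplicated index that keeps every source for enrichment, correlates extracted SIEM fields against it, and measures the dwell time a retrospective hunt over historical events would reveal. The feed values, events and field names are constructed assumptions.

```python
from datetime import datetime

# Constructed sample feeds (hypothetical values, not real indicators).
INTERNAL_FEED = [
    {"type": "domain", "value": "Login-Portal.example", "source": "ir-case-1"},
    {"type": "ipv4", "value": "203.0.113.42", "source": "ir-case-1"},
]
EXTERNAL_FEED = [
    # Same domain as above, differing only in case and trailing whitespace.
    {"type": "domain", "value": "login-portal.example ", "source": "vendor-feed"},
    {"type": "sha256", "value": "AB" * 32, "source": "vendor-feed"},
]
# Extracted SIEM field -> indicator type it is compared against (assumed names).
FIELD_TYPES = {"dest_domain": "domain", "dest_ip": "ipv4", "file_sha256": "sha256"}
# Constructed historical events, as a SIEM holds them after field extraction.
EVENTS = [
    {"ts": "2021-03-01T08:15:00", "host": "ws-17", "dest_domain": "login-portal.example", "dest_ip": "198.51.100.9"},
    {"ts": "2021-03-02T11:02:00", "host": "ws-17", "dest_domain": "intranet.corp", "dest_ip": "203.0.113.42"},
    {"ts": "2021-04-20T09:30:00", "host": "srv-02", "dest_ip": "192.0.2.5", "file_sha256": "ab" * 32},
    {"ts": "2021-04-21T10:00:00", "host": "ws-03", "dest_domain": "news.corp", "dest_ip": "192.0.2.6"},
]

def normalise(ioc_type, value):
    """Canonical key so the same indicator from two feeds collapses to one entry."""
    return (ioc_type, value.strip().lower())

def build_ioc_index(*feeds):
    """Aggregate and de-duplicate feeds; the set of sources is the enrichment."""
    index = {}
    for feed in feeds:
        for ioc in feed:
            index.setdefault(normalise(ioc["type"], ioc["value"]), set()).add(ioc["source"])
    return index

def correlate(events, index):
    """Match each event's extracted fields against the index; one alert per hit."""
    alerts = []
    for ev in events:
        for field, ioc_type in FIELD_TYPES.items():
            key = normalise(ioc_type, ev.get(field, ""))  # missing field never matches
            if key in index:
                alerts.append({"ts": ev["ts"], "host": ev["host"],
                               "ioc": key[1], "sources": sorted(index[key])})
    return alerts

def dwell_days(alerts, detected_at):
    """Days between the earliest retrospective hit and the moment the hunt found it."""
    first = min(datetime.fromisoformat(a["ts"]) for a in alerts)
    return (datetime.fromisoformat(detected_at) - first).days
```

Running `correlate(EVENTS, build_ioc_index(INTERNAL_FEED, EXTERNAL_FEED))` yields three alerts, and `dwell_days` on them shows how long the earliest hit sat unnoticed in historical data.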
In order to outsmart our adversaries and catch them red-handed, we need to understand them first.