EMEA Companies Lagging on Breach Detection

Companies in the EMEA region take roughly three times as long to detect security breaches as their global counterparts, new research has revealed.

The figures come from Mandiant’s M-Trends EMEA Report, which found that across Europe, the Middle East and Africa the average ‘dwell’ time between compromise and detection was 469 days. That is more than three times the global average of 146 days, and it gives attackers ample time to locate and exfiltrate the data they are after before any defensive steps are taken.

Mandiant, owned by security firm FireEye, says the figures from the report suggest many companies across EMEA simply don’t have security in place to stop or even detect advanced threats.

Businesses often struggle to establish the full scope of a breach because they use the ‘follow the breadcrumbs’ approach: they analyze only a handful of machines, then spider out to whichever other machines those first systems appear to have touched.

However, advanced attackers are more methodical than that. Through lateral movement they spread across large enterprise networks and maintain footholds on machines that an investigation limited to the visible trail never examines.

This is why some breaches remain hidden for so long. The breadcrumb approach can miss some of the machines affected by the malware, so the true scope of the infection remains unknown. It also has the knock-on effect that companies are re-infected within a few months of the original breach being detected, because the attacker still holds the hosts that were never found, Mandiant said.
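To make that scoping gap concrete, the following is an added illustration written for this article; it is not code or data from Mandiant’s report. It models a small estate with constructed host artefacts and lateral-movement log entries (the host names, the indicator values and the missing log entry are all invented). The ‘follow the breadcrumbs’ scope only examines hosts that surviving logs link to the machines already known to be compromised, so when one hop has been overwritten, every host beyond it is left behind. An enterprise-wide sweep checks every host against the indicators instead and finds the hosts the trail misses, which are exactly the ones that cause a re-infection later.

```python
from collections import deque

# Constructed data for illustration only; nothing here comes from the Mandiant report.
MALWARE_SHA256 = "deadbeef" * 8  # hypothetical IOC: hash of the malware binary
PERSISTENCE_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchosts"  # hypothetical IOC
IOCS = {MALWARE_SHA256, PERSISTENCE_KEY}

# Lateral-movement hops still present in the available logs, as (source, destination).
# The hop ws-07 -> fs-02 is deliberately absent: that log rotated away during the
# long dwell time, so nothing links fs-02 (or ws-12 behind it) to the known-bad hosts.
LATERAL_MOVEMENT_EVENTS = [
    ("ws-01", "ws-04"),
    ("ws-04", "dc-01"),
    ("ws-04", "ws-07"),
    ("ws-04", "ws-09"),  # a legitimate admin session; ws-09 turns out to be clean
    ("fs-02", "ws-12"),
]

# Artefacts (file hashes, registry values) collected from every host in the estate.
HOST_ARTIFACTS = {
    "ws-01": {MALWARE_SHA256, PERSISTENCE_KEY},
    "ws-03": {"0" * 64},
    "ws-04": {MALWARE_SHA256},
    "ws-07": {PERSISTENCE_KEY},
    "ws-09": {"1" * 64},
    "dc-01": {MALWARE_SHA256},
    "fs-02": {MALWARE_SHA256, PERSISTENCE_KEY},
    "ws-12": {MALWARE_SHA256},
}


def has_ioc(host, host_artifacts, iocs):
    """Examine one host: does any collected artefact match a known indicator?"""
    return bool(host_artifacts.get(host, set()) & iocs)


def breadcrumb_scope(seed_hosts, events, host_artifacts, iocs):
    """'Follow the breadcrumbs': examine the seed hosts, then only the hosts the
    surviving logs show them reaching, and so on. Returns the confirmed-bad set."""
    adjacency = {}
    for src, dst in events:
        adjacency.setdefault(src, set()).add(dst)
    examined, confirmed = set(), set()
    queue = deque(seed_hosts)
    while queue:
        host = queue.popleft()
        if host in examined:
            continue
        examined.add(host)
        if not has_ioc(host, host_artifacts, iocs):
            continue  # clean host: the trail stops here
        confirmed.add(host)
        queue.extend(adjacency.get(host, ()))
    return confirmed


def sweep_scope(host_artifacts, iocs):
    """Enterprise-wide sweep: test every host against the indicators, whether or
    not any log links it to the machines already known to be compromised."""
    return {h for h in host_artifacts if has_ioc(h, host_artifacts, iocs)}


def scoping_gap(seed_hosts, events, host_artifacts, iocs):
    """Hosts the sweep finds that the breadcrumb trail never reaches; these are
    the footholds an attacker keeps after the 'complete' remediation."""
    return sweep_scope(host_artifacts, iocs) - breadcrumb_scope(
        seed_hosts, events, host_artifacts, iocs
    )


if __name__ == "__main__":
    crumbs = breadcrumb_scope(["ws-01"], LATERAL_MOVEMENT_EVENTS, HOST_ARTIFACTS, IOCS)
    sweep = sweep_scope(HOST_ARTIFACTS, IOCS)
    print("breadcrumb scope:", sorted(crumbs))
    print("sweep scope:     ", sorted(sweep))
    print("left behind:     ", sorted(sweep - crumbs))
```

Starting from ws-01, the trail confirms ws-04, dc-01 and ws-07 and correctly clears ws-09, but fs-02 and ws-12 are never examined because the hop into fs-02 is gone from the logs. The sweep finds all six infected hosts; the difference between the two sets is the re-infection risk the report describes.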

Although it is very difficult to establish exactly how much data is compromised in these attacks, Mandiant says it found that on average 2.6GB of data was stolen. The true figure is likely to be higher: logs are overwritten over time, and with such long dwell times much of the exfiltration may have happened before any record that survives.

EMEA companies rely heavily on their own internal detection to discover breaches, rather than on notifications from external third parties such as law enforcement or partners. Just 12% of the compromises Mandiant analyzed were detected by a third party; the remaining 88% were detected internally. This is in stark contrast to the global figures of 47% internal and 53% external.

Mandiant says these methods of detection are not doing businesses in EMEA any favors. “The majority of organizations need to move away from the traditional methodology of responding to incidents as otherwise the dwell time will not decrease at a fast enough rate,” said Bill Hau, vice-president of Mandiant Security Consulting Services, FireEye.

“This, coupled with the fact that some EMEA governments are at various levels of maturity with their national CERT capabilities/mandate has resulted in businesses being under tremendous pressure to detect threats themselves and, according to our statistics, they simply have not been quick enough to do so,” he added.
