What if I told you that a single change to your IT environment could save between 5% and 10% of information security costs? That sounds great but a rational person would respond with a question; “How much will this change cost?” After all, spending thousands to save hundreds makes no sense while spending hundreds to save thousands is good business. What if I then told you that the cost of the single change will be a fraction of cost savings? Furthermore, what if I told you that this single change would allow you to detect breaches more quickly and would reduce complexity all while directly reducing the cost of a data breach? Consider the following:
- Attackers go from initial access to lateral movement in an average of 1 hour and 38 minutes.
- Skilled nation-state attackers can go from initial access to lateral movement in less than 20 minutes.
- It takes weeks to months to effectively detect and contain breaches from most organizations.
- The cost of a data breach is directly related to the amount of time it takes to detect and contain the breach.
- Using traditional detection technologies, around 1 in 3 alerts seen by Security Operations Center (SOC) personnel are false positives resulting in higher IT/security costs.
- Cyber deception has been proven to be a high fidelity, low noise detection solution resulting in lower SOC operations costs.
- Cyber deception has been proven to reduce dwell time by 91% thereby significantly reducing breach costs.
Long story short, cyber deception can reduce dwell time and thus also reduces breach costs. That means that failure to consider cyber deception is an active decision to accept increased SOC costs, increased breach costs and increased breach harm.
Cyber deception is misunderstood by many. Some believe cyber deception is nothing more than honeypots while others view it as the “nice to have” cherry on the top of an already robust security program sundae. The belief that cyber deception is simply a rebranding of the honeypots of yesteryear has been addressed elsewhere. Over the following weeks we are going to discuss whether cyber deception is an optional or a mandatory component of any security program. We will also cover where cyber deception fits into different cyber security maturity levels. Let’s begin with understanding why cyber deception should be considered mandatory.
Dwell time is defined as the number of days an attacker is present in a victim environment before they are detected. According to the 2022 M-Trends report from Mandiant/FireEye, the median dwell time is 28 days. This information is derived from investigations Mandiant/FireEye conducted over a 15-month period from October 1, 2020, through December 31st, 2021. According to the 2022 Ponemon Institute Cost of a Data Breach study, the average amount of time it takes to detect an attacker is 212 days. These numbers can be a bit confusing and should be extremely concerning. There are two fairly obvious questions that stem from these data points. First, why is there a large discrepancy between the M-Trends report and the Ponemon Institute report? Second, assuming the M-Trends report is more reflective of your organization, should you be worried about dwell time?
As to why there is a large difference between the Ponemon and Mandiant/FireEye dwell time numbers, some speculation is required. The M-Trends report is derived from incidents handled by Mandiant/FireEye over a 19-months period. As such, it does not reflect an overall industry average but reflect the average (actually median) of organizations who contract with Mandiant/FireEye for incident response. These are typically organizations with “better than average” security programs and thus the M-Trends report reflects a best-case scenario. The Ponemon report data is derived from a study of 537 breaches and involved nearly 3,500 interviews. As a result, the data in the Ponemon report reflects a more typical organization. It is also likely that the difference between average and median could play a factor. If a relatively small number of incidents had exceptionally long dwell times, that could significantly affect the average (Ponemon) while having a relatively small impact on the median (M—Trends). Rather than debating whether the “real” number is 212 days or 28 days, it is more important to ask whether allowing an attacker to remain on your network for 212 days, or even for 28 days is acceptable.
Image provided by Canva.com