Summary Bullets:  

• It takes only minutes for a sophisticated attacker to breach an enterprise network, but it can take months to uncover their presence.

• Reducing that time to discovery can minimize the damage done, but there are multiple ways to try to achieve faster detection.  Which route should you choose?

I had an interesting conversation the other day with a company in the still fairly small market niche called incident response, and it got me thinking about the evolution of the threat landscape and the time that it takes enterprises to respond to new market conditions – especially in the security market.  I think by now most large enterprise security administrators and CISOs understand that it is not a matter of if, but when their organization will experience a breach – one that could potentially be very painful for the whole organization.  But recognizing that sad fact does not help those administrators and executives understand the most effective way to tackle the new challenge presented by more sophisticated, stealthy, multi-stage attacks.  Exacerbating their dilemma is an increasingly porous enterprise perimeter, where computing workloads are shifted outside the traditional DMZ and end users are allowed (or go around policies that prohibit) access to corporate data from their own smartphones, tablets and even laptops.

But one thing is clear: the longer a stealthy attacker sits undetected in the enterprise network and its endpoints, the more damage they can do.  Verizon in its 2012 breach report found that in the vast majority of the breaches it reported for 2011, it took only minutes or seconds from the time the attack was initiated to the time of compromise.  At the same time, for just over half of those incidents, it took months to discover the initial compromise, and for almost a third it took weeks to discover.  Already vendors hawking a range of security products have seized on this fact to try to sell into this new threat landscape, whether they have the right tools for the job or not.  Is a more broadly deployed security information and event management system the right tool?  Or a network forensics product?  Or are incident response products and/or services such as those offered by Access Data, Guidance Software and Mandiant the best solution?  The answer will be different for each organization, and won’t be attained without a lot of research and a clear understanding of what the real requirements are and how much the organization’s CFO is willing to spend.  In the meantime, vendors looking to cash in on this new security pain will crank up the hype machine, causing plenty of confusion and lengthening the decision making cycles.  How long it will take for the smoke to clear is anyone’s guess.  How is your organization responding to the new threat landscape realities?  Do you agree that breaches are inevitable?