This week’s Ask the Expert is answered by Zeki Turedi, Technology Strategist, EMEA, CrowdStrike.
Ask the Expert: How can businesses protect themselves from constantly evolving threats? What is the 1 hour 58 minute breakout time and why is it so important for businesses’ security to beat it?
The threat landscape is ever changing and organisations need to keep track of specific threats, bad actors, and techniques that continue to cripple companies on a global scale. The UK is on the front line for cyber-attacks and our businesses are a key target due to the intellectual property and personal data they hold.
Looking back at some of the biggest threats from last year, WannaCry caused widespread devastation across the health sector, leaving large and small organisations with no working IT infrastructure in a matter of minutes. Based on military-grade espionage techniques, this epidemic was propagated through EternalBlue, an exploit for Windows systems which fell into the wrong hands. What made this attack so crippling was that it was already immune to traditional endpoint defence technologies, something that organisations had relied on for over 20 years. To protect themselves from these types of attacks, businesses need to enlist new security technologies and look for approaches that go beyond simple signature-based prevention.
Tactics and exploits used by eCrime groups are frequently picked up by nation states and vice versa, so these will likely proliferate. It takes more than patching and legacy AV to stand up to the increasing and different types of threat. Whitelisting, behavioural analytics and machine learning can each add a degree of improvement over signature-based detection. AI and the speed and power of the cloud are crucial to offer detection of new ransomware variants, and to identify and block attacks in the early stages before they can fully execute and inflict damage.
Email compromise has also grown rapidly over the past year and is a big threat to individuals and enterprises. In 2016, the Internet Crime Complaint Centre (IC3) received 12,005 business email complaints, amounting to losses of more than $360 million USD. Criminals compromise legitimate business email accounts via social engineering or computer intrusion techniques to conduct unauthorised transfers. We’ve observed a number of scamming techniques, including wire transfer attempts, payroll fraud and compromises that lead to spam and eCrime campaigns, notably one using the Netwire remote access tool, linked to Nigerian fraud, that affected companies in the energy, travel, financial and hospitality sectors.
Looking ahead, businesses will be under even more pressure to tackle breaches fast. Being aware of the current threats to your enterprise, making sure you have the right systems in place, and knowing how to respond rapidly are essential skills for security teams.
Our Global Threat Report identified that in 2017 it took an intruder an average of 1 hour and 58 minutes to break out from their point of entry to other parts of a computing system. This means that once an attacker has compromised your network, they can start moving laterally to other parts in under two hours. Security teams have this very small window of time to detect, investigate and then contain an intrusion before it becomes a breach. Businesses with a clear, rapid response protocol should be able to detect threats within 1 minute, investigate the threat within 10 minutes, and remediate it in one hour.
A well-prepared business should be able to resolve a breach in no longer than this. However, there are also a few methods that can help slow down attackers and make their attempts at lateral movement more visible, giving businesses more time to address and destroy the attacker. These include limiting user account permissions, application whitelisting, segregating users and networks, and aggressively applying available patches.
To defeat these threats, businesses need to be able to beat the 1 hour 58 minute average. It’s necessary for enterprises to shift from being reactive to using proactive cybersecurity techniques focused on identifying malicious behaviour.
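As an added illustration of the 1-10-60 benchmark and the 1 hour 58 minute breakout time described above (example code written for this page, not CrowdStrike's own tooling), the script below takes a response team's incident timeline (time of initial compromise, detection, end of investigation, remediation) and reports how long each phase took, whether each met its target, and whether the whole response finished inside the average breakout window. The timelines are constructed sample data, and measuring each phase from the previous milestone is an assumption about how the rule is applied that the article does not spell out.

```python
from datetime import datetime, timedelta

# Benchmarks stated in the article: the 2017 average breakout time and the
# 1-10-60 response targets (detect / investigate / remediate).
BREAKOUT_TIME = timedelta(hours=1, minutes=58)
PHASE_TARGETS = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "remediate": timedelta(hours=1),
}

# Milestones in the order a response team records them. Each phase is
# measured from the previous milestone (assumption, see lead-in).
MILESTONES = ["initial_compromise", "detected", "investigated", "remediated"]
PHASE_NAMES = ["detect", "investigate", "remediate"]

# Constructed sample timelines (not real incident data).
FAST_TIMELINE = {
    "initial_compromise": "2018-03-01T09:00:00",
    "detected": "2018-03-01T09:00:45",
    "investigated": "2018-03-01T09:09:30",
    "remediated": "2018-03-01T09:55:00",
}
SLOW_TIMELINE = {
    "initial_compromise": "2018-03-01T09:00:00",
    "detected": "2018-03-01T09:20:00",
    "investigated": "2018-03-01T10:05:00",
    "remediated": "2018-03-01T11:30:00",
}


def parse_timeline(timeline):
    """Validate milestone keys and ordering; return datetimes in milestone order."""
    missing = [m for m in MILESTONES if m not in timeline]
    if missing:
        raise ValueError(f"timeline is missing milestones: {missing}")
    stamps = [datetime.fromisoformat(timeline[m]) for m in MILESTONES]
    for earlier, later, name in zip(stamps, stamps[1:], MILESTONES[1:]):
        if later < earlier:
            raise ValueError(f"milestone {name!r} precedes the one before it")
    return stamps


def assess(timeline):
    """Return phase durations, per-phase target results and the breakout check."""
    stamps = parse_timeline(timeline)
    durations = {
        name: end - start
        for name, start, end in zip(PHASE_NAMES, stamps, stamps[1:])
    }
    met = {name: durations[name] <= PHASE_TARGETS[name] for name in PHASE_NAMES}
    time_to_contain = stamps[-1] - stamps[0]
    return {
        "durations": durations,
        "met": met,
        "time_to_contain": time_to_contain,
        # The response has to finish before the intruder's average breakout.
        "beats_breakout": time_to_contain < BREAKOUT_TIME,
    }


def report(timeline):
    """Human-readable summary of assess() for one timeline."""
    result = assess(timeline)
    lines = []
    for name in PHASE_NAMES:
        status = "met" if result["met"][name] else "MISSED"
        lines.append(
            f"{name:<12} {result['durations'][name]}  "
            f"(target {PHASE_TARGETS[name]}, {status})"
        )
    verdict = "inside" if result["beats_breakout"] else "OUTSIDE"
    lines.append(
        f"total        {result['time_to_contain']}  "
        f"({verdict} the {BREAKOUT_TIME} breakout window)"
    )
    return "\n".join(lines)


if __name__ == "__main__":
    for label, timeline in (("fast response", FAST_TIMELINE),
                            ("slow response", SLOW_TIMELINE)):
        print(f"--- {label} ---")
        print(report(timeline))
```

Feeding the script real milestones from an incident ticket or SIEM case record gives a quick read on which phase of the 1-10-60 rule a team is missing, which is usually more actionable than the single end-to-end number.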