EMEA companies take three times longer to spot security breaches
Mandiant says EMEA organisations take 469 days to detect a breach, compared to a 146-day global average
Organisations in the EMEA region take as much as three times longer than global counterparts to detect when their systems have been compromised, according to research by FireEye's consulting arm, Mandiant.
The Mandiant M-Trends EMEA report shows that EMEA organisations took an average of 469 days to detect compromised systems, versus the global average of 146 days.
Organisations in the EMEA region were also much more likely to have to find breaches for themselves, with a much lower incidence of external agencies detecting threats. Only 12% of the observed compromises of organisations in EMEA were detected by an external source, compared to 53% of detections globally, and in 88% of incidents EMEA organisations discovered the breaches themselves.
"With threat actors targeting EMEA organisations with a multitude of motives from strategic intelligence to media impact and brand damage, concerns around advanced cyber threats have swiftly spread from the IT department up to the boardroom," said Stuart Davis, director at Mandiant. "The majority of organisations need to move away from the traditional methodology of responding to incidents as otherwise the dwell time will not decrease at a fast enough rate. This, coupled with the fact that some EMEA governments are at various levels of maturity with their national CERT capabilities / mandate has resulted in businesses being under tremendous pressure to detect threats themselves and, according to our statistics, they simply have not been quick enough to do so. From our observations, there are clearly some stark contrasts between EMEA and the rest of the world, which boardrooms in the region need to address."
The report was based on data collected during investigations conducted in EMEA by Mandiant's consultants during 2015. Researchers found that not only were EMEA organisations more likely to have to detect threats themselves, rather than relying on external intelligence, but they were also more likely to have already conducted their own forensic investigations which failed to eradicate the threat, and were also likely to be compromised again within a month of an initial breach.
The company said that the long average time before threats were detected meant that attackers had plenty of time to carry out malicious actions. The most common targets for data theft were database content (19%), infrastructure documents (18%) and intellectual property (18%).
"Fifteen months provides ample time for any attacker to progress through the full attack lifecycle and achieve multiple goals within their mission objectives. To put this into perspective, Mandiant's Red Team, on average, is able to obtain access to domain administrator credentials within three days of gaining initial access to an environment. Once domain administrator credentials are stolen, it is only a matter of time before an attacker is able to locate and gain access to desired information," the report said.
The most common attack vectors in EMEA were compromised web servers (38%), spear phishing (25%) and social engineering (13%).
The low detection rates and high levels of re-infection suggest that organisations are still opting for traditional forensic methodologies, analysing only a handful of machines and using unsuitable techniques to hunt for attacks, which results in a failure to understand the true scope of the incident. Mandiant researchers said that organisations in EMEA should focus on enhancing their overall security posture through improved incident detection and response capabilities.