A new report from independent research firm Vanson Bourne titled The 2019 Global Security Attitude Survey studies how organizations assess their cybersecurity readiness in the face of an increasingly complex global threat landscape. The CrowdStrike®-sponsored study surveyed 1,900 senior IT decision-makers and professionals across the U.S., Canada, U.K., Mexico, Middle East, Australia, Germany, Japan, France, India and Singapore, drawing respondents from a wide range of industries. Among the findings, the study indicates that an overwhelming majority of organizations lack the cybersecurity readiness to stop an intruder from accessing their networks and data. In fact, 80% of respondents reported that their organizations were unable to prevent intruders on their networks from accessing their targeted data in the past 12 months.

Why Intrusions Are Successful

Focusing on speed to detect, respond, and remediate as a key indicator of an organizations’ cybersecurity preparedness, the survey delved into the time it takes organizations to deal successfully with an intrusion. CrowdStrike has long recommended that organizations strive to meet the 1-10-60 rule — detect within one minute, triage in 10 minutes and contain and remediate within 60 minutes. However, the vast majority of organizations in this survey are far from fulfilling these metrics, which are dictated by what CrowdStrike calls “breakout time.” Breakout time measures how long it takes an intruder to start moving laterally within a victim’s network once a machine has been compromised. Organizations must be able to surpass breakout time if they are to stop an intruder before damage ensues. In the survey, respondents reported that it takes them an average of almost seven days working round the clock to detect, investigate and contain a cybersecurity incident — 162 hours. Containment alone takes an average of 32 hours once an incident has been detected and investigated. The survey also reveals that this lack of cybersecurity readiness is widespread, with 95% of respondents claiming that can’t get near the 1-10-60 time frame.

Where IT Teams Focus Is Key

Although 86% of survey respondents consider the ability to detect an intruder within one minute a “game-changer,” only 19% see detection as their primary focus for readiness. Almost double that — 39% — believe their primary focus should be on preventing access. When asked what is keeping them from achieving faster detection, the answers ranged from lack of cybersecurity resources, to shadow IT and network fragmentation.

At the investigation phase of the 1-10-60 rule, four in ten respondents found that having more knowledge of “the who, what and why” of an attack is essential. In fact, 67% feel that knowing more about their attackers and their motivations is critical to protecting the data the threat actor is targeting. However, the study also found that it takes organizations an average of five hours to triage a threat and six hours to fully understand it — and only 53% of respondents report ever being able to discover the identity of the threat actor they are dealing with.

When it comes to containment and remediation — 33% believe they can accomplish this within an hour, once the attacker is detected and investigated. However, because average detection and investigation times are so protracted, achieving complete recovery within an hour seems unlikely.

Types of Attacks Vary

Earlier this year, CrowdStrike released the The 2019 Global Threat Report that provided valuable insights into the cyber adversaries organizations face and the type of tradecraft they are leveraging to carry out their attacks. The threat report also delineated the breakout times of threat actors, which highlighted the importance of knowing as much about your attacker as possible. Breakout times ranged from a mere 18 minutes for Russian adversaries — to over nine hours for eCrime actors.

The threat report also showed that some nation-state actors are employing typical eCrime objectives, like stealing money, while many eCrime actors are gaining access to more sophisticated nation-state-style tools via hacker forums. The prospects of advancing readiness in an evolving ecosystem of threats is further highlighted by the results of the security attitude survey: Globally, organizations are ill-prepared to thwart the adversaries that are targeting their networks.

Here are some additional findings from The 2019 Global Security Attitude Survey:

In comparison to the findings from last year’s survey, software supply chain attacks increased this year — more than doubling from 16% to 34% among the respondents. Surprisingly, this year’s study also shows that that concerns around these attacks actually diminished, from 33% of respondents in 2018 to 28% in 2019.

Ransomware continues to be pervasive: The number of organizations that paid a ransom to decrypt and retrieve their data grew substantially, from 14% in 2018 to 40% this year.

Organizations realize the danger nation-state attacks pose, with 94% of global respondents acknowledging that their organization might be at risk of a nation-state-sponsored attack. This risk was most significant for respondents in India (99 %), Singapore (99%) and the U.S. (94%).

Organizations Must Change Their Approach

While the 1-10-60 rule is the Gold Standard security teams should strive to achieve, the study clearly shows that organizations are severely lacking in their abilities to not only detect and prevent an attack, but also to respond to and remediate the incident. In fact, 95% of respondents acknowledge that something more needs to be done to prevent a breakout once an intruder is in the network. To improve their abilities to achieve this, they advocate a variety of solutions from increasing budgets, training and additional staff, to having a more comprehensive understanding of the attackers targeting their organizations, and taking a more proactive “threat hunting” approach to readiness.

Clearly, a reliance on legacy infrastructure, exacerbated by a lack of resources and expertise, has hampered organizations’ abilities to mount an effective defense against the adversaries they face.

CrowdStrike Recommendations

The 2019 Global Attitude Survey reveals that organizations need to speed up response times, adopt proactive behavior-based prevention techniques, and close the security gaps that make them vulnerable to attack. The following is a summary of the recommendations included in the report:

Employ Solutions With Threat Hunting: Forward-leaning organizations that are in the crosshairs of sophisticated adversaries should employ proactive threat hunting capabilities — whether via an internal team or by deploying a managed detection and response (MDR) service such as Falcon OverWatch™. This allows organizations to rapidly detect, investigate and remediate intrusions before adversaries can accomplish their objectives and cause a data breach. A focus on hands-on-keyboard activity versus alert management is critical.

Rapid Remediation Capabilities Prevent Small Problems From Becoming Large Ones: The availability of contextualized threat intelligence is critical to speeding investigation and response. Having this information at your fingertips allows security teams to understand incidents more fully and make more informed decisions to get ahead of future attacks. Falcon X™ is CrowdStrike’s industry-leading threat intelligence solution. Integrated with Falcon endpoint protection, it delivers the context you need to predict future attacks and deploy proactive countermeasures.

Next-Generation Security Solutions Are Key: Modern enterprises should employ solutions that offer both behavioral analytics and machine learning (ML) to stop malware attacks, and also go beyond malware to detect indicators of attack (IOAs) that can identify attacker activity as it’s in progress. This is key to eliminating or reducing damage. Integrating an endpoint detection and response (EDR) solution such as Falcon Insight™ will not only reduce the detection cycle, it operates at a pace that can disrupt the abilities and operations of adversaries targeting your organization. In addition, organizations can immediately raise their cybersecurity maturity levels by adding a comprehensive platform such as Falcon CompleteTM, which combines next-generation AV, EDR, proactive threat hunting, IT hygiene, and a team of experts, creating a single turnkey solution that handles all aspects of an organization’s endpoint security.

Proactive Security Is Critical: Preparing to deal with the next attack is an integral part of managing risk. That’s why proactively preparing and testing a security plan on a continual basis are necessary in the face of evolving attacker tradecraft. The CrowdStrike Services team not only provides market-leading Incident Response Services (see the Forrester Wave Incident Response Services, Q1 2019 and IDC MarketScape: U.S. Incident Readiness, Response and Resiliency Services 2018 Vendor Assessment reports) in the wake of an attack, but also offers organizations proactive services including tabletop exercises, red teaming, blue teaming, and other Advisory and Technical Assessment Services to ensure your cybersecurity maturity is at the level you need, providing an accurate evaluation of your current exposure and a roadmap for enhancing defenses.

Breakout Time Is a Critical Metric: As the survey reveals — very few organizations can even get close to achieving the 1-10-60 rule: one minute to detect, 10 to investigate and 60 to contain and remediate. In fact, it takes respondents an average of over 162 hours to complete those tasks. The CrowdStrike Falcon platform enables security teams to shorten the time to investigate and understand threats by providing deep context, seamlessly integrated threat intelligence and sophisticated visualizations.

Additional Resources