Targets for data breach or data leak detection & remediation

What does ‘good’ look like when it comes to detecting and remediating security violations?


The priority for InfoSec teams is to stop a data breach from taking place, or a data leak from happening or worsening. But what happens if they don’t succeed?

This is an increasing reality. The tightly integrated nature of today’s technology systems, the evolving tactics of well-resourced attackers, and the fact that security now depends on the compliance of more employees than ever mean that breaches and leaks are becoming a case of ‘when’, not ‘if’. Consequently, organisations must track their ability to react; in other words, how fast they can detect a leak or a breach and mitigate its consequences.

The first job is to understand what constitutes a data leak vs a data breach, so you know what you’re looking for.

The literal definitions are straightforward. A data breach has occurred when sensitive or confidential information is accessed by someone without permission, as a result of their persistent attempts to compromise a company's sensitive resources; it involves an attack of some kind.

A data leak, on the other hand, is not malicious but accidental, and is usually caused by unintentional exposure: sometimes it is simply someone finding a vulnerability that was already there, and may have existed for a very long time. It gets blurrier when someone shares sensitive data willingly (seeing it as required for their job, in the normal course of operations), sometimes with partners and external parties, but in a way that will eventually put the information at risk: sharing it with everyone who has the link instead of only specific parties, or with permanent instead of temporary access. Or even posting a database password to a Slack channel for immediate use, where it then remains indefinitely, ready for a malicious person to make use of it.

This raises all sorts of questions. Each organisation should have its own definitions and thresholds. Likewise, it needs its own set of targets for detecting and remediating intrusions, as well as for spotting leaks before a malicious party exploits them. Some of these will be driven internally (think risk appetite, security capabilities, scale and variety of the IT environment, and SLAs with customers, partners and suppliers). Other factors will be external, such as regulatory compliance.

What’s more, an organisation may want different targets for different sorts of incidents and infringements. Breaches of highly sensitive and valuable information should be dealt with urgently. So too must malware or DoS attacks, where the ramifications spread and grow with every passing minute. Data leaks may initially seem to pose less immediate danger (for example, an employee mistakenly sharing non-classified information) but must nonetheless be dealt with in a timely manner to avoid similar incidents happening again. If the company's cybersecurity culture is weak and does close to nothing to prevent employees from sharing sensitive information (in SaaS applications, for instance), it is a sword of Damocles constantly hanging over your head.

Despite these loose parameters, there are some broad standards that InfoSec executives can use to define the right detection and remediation targets for their organisation.

So what does good look like? Here are some statistics that InfoSec teams can use to inform their strategies.

  • 7 days - how long it takes an adversary to identify and take advantage of a known vulnerability. (Source: Automox)
  • 1hr 58m - the time it takes an intruder to move from the point of initial compromise to other machines and systems. Based on this, the 1-10-60 benchmark suggests that InfoSec teams have 1 minute to detect an attack in progress, 10 minutes to understand it, and 60 minutes to contain it. (Source: Crowdstrike)
  • 197 days - the average time it takes to detect a data breach. The energy sector has the fastest detection rate at 150 days, while entertainment companies take 287 days. (Source: IBM)
  • 205 days - the time it currently takes to patch an identified security vulnerability - known as Mean Time To Patch (MTTP). (Source: White Hat Security)
  • 69 days - the time it currently takes to contain a data breach once it’s been identified. (Source: IBM)
  • Indicators of compromise - though not a target as such, analyzing your network traffic for irregularities can provide early warning of an attack. These indicators include: unusual outbound traffic; anomalies in privileged user accounts; geographical deviations; a sudden increase in specific file requests; and mismatched port-application traffic, to name just a few. 
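Three of the indicators named above (mismatched port-application traffic, unusual outbound volume, and a sudden increase in requests for a specific file) can be checked mechanically. The following is an added example, not code from the original post: it runs those checks over constructed flow records, and the record layout, per-host baselines, port-to-protocol table and thresholds are assumptions for illustration.

```python
from collections import defaultdict, namedtuple

# One record per observed connection. Constructed sample data, not real traffic.
Flow = namedtuple("Flow", "ts src dst_port proto bytes_out path")
FLOWS = [
    Flow(0, "ws-01", 443, "tls", 1_200, None),
    Flow(5, "ws-01", 443, "tls", 900, None),
    Flow(10, "ws-02", 443, "ssh", 400, None),         # SSH on the HTTPS port
    Flow(15, "ws-02", 22, "ssh", 2_000, None),
    Flow(60, "ws-04", 443, "tls", 50_000_000, None),  # bulk upload from a workstation
] + [Flow(20 + i, "ws-03", 445, "smb", 300, "/finance/q3.xlsx") for i in range(6)]

# Assumed per-host outbound baselines (bytes per day) and port-to-protocol expectations.
BASELINE = {"ws-01": 5_000, "ws-02": 5_000, "ws-03": 5_000, "ws-04": 2_000_000}
PORT_PROTOCOL = {22: "ssh", 53: "dns", 80: "http", 443: "tls", 445: "smb"}

def mismatched_port_traffic(flows):
    """Flows whose application protocol is not the one expected on the destination port."""
    return [f for f in flows if PORT_PROTOCOL.get(f.dst_port, f.proto) != f.proto]

def unusual_outbound(flows, baseline, factor=10):
    """Hosts whose total outbound bytes exceed `factor` times their baseline."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.bytes_out
    return sorted(h for h, b in totals.items() if b > factor * baseline.get(h, 0))

def file_request_spike(flows, window=60, threshold=5):
    """(path, count) for each file requested more than `threshold` times within `window` seconds."""
    times = defaultdict(list)
    for f in flows:
        if f.path:
            times[f.path].append(f.ts)
    hits = []
    for path, ts_list in times.items():
        ts_list.sort()
        start = 0
        for end, ts in enumerate(ts_list):  # sliding window over sorted timestamps
            while ts - ts_list[start] > window:
                start += 1
            if end - start + 1 > threshold:
                hits.append((path, end - start + 1))
                break
    return hits

if __name__ == "__main__":
    print("mismatched:", mismatched_port_traffic(FLOWS))
    print("outbound:", unusual_outbound(FLOWS, BASELINE))
    print("spikes:", file_request_spike(FLOWS))
```

Each function returns the offending records or hosts rather than printing, so the same checks can feed an alerting pipeline and be measured against the detection targets listed above.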

Setting targets is one thing; meeting them is another. Increasingly, automation is the key. Security automation software and cloud-based sensitive data risk detection can look across your entire user base and attack surface to map sensitive data, alert you to data breaches as they happen, and trigger remedial measures in real time.


Get in touch today for a chat with our team and a demo of our product, or join our live webinar on April 20 about Cybersecurity Education and Enabling the 'Human Firewall', with the CISOs from Lemonade and tZERO Group.
