The hack of over 500 million Yahoo accounts could be the largest to hit a single email provider. It is also a big blow to the former Internet giant, now struggling to hold on to its user base. Yahoo claims over 1 billion monthly users across its multitude of services, though the exact number of email users is not known.
Rajpreet Kaur, Senior Research Analyst at Gartner, says the main challenge organisations are facing these days is the increasing gap between “time to compromise vs time to discover”. Organisations need to invest more on breach detection and response, she says. Interestingly, the Yahoo breach happened in 2014.
“As per Gartner’s Strategic Planning Assumption, by 2020 60 per cent of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 20 per cent in 2015. The disparity between the speed of compromise and the speed of detection is one of the starkest failures discovered in breach investigations,” Kaur said.
She quoted a 2015 report by Mandiant which said the average targeted malware compromise was present for 205 days before detection, the longest presence was 2982 days, and 69 per cent were discovered by external parties, not internal IT security functions. Additionally, the 2015 Verizon Data Breach Investigations Report highlighted that, “in 60% of cases, attackers are able to compromise an organization within minutes”.
“All organisations should now assume that they are in a state of continuous compromise. However, organisations have deluded themselves into believing that 100 per cent prevention is possible, and they have become overly reliant on blocking-based and signature-based mechanisms for protection. As a result, most enterprises have limited capabilities to detect and respond to breaches when they inevitably occur, resulting in longer ‘dwell times’ and increased damage,” she said.
Kaur suggests that organisations should work towards building an intelligence-driven SOC and use it to inform every aspect of security operations. To meet the challenges of the new “detection and response” paradigm, she says, an intelligence-driven SOC also needs to move beyond traditional defences, with an adaptive architecture and context-aware components.
She further adds that organisations would do well to deploy network and endpoint forensic tools for improved post-compromise response capabilities; use advanced analytics to operationalise security intelligence; and deploy an adaptive security architecture.