
Cybersecurity study

Andrea Gillhuber

Germany is too slow for hackers

At the speed with which companies currently respond to attacks on their IT infrastructure, attackers have an easy time of it. And they do not even have to be particularly clever. A recent study by CrowdStrike shows why this is the case.

Companies react too slowly to hacker attacks. This is the result of the Global Security Attitude Survey 2019, which surveyed 1,900 IT decision-makers and security experts from the USA, Canada, the UK, Germany, Japan, France and other countries. It clearly shows that companies are still a long way from being able to meet attackers on an equal footing and put a stop to them quickly enough. On a global average, it takes them almost seven full days to detect, analyze and resolve attacks on their networks - in Germany even more than eleven days.

On the one hand, this situation is worrying, as hackers - especially state-organized attackers - act much faster. On average, cyber actors need only two hours after penetrating a company network to move on towards their target (breakout time, see Global Threat Report 2019). Administrators therefore usually have less than two hours to detect an intruder and remove it from the system before it can compromise other IT systems from its original entry point and cause enormous damage. However, particularly fast attackers, such as groups organized by Russia, need less than half an hour to spread through the networks of target companies.


On the other hand, the situation described is critical because, for a long time now, no company has been immune to malicious attacks with serious consequences. No one can close their eyes and claim that they are not of interest to hackers from abroad or with financial intentions. Every company is exposed to this danger and can regularly observe attempted attacks on its own network. It is generally accepted that speed is the key factor in protecting against such threats. But what does this mean in detail and how can sufficient speed be determined?

Components of a rapid response

The general demand for speed is difficult to grasp, so concrete reference values are needed. The 1-10-60 rule can help companies. It is a metric that IT managers can use to measure the response times of their team. The rule itself is derived from the capabilities of the world's best IT teams and the attack times of the fastest attackers. The 1-10-60 rule should be understood by companies as a guideline for their IT security. It represents the gold standard, so to speak, and consists of the following three components:

Detect: A security incident must be detected within one minute.

Investigate: In order to take the right action, the incident must be analyzed, understood and classified within 10 minutes. This part consists of triage and the actual investigation.

Containment: The attacker must be removed from the network within 60 minutes so that they can cause as little damage as possible.
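
To make the three reference values measurable, the following added example (not part of the original article or of the study) checks incident timelines against the 1-10-60 rule. The record fields, the sample incidents and the choice to measure each budget per phase are assumptions; the German averages are the survey figures quoted in this article, with "fix" mapped to containment.

```python
from datetime import datetime, timedelta

# Budgets of the 1-10-60 rule in minutes.
# Assumption: each budget applies to its own phase, not to elapsed total time.
BUDGET_MIN = {"detect": 1, "investigate": 10, "contain": 60}
ONE_MIN = timedelta(minutes=1)


def phase_minutes(incident):
    """Return the minutes spent in each phase of one incident record."""
    t = {k: datetime.fromisoformat(v) for k, v in incident.items() if k != "id"}
    if not t["intrusion"] <= t["detected"] <= t["classified"] <= t["contained"]:
        raise ValueError(f"{incident['id']}: timestamps out of order")
    return {
        "detect": (t["detected"] - t["intrusion"]) / ONE_MIN,
        "investigate": (t["classified"] - t["detected"]) / ONE_MIN,
        "contain": (t["contained"] - t["classified"]) / ONE_MIN,
    }


def breaches(minutes):
    """Map each phase that exceeds its budget to its overrun factor."""
    return {p: round(m / BUDGET_MIN[p], 1)
            for p, m in minutes.items() if m > BUDGET_MIN[p]}


def compliance_rate(incidents):
    """Share of incidents that meet all three budgets."""
    ok = sum(1 for i in incidents if not breaches(phase_minutes(i)))
    return ok / len(incidents)


# Constructed sample records (hypothetical field names and timestamps).
INCIDENTS = [
    {"id": "INC-001", "intrusion": "2019-11-04T09:00:00",
     "detected": "2019-11-04T09:00:40", "classified": "2019-11-04T09:08:00",
     "contained": "2019-11-04T09:55:00"},
    {"id": "INC-002", "intrusion": "2019-11-05T14:00:00",
     "detected": "2019-11-05T14:00:30", "classified": "2019-11-05T14:25:30",
     "contained": "2019-11-05T15:10:30"},
]

# German averages from the survey (184 h, 11 h, 75 h), converted to minutes.
GERMAN_AVG = {"detect": 184 * 60, "investigate": 11 * 60, "contain": 75 * 60}

if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc["id"], breaches(phase_minutes(inc)) or "within 1-10-60")
    print("compliance rate:", compliance_rate(INCIDENTS))
    print("German averages, overrun factors:", breaches(GERMAN_AVG))
```
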

The study asked the participants whether these times are adhered to in their respective companies. As a result, only five percent stated that their measures to defend against malicious processes in the network are so effective that they comply with the 1-10-60 rule. Almost all of them are therefore too slow and must assume that sooner or later an attacker will penetrate far enough to cause serious damage. 95% of companies in the world's most important industries are not sufficiently prepared to respond to attacks from the biggest cyber adversaries within the breakout time. The majority of respondents (80 percent) state that they have not been able to prevent intruders from accessing their target data in the last twelve months. According to 44 percent, the reason for this is that detection is too slow.

The most important results for German companies

The assessment of the experts surveyed in German companies regarding existing response times is particularly sobering in an international comparison. In a global comparison, they perform well below average. They need:

184 hours to detect an attack; the global average is 120 hours.

11 hours to analyze it; the global average is also 11 hours.

75 hours to fix it; the global average is 31 hours.

In contrast, German companies are much better at analyzing the identities of hackers. In 53% of cases, they can clearly identify the attackers, putting them on a par with the USA. As far as the type and identity of the attackers are concerned, German companies are particularly worried about falling victim to an attack by e-crime actors with a financial motivation and the associated ransom demands. Only 14% of respondents see attacks by groups coordinated by nation states such as China, North Korea or Russia as an immediate threat.

Misplaced trust in existing legacy infrastructure

Companies fail to achieve the reaction speed required to detect sophisticated nation-state adversaries targeting all types of organizations. It remains to be seen whether this is due to a false understanding of security and the associated lack of willingness to act, or a lack of know-how. What is certain, however, is that there is still too much trust in the existing legacy infrastructure. However, this does not meet today's security requirements, which require a holistic approach to stop threats. Forward-thinking organizations should therefore adopt an approach that provides teams with comprehensive visibility and protection to meet a wide range of security and operational requirements.

Tuncay Eren, Director of Sales at CrowdStrike / ag
