Comments by: Tim Mackey, Principal Security Strategist at Synopsys Cybersecurity Research Center (CyRC)
Each year the IBM Cost of a Data Breach report provides a wealth of insights into the business impact of a data breach. This year, what caught my eye was the length of time it took to identify and contain a breach, which increased by a week from the 2020 analysis to 287 days.
Arguably, the COVID-influenced remote work environment we saw for much of 2020 shouldn't have a large impact on breach identification and containment, but that wasn't the case. Organisations that adopted more than 50% remote work saw an increase of 46 days to identify and 12 days to contain a breach.
With a remote workforce, normal IT defences are stretched to include the remote work environment, which is fundamentally an unmanaged environment. It then isn't overly surprising to find that compromised credentials, phishing and social engineering resulted in times to identify and contain a breach that exceeded the baseline of 287 days.
This situation might cause some business leaders to focus their cyber defence efforts on the people side of the security equation, but the telling stat relates to how long it took to identify and contain a breach associated with third-party software.
With several high-profile software supply chain attacks in the last six months, it should be deeply concerning to learn that in 2020 it took 286 days on average to identify and contain a breach that started with an exploited software vulnerability. While some zero-day attacks will factor into this stat, the reality is that software patch management is automation-friendly, making this stat something that is resolvable.
Since it isn’t resolved, that speaks to a blind spot in patch management – one which likely is based on an assumption that vendors push update notifications to their customers. That assumption may be true for some commercial suppliers, but it isn’t true for open source software or otherwise freely downloadable software.
After all, if the download site doesn't know who you are, they can't push updates to you. This means that any patch management solution that doesn't have a complete inventory of all software used in a business, regardless of origin, can't possibly identify all outstanding patches. Cyber criminals know such a blind spot exists, but closing it is easy.
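The inventory point above can be shown concretely. The following is an added example, not code from the commentary or from Synopsys: it reconciles a software inventory that records each component's origin and whether its supplier pushes update notices against a list of advisories, and reports which outstanding patches nobody would have been told about. The inventory, component names, version numbers and advisory identifiers (`ADV-…`) are all constructed for illustration and do not refer to real products or real advisories.

```python
"""Reconcile a software inventory against fix advisories, regardless of origin.

Added example. Every component, version and advisory below is constructed;
none of the names or ADV identifiers refer to real software or real advisories.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str          # installed version, e.g. "1.8.3"
    origin: str           # "commercial" or "open-source"
    vendor_notifies: bool  # does the supplier push update notices to us?


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str         # first version that carries the fix
    advisory_id: str      # constructed identifier, not a real advisory


# Constructed inventory: one commercial product whose vendor emails us about
# updates, and two freely downloaded components whose download sites cannot.
INVENTORY = [
    Component("example-erp", "4.2.1", "commercial", vendor_notifies=True),
    Component("libexample", "1.8.3", "open-source", vendor_notifies=False),
    Component("freetool", "2.0.0", "open-source", vendor_notifies=False),
]

# Constructed advisory feed (the kind of data a vulnerability database or an
# SCA tool would supply once it knows what you run).
ADVISORIES = [
    Advisory("example-erp", "4.3.0", "ADV-0001"),
    Advisory("libexample", "1.8.4", "ADV-0002"),
    Advisory("freetool", "2.0.1", "ADV-0003"),
    Advisory("other-lib", "3.1.0", "ADV-0004"),  # not in our inventory
]


def version_key(version: str) -> tuple:
    """Turn a dotted version into a comparable tuple of integers.

    Non-numeric suffixes such as "rc1" are ignored, so "2.0.0-rc1" sorts as
    2.0.0; that is good enough for a release-to-release comparison here.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def outstanding_patches(inventory, advisories):
    """Pair each inventoried component with every advisory whose fix version
    is newer than what is installed.

    A component that is not in the inventory can never appear in the result,
    whatever the advisory feed says: that is the blind spot the text describes.
    """
    by_name = {c.name: c for c in inventory}
    found = []
    for adv in advisories:
        comp = by_name.get(adv.component)
        if comp is None:
            continue
        if version_key(comp.version) < version_key(adv.fixed_in):
            found.append((comp, adv))
    return found


def silent_gaps(inventory, advisories):
    """Outstanding patches for components whose supplier cannot push a notice.

    Without the inventory, nothing upstream would ever raise these.
    """
    return [(c, a) for c, a in outstanding_patches(inventory, advisories)
            if not c.vendor_notifies]


if __name__ == "__main__":
    full = outstanding_patches(INVENTORY, ADVISORIES)
    commercial_only = [c for c in INVENTORY if c.origin == "commercial"]
    partial = outstanding_patches(commercial_only, ADVISORIES)
    print(f"complete inventory: {len(full)} outstanding patches")
    print(f"commercial-only inventory: {len(partial)} outstanding patches")
    for comp, adv in silent_gaps(INVENTORY, ADVISORIES):
        print(f"  no vendor notice: {comp.name} {comp.version} "
              f"-> fixed in {adv.fixed_in} ({adv.advisory_id})")
```

Running it shows the point of the text: with only the commercial product inventoried, one outstanding patch is found; with the open-source components recorded as well, three are found, and the two that no supplier would have announced to you are exactly the ones the inventory made visible.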