EMEA Attack Dwell Time Hits 175 Days

EMEA organizations take around 2.5 months longer to spot hackers inside their networks than the global average, but are getting better at discovering breaches internally, according to FireEye.

The security vendor’s annual M-Trends report put the global median dwell time at 101 days, growing to 175 days for EMEA, but standing at just 75.5 days in the Americas.

Dwell time is important as the longer an adversary is inside an organization’s network, the more information they could lift, the deeper into private systems they could penetrate and the more expensive the eventual clean-up and remediation may be.

On the plus side, global organizations are getting better at finding the attackers themselves, rather than being notified by law enforcement or another party.

Globally the median dwell time for internally discovered incidents was 57.5 days, dropping to 42.5 days in the Americas and just 24.5 days in EMEA.

Stuart McKenzie, vice-president of Mandiant at FireEye, claimed the growth in EMEA median dwell time of 40% from the previous year was disappointing, especially given the imminent arrival of the General Data Protection Regulation (GDPR), which mandates that organizations get better at spotting and preventing breaches.

“However, on the positive side, we’ve seen a growing number of historic threats uncovered this year that have been active for several hundred days,” he added. “Detecting these long-lasting attacks is obviously a positive development, but it increases the dwell time statistic.”

FireEye also claimed that skills gaps within organizations may be affecting their ability to respond quickly to incidents: either because staff aren’t experienced enough to spot attacks, or because they over-rely on automated systems which themselves have been poorly configured by inexperienced staff.

The finance sector was the hardest hit in EMEA, accounting for 24% of Mandiant investigations last year, followed by government (18%).

Interestingly, the report revealed that firms targeted once are likely to be hit again: 59% of Mandiant detection and response customers globally were targeted by the same or a similarly motivated group, and 49% of customers that experienced at least one “significant” attack were successfully attacked again within the next year.
