HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Cyberattack Detection: Confidence High Even If Detection is Often Slow

Detecting a cyberattack promptly is critical in order to minimize the damage caused, but how quickly are cyberattacks actually detected?

Tripwire, a leading provider of advanced security and compliance solutions, set out to find out whether IT professionals believed they had the technology and policies in place to enable them to identify a cyberattack rapidly.

For the study, 763 IT security professionals from public sector organizations and the energy, financial services and retail industries were asked about the efficacy of seven key security controls that should be implemented to detect a cyberattack while it is taking place.

  • Accurate hardware inventory
  • Accurate software inventory
  • Continuous configuration management and hardening
  • Comprehensive vulnerability management
  • Patch management
  • Log management
  • Identity and access management

The results of the study have been published in the Tripwire 2016 Breach Detection Study.

Please see the HIPAA Journal Privacy Policy

Confidence High in Ability to Detect a Cyberattack…

The majority of respondents were confident that the measures they had put in place to detect a cyberattack would be effective at identifying an attack when it occurred, although a high percentage of respondents were not aware how long it would actually take to identify an intrusion or unauthorized device connected to the network.

When asked how long it would take for automated security solutions to send alerts to system administrators of a change to the configuration of an endpoint device, only 33% of respondents said they knew how long that configuration change would take to identify. 40% said they had a general idea of the time frame, while 27% either did not know or did not use automated tools to check configuration changes, even though changes to the configuration of end point devices is potentially a sign of malicious activity.

… Although Potential Intrusions May Not be Detected for Some Time

Of the respondents that did use automated solutions to monitor for configuration changes, 31% said that they would be alerted within minutes and 40% said it would take a matter of hours to identify configuration changes on networked devices.  However, just over one in five (22%) respondents said that it would take days to identify these potential signs of a cyberattack. 4% of respondents would not find out for weeks, and 3% would not find out for months.

Should an unauthorized device connect to a network, 8% of respondents said that their automated systems would not be able to detect it, while almost 13% of respondents were unsure if their systems were capable of detecting an unauthorized device. Only 79% of respondents could confirm that they would be able to detect an unauthorized device connecting, although almost 35% of respondents were not aware how long it would take.

When asked how long it would take for an alert to be generated, 46% of respondents said they would find out in minutes and 41% said it would take hours. 10% of respondents would not find out for days.

When it came to monitoring for unauthorized data access attempts, only 58% of companies with an annual revenue of $250 to $500 million would be able to detect all attempts. That figure rose to 68% for companies with an annual revenue in excess of $5 billion.

When security vulnerabilities were detected it often took companies longer than a month to plug the security holes. Almost half of federal government organizations were not able to detect or remediate security vulnerabilities within 15 to 30 days.

Healthcare respondents were asked about the success rate of implementing patches. 53% of respondents said they were successful more than 80% of the time. 29% said they were only successful 70%-80% of the time.

While technologies have been implemented to protect against cyberattacks and identify potential intrusions and malicious activity, many IT professionals were unaware how quickly they would discover a potential attack.

According to Tim Erlin, director of IT security and risk strategy for Tripwire, “IT managers and executives, who don’t have visibility into the time it takes to identify unauthorized changes and devices, are missing key information that’s necessary to defend themselves against cyberattacks.”

The survey was conducted by Dimensional Research. Further information on the breach detection study can be viewed on this link

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.