Organizations are failing at early breach detection

A recent Gartner report, “Using SIEM for Targeted Attack Detection,” finds that 85% of breaches go undetected. Those that are detected are often discovered long after the attack took place. Some cases are extreme, such as Nortel’s network, which attackers accessed for 10 years before the intrusion was discovered, while others are detected days or weeks later. The failure to detect breaches quickly is not limited to external breaches such as those carried out by hackers. Carnegie Mellon found that theft of data by insiders, when it is discovered at all, is revealed on average 31 days after the theft.

As you would expect, the longer a breach goes undetected, the more data is stolen. Undetected breaches also increase the harm done to consumers, because attackers have more opportunity to use the data they steal: creating fake identities, ordering goods with stolen credit cards, and committing fraud with stolen credentials, among a host of other activities. This is yet another reason why customers and clients are unhappy with organizations’ responses to data breaches.

Early detection reduces the impact of a breach by preventing additional data from being stolen and by depriving attackers of the time they need to monetize what they have already taken. It also makes it easier to identify the attackers, who have less time to cover their tracks. Valuable evidence such as server logs is often overwritten over time, and it becomes harder for employees to remember the details of the date and time in question.

Companies can improve response time by implementing real-time monitoring solutions with alerting functions. For real-time monitoring to be effective, the organization needs trained employees who will receive and act on the alerts. This may require several shifts to cover the entire day, or staff who are on call. Of course, real-time monitoring can also be outsourced.

A well-defined incident response plan will also help the organization address a data breach quickly and effectively when one does occur. Identify in advance the people inside the organization, and the consultants or outside experts, who can help when a breach occurs.

Feel free to download the early breach detection ribbon below as a reminder.

About The Author

Eric Vanderburg

Eric Vanderburg is an author, thought leader, and consultant. He serves as the Vice President of Cybersecurity at TCDI and Vice Chairman of the board at TechMin. He is best known for his insight on cybersecurity, privacy, data protection, and storage. Eric is a continual learner who has earned over 40 technology and security certifications. He has a strong desire to share technology insights with the community. Eric is the author of several books and he frequently writes articles for magazines, journals, and other publications.


  1. We use Microsoft System Center tools to monitor and aggregate the logs from servers. What tools do you recommend that work with Microsoft System Center for breach detection? I think we are using Forefront.

    1. Allen,

      Microsoft System Center will collect and analyze the logs from Windows servers using its Audit Collection Services (ACS), but it does not include pattern matching algorithms for events from Linux machines and network infrastructure devices such as switches and firewalls, which can be important in detecting breaches. You might need a second solution to manage these devices. Script an export of the System Center logs to the other tool if you want a single dashboard of events.

      Forefront and System Center work well together to implement network access control, antivirus, antimalware, and a form of host-based intrusion detection, but Forefront does not include Data Loss Prevention (DLP) features such as auditing the use of removable media such as flash drives. You can, however, add in extensions to accomplish this. Here is an article that discusses extending this functionality, and here is a video on the Squadra extension. (NOTE: This is a technical video.)
