  • Tom Cummins

Two Data Breach Trends To Know Today

Massive data breaches still regularly dominate headlines. But below the fold, there is good news.

Cyber + Co., No. 4

On April 4, FireEye released its annual M-Trends report. Two key trends identified in the report concern who discovered the breach and how long it took them to do so. And for both, the trendlines are moving in the right direction — one up, the other down.

  • Internal detection rate up. The percentage of breaches that domestic organizations detect internally, rather than learn about from an external entity (such as law enforcement), is trending up.

  • Dwell rate down. The median “dwell time” (the number of days from first evidence of compromise to detection of attacker activity) is trending down.

These two trends are also connected, since incidents that are discovered internally tend to have a much shorter dwell time.


Internal detection rate up

As recently as 2011, 94% of breaches were detected by outsiders such as law enforcement, customers, or security researchers. Only 6% were detected internally.

Today, 64% of domestic breaches are detected internally.

And this improvement has real-world consequences.

Incidents identified internally tend to have a much shorter dwell time.


Dwell rate down

As recently as 2011, the global median dwell time was 416 days.

That is, the median number of days from first evidence of compromise to detection of attacker activity by the compromised organization was roughly 14 months.

Today, the global median dwell time is 101 days (a little more than three months).

This is still too high, of course, but it is a considerable improvement over just a few years ago.

And incidents with shorter dwell time tend to experience less data loss.

Moreover, the picture is even better domestically.

Regional variation

Thus, while the median dwell time in the Asia-Pacific region is a staggering 489 days, in the Americas it is 75.5 days. And although this is too high, it is substantially better than it was just a few years ago.


Dwell rate by mode of detection

For self-evident reasons, the mode of detection is also correlated with significant differences in median dwell time.

And incidents discovered internally have a median dwell time of roughly one-third of those discovered through external notification.

(Image courtesy of M-Trends 2018)


Note on the Data

These statistics are drawn from the breach investigations conducted by FireEye, a preeminent cybersecurity and incident response investigation firm. FireEye's market position may skew its statistics towards organizations that were notified of an incident by an outsider, since these organizations are probably less likely to be confident that they can investigate an incident that they failed to initially identify on their own.

More from FireEye on the M-Trends annual reports is available here.

And hat tips to Joe Uchill and Paul Rosenzweig, who have posted on the 2018 report.


About Cyber + Co.

Cyber + Co. is a periodic review of cybersecurity issues relevant to small businesses.

About the Author

Tom Cummins is the founder of Potomac Litigation. He has deep experience assisting clients in some of history’s largest data breaches, as well as a host of other cybersecurity incidents.
