From Point of Entry to Compromise
The leather-clad Trinity, of Matrix fame, runs an Nmap port scan against a target IP address, detects a vulnerable SSH service and, a few keystrokes later, has root access to the power grid. This is the view many hold of the cyber threats we face, but the 2011 Verizon Data Breach Investigations Report (DBIR) tries to downplay this scenario and paints a distinctly different picture.
“Similar to previous years, we continue to observe that in over half of cases, an attacker needs a minimum of ‘days’ to successfully find and compromise data.”
From Leather Pants to Dragon Tattoos
Let’s hope you’re not the target of the fictional heroines of hackerdom, but the Verizon quote above is only “half” the story. Verizon’s analysis also reveals that 33% of the breaches succeeded in “minutes”, and another 14% in “hours”.
This is precisely why TriGeo lives by the mantra “seconds count”.
With so many breaches progressing quickly from “point of entry to compromise”, why does the Verizon team “believe that organizations would be better served to focus less on the ‘real-time’ methods of detection, and more on the ‘this week’ methods”?
It’s my view that this suggestion is born of sheer frustration, and of the reluctant acceptance that some detection, discovery and containment is better than none. We noted in our blog post “Log Management: Bad News, Good News” that the Verizon team found that none (zero, zilch, nada) of the breaches they investigated were detected with the aid of log analysis – real-time or otherwise.
A little damage goes a long way
Given its findings, Verizon has clearly set the bar pretty low, conceding that the short-term goal is to move the discovery timeframe from weeks and months to days. The net result, in its words, will be to “significantly reduce the damage done to your organization.”
This understandable, if misguided, advice is likely based on the assumption that real-time analysis is expensive, complex and generally out of reach – especially for the midmarket audience that needs it most. This is arguably the reality with enterprise Security Information and Event Management (SIEM) products that come with six- and seven-figure price tags, require full-time administration and take months to deploy.
If that were your only alternative, I’d be inclined to agree – a little damage is better than a lot – but any data loss can still destroy your reputation and your organization.
This is Not Hollywood
You’re not “a few keystrokes away” from being a victim. Even the breaches that are successful in minutes-to-hours generate a lot of noise associated with their probes and failures. The attacks that take days, weeks or even months to succeed leave even more evidence in their wake. Evidence that is meaningless if you’re not watching.
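To make the point concrete, here is an added example (mine, not TriGeo’s or Verizon’s code) of the kind of real-time rule that turns that noise into an alert: it streams constructed sshd log lines, flags a source that piles up failed logins inside a short window, flags again if that same source then logs in, and reports how many seconds elapsed between the first event and the first alert. The host name, addresses and timestamps are sample data I made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth log lines (sample data, not from any real host).
SAMPLE_LOG = """\
Jun 14 02:15:01 bastion sshd[4410]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Jun 14 02:15:04 bastion sshd[4414]: Failed password for root from 203.0.113.7 port 51841 ssh2
Jun 14 02:15:06 bastion sshd[4416]: Failed password for root from 203.0.113.7 port 51852 ssh2
Jun 14 02:15:09 bastion sshd[4418]: Failed password for root from 203.0.113.7 port 51860 ssh2
Jun 14 02:15:40 bastion sshd[4420]: Accepted password for root from 203.0.113.7 port 51877 ssh2
Jun 14 02:16:12 bastion sshd[4431]: Accepted publickey for alice from 198.51.100.5 port 40122 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse(line, year=2011):
    """Return (timestamp, result, user, source_ip), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect(log, threshold=4, window_s=60):
    """Stream lines in arrival order; alert once a source reaches `threshold`
    failures inside `window_s` seconds, and again if it then logs in."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged, alerts, first_ts = set(), [], None
    for line in log.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, result, user, src = ev
        first_ts = first_ts or ts
        q = failures[src]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # expire failures older than the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((ts, src, f"{len(q)} failed logins in {window_s}s"))
        elif q:                     # success right after a burst of failures
            alerts.append((ts, src, f"login as {user} after {len(q)} failures"))
    delay = (alerts[0][0] - first_ts).total_seconds() if alerts else None
    return alerts, delay            # delay: seconds from first event to first alert
```

Running `detect(SAMPLE_LOG)` fires the first alert 8 seconds after the first probe and a second one when the same source logs in, which is the difference between a “seconds” and a “this week” discovery timeframe.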
Real-time log analysis is available, affordable and purpose-built for the midmarket – the new “growth market” for attacks, according to the Verizon report. It’s time to set the bar much higher, and get your own tattoo: “Don’t Tread on Me”.
*** This is a Security Bloggers Network syndicated blog from TriGeoSphere authored by Michael Maloof. Read the original post at: http://blog.trigeo.com/2011/from-point-of-entry-to-compromise/

