The study found that 75 percent of organizations reported having fixed time limits for investigating potential security incidents.
The study found that 75 percent of organizations reported having fixed time limits for investigating potential security incidents.

A recent study revealed that 44 percent of organizations in the U.K. fail to meet deadlines for investigating and reporting data breaches, and a lack of staff and automation may be to blame.

Three-quarters, or 75 percent, of organizations reported having fixed time limits for investigating potential security incidents and 7 percent said a missed deadline resulted in serious consequences, according to Balabit's Contextual Security Intelligence (CSI) report, which queried more than 100 IT and security professionals about security incident investigations.

Of those that had a fixed time limit to investigate a potential breach, 40 percent said it was done within a few hours, 14 percent said it had been done by the end of business day, 11 percent said it was within a few days, and five percent said within a few weeks or within a few months, respectively.

When asked if they were required to report the incidents to external authorities or other entities within a predefined time limit, 45 percent responded in the affirmative, 25 percent reported there was no time limit for reporting and 30 percent, said they do not need to report.

It's not a surprise to see a percentage like this and the percentage of organizations that can meet breach deadlines will most likely increase with the proliferation of RASP, DevOps and machine learning, Prevoty CTO and Co-Founder Kunal Anand told SC Media via email comments.

“Most organizations that deploy applications and manage electronic data lack visibility into what's happening in production environments. In the event of a breach, an organization has to look through all forensics to determine a root cause,” Anand said. “Unfortunately, most organizations lack the capability and maturity to consistently log security events and the protocols to review them for anomalies.

A lack of staff is another reason for the failure to meet deadlines as 55 percent of those surveyed had less than three people dedicated to investigating security alerts. The fewer the number of people on staff the less time on average each member will have to decide whether a security alert is a sign of an attack which needs further investigation or not.  

Twenty-five percent of respondents had between three and eight people dedicated to investigating security alerts, 8 percent had between nine and 15, 5 percent had between 16 and 50, and only 7 percent had more than 50.

Researchers noted that the results highlight that an average of 9.2 people on IT Security teams examining an average of 578 security alerts a day only have about 7 minutes per alert to decide whether they are under an APT attack.  

Automation helps organizations decide where to focus their efforts.

Researchers said in the report that automation could help address staffing issues by allowing it to cover the majority of the job to select usual activities based usual activities based on pre-de­fined rules and self-learning business intelligence algorithms, while only involving humans to handle unusual activities.

“Breaches are not created equal and it is especially difficult to know how big the issue is as one starts the investigation,” Balabit Product Manager Peter Gyöngyösi told SC Media via emailed comments. “As a result of that there's no single "good" limit that'd apply to all investigations and organization, rather one should strive to be as efficient as possible.”

Gyöngyösi went on to say the top priority must be to close false positives as fast as possible however, researchers must be sure to act quickly whenever presented with real breaches to prevent serious financial consequences.

"The Balabit survey identified that the primary reason for not being able to investigate data breaches in time is that organizations still do not understand their own data,” he said. “It is difficult for them to extract the necessary information from unstructured data with their existing tools and they lack the contextual information that would help transform this data into valuable, actionable information."

Jeff Hill, director of product Management at Prevalent, Inc. told SC Media it's important to remember that data and information are two separate things and while data is easy to collect it's much harder to gather valuable information from it.

“Investigating breaches is tedious, requires specific expertise, is increasingly difficult as attack vectors become more sophisticated, and is usually undertaken in a highly stressful and pressure-filled environment,” Hill said. “Current techniques often require the painstaking parsing of millions of logs and identifying subtle changes in behavior."