The Unacceptable Time Gap Between a Breach and Its Detection

A recent report from NUIX stated that an attacker needs only 15 hours on average to breach a system and identify critical data. 88% of attacks originate via social engineering, which means that traditional perimeter controls such as firewalls, NAC and other network security tools will not block them: the user lets the attacker in. Cyber-criminals recognize which areas security teams prioritize and redirect their attacks accordingly.

Various breaches over the last few years including Marriott, Equifax, Adult Friend Finder and Yahoo underscore that our industry’s concept of security is failing. Time and time again, these large companies with substantial security budgets and resources were defeated by attackers.

What makes these breaches so head-scratching and disturbing is their lengthy detection times. On average, it takes 191 days to uncover a breach. Think of the damage that can be done during this span.


So why the massive lag?

Security experts will point out that organizations are all in when it comes to breach prevention, but light when it comes to breach detection. With social engineering, breaches will unquestionably continue to happen…even with the best controls. So why not focus more on what can be done to shorten detection and response times?

According to Anton Chuvakin, a security researcher at Gartner, the bigger issue is the complexity of networks. There is an overload of data that an organization has to comb through to find anomalies. Key system alerts can go unnoticed, which brings me to my next point.

We all know our industry is experiencing alert fatigue. To overcome this challenge, we need to apply algorithms that filter the data and display only what truly matters. We also need to work with the telemetry we already collect, rather than adding sources that further complicate the picture.

We at Lumu believe enterprises already have all the necessary information, but they need to be in a position to efficiently connect the dots. When petabytes of information are assigned to a small team, we absolutely must be precise and definitive in what we show.

If you think a missed alert or delayed detection will not happen on your network, then consider the Citrix breach. An attacker reportedly resided on the network for a full decade before ultimate detection. Think about how many employees came and went during this span.


Citrix surely updated their technology with new firewalls and controls, yet the attacker remained. Clearly it is not just about technology but more about our overall approach.

What can we do to avoid a 10-year or even a 191-day detection gap? The first step is to acknowledge that you are probably already compromised. Your pentest report may say otherwise, but you must understand that attackers will find a way.

When you accept that the enemy is inside, you stop thinking only about vulnerabilities and start thinking about IOCs (indicators of compromise). Your mission shifts to detecting breaches with speed and ultimately blocking the cybercriminal’s goal: data exfiltration.

With this new mindset, static analysts transform into engaged detectives who proactively uncover anomalous behavior. Security teams start embracing and leveraging the fact that criminals are placing their fingerprints all throughout the network.

DNS queries within your logs are gold when it comes to obtaining and matching fingerprints. Almost every connection a host makes, whether to a legitimate service or to a command-and-control server, begins with a name lookup, so the resolver logs give you a near-complete view of where your network is talking to and let you zoom in on suspicious activity. (Connections made directly to an IP address never touch the resolver, so DNS is a complement to, not a replacement for, flow and proxy logs.) The challenge is separating out the noise.
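As an added illustration of the two ideas above, matching DNS queries against known fingerprints and separating them from the noise, here is a small Python example. It is not Lumu's code or the page's; the log format, the IOC list, the allowlist and the thresholds are all assumptions made up for the example, and the log lines are constructed. It does two things the paragraph describes: flags queries at or under a known-bad domain (matching on label boundaries, so `notbad-c2.example` does not match `bad-c2.example`), and flags hosts that issue many distinct long, high-entropy subdomain labels to one domain, the pattern left behind by data exfiltration over DNS even when the domain is not yet on any IOC list.

```python
"""
Added example: match DNS query logs against indicators of compromise (IOCs)
and flag query patterns that suggest DNS tunnelling / exfiltration.
Log format, IOCs, allowlist and thresholds are assumptions for this example.
"""
import math
import re
from collections import defaultdict

# Assumed log format: "<ISO timestamp> <client IP> <queried name> <record type>".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A
2024-05-01T10:00:02Z 10.0.0.5 cdn.example.net A
2024-05-01T10:00:03Z 10.0.0.7 update.bad-c2.example A
2024-05-01T10:00:04Z 10.0.0.7 notbad-c2.example A
2024-05-01T10:00:05Z 10.0.0.9 0123456789abcdef0123456789abcdef.tunnel.example A
2024-05-01T10:00:06Z 10.0.0.9 fedcba9876543210fedcba9876543210.tunnel.example A
2024-05-01T10:00:07Z 10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.example A
2024-05-01T10:00:08Z 10.0.0.5 www.example.com A
"""

# Constructed IOC list: a domain assumed (hypothetically) to be C2 infrastructure.
IOCS = {"bad-c2.example"}
# Constructed allowlist: the organisation's own domain, used to cut noise.
ALLOWLIST = {"example.com"}


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def under_domain(qname, domain):
    """True if qname is domain itself or a subdomain of it (label-boundary safe)."""
    return qname == domain or qname.endswith("." + domain)


def registered_domain(qname):
    """Last two labels. Assumption good enough here; production code should use
    the Public Suffix List (names under co.uk etc. break this shortcut)."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of s (random-looking labels score high)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_allowlisted(qname, allowlist):
    return any(under_domain(qname, d) for d in allowlist)


def ioc_hits(records, iocs, allowlist=frozenset()):
    """Return (client, qname, matched_ioc) for every query at or under an IOC domain."""
    hits = []
    for r in records:
        if is_allowlisted(r["qname"], allowlist):
            continue
        for ioc in iocs:
            if under_domain(r["qname"], ioc):
                hits.append((r["client"], r["qname"], ioc))
                break
    return hits


def tunnelling_suspects(records, allowlist=frozenset(), min_unique=3,
                        min_label_len=24, min_entropy=3.5):
    """Flag (client, registered domain) pairs that issued many distinct, long,
    high-entropy leftmost labels: typical of data encoded into query names.
    Thresholds are assumptions; tune them against your own baseline."""
    labels = defaultdict(set)
    for r in records:
        q = r["qname"]
        if is_allowlisted(q, allowlist):
            continue
        base = registered_domain(q)
        if q == base:
            continue
        first = q[: -len(base) - 1].split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            labels[(r["client"], base)].add(first)
    return {k: len(v) for k, v in labels.items() if len(v) >= min_unique}


def analyze(log_text, iocs=IOCS, allowlist=ALLOWLIST):
    """Run both detections over a log and return the findings."""
    records = parse_log(log_text)
    return {"ioc_hits": ioc_hits(records, iocs, allowlist),
            "tunnelling": tunnelling_suspects(records, allowlist)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for client, qname, ioc in result["ioc_hits"]:
        print(f"IOC hit: {client} queried {qname} (matches {ioc})")
    for (client, base), n in result["tunnelling"].items():
        print(f"Possible DNS tunnelling: {client} -> {base} ({n} distinct high-entropy labels)")
```

On the constructed sample, the two queries for `www.example.com` are dropped by the allowlist (the noise), `update.bad-c2.example` from 10.0.0.7 is the one IOC hit, and 10.0.0.9 is flagged for three distinct 32-character high-entropy labels under `tunnel.example`. In a real deployment the allowlist would be built from your own baseline of known-good domains and the IOC set fed from threat intelligence; the value is that both checks run over telemetry the resolver already produces.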

Point your DNS queries to Lumu and the meaningful alerts surface on their own, letting you detect breaches with speed. Start your free trial today at

NUIX Report Link:
