The Unacceptable Time Gap Between a Breach and Its Detection

A recent report from NUIX stated that an attacker only needs 15 hours on average to breach a system and identify critical data. 88% of attacks originate via social engineering which means that traditional security controls such as firewalls, NAC and other network security tools will not block them. Cyber-criminals recognize that security teams prioritize certain areas and redirect attacks accordingly.

Various breaches over the last few years including Marriott, Equifax, Adult Friend Finder and Yahoo underscore that our industry’s concept of security is failing. Time and time again, these large companies with substantial security budgets and resources were defeated by attackers.

What makes these breaches so head-scratching and disturbing is their lengthy detection times. On average, it takes 191 days to uncover a breach. Think of the damage that can be done during this span.

So why the massive lag?

Security experts will point out that organizations are all in when it comes to breach prevention, but light when it comes to breach detection. With social engineering, breaches will unquestionably continue to happen…even with the best controls. So why not focus more on what can be done to shorten detection and response times?

According to Anton Chuvakin, a security researcher at Gartner, the bigger issue is the complexity of networks. There is an overload of data that an organization has to comb through to find anomalies. Key system alerts can go unheard, which brings me to my next point.

We all know our industry is experiencing alert fatigue. To overcome this challenge, we need to apply algorithms that scrub and display what truly matters. We also need to work with preexisting information that doesn’t complicate the situation.

We at Lumu believe enterprises already have all the necessary information, but they need to be in a position to efficiently connect the dots. When petabytes of information are assigned to a limited human resource, we absolutely must be precise and definitive in what we show.

If you think a missed alert or delayed detection will not happen on your network, then consider the Citrix breach. An attacker remarkably resided on the network for a full decade before ultimate detection. Think about how many employees came and went during this span.

Citrix surely updated their technology with new firewalls and controls, yet the attacker remained. Clearly it is not just about technology but more about our overall approach.

What can we do to avoid a 10-year or even 191-day detection gap? The first step is to acknowledge you are probably already compromised. Your pentest report may say otherwise, but you must understand attackers will find a way.

When you accept the enemy is inside, you stop thinking about vulnerabilities and start thinking about IOCs (indicators of compromise). Your mission shifts to detecting breaches with speed and ultimately blocking the cybercriminal’s target: data exfiltration.

With this new mindset, static analysts transform into engaged detectives who proactively uncover anomalous behavior. Security teams start embracing and leveraging the fact that criminals are placing their fingerprints all throughout the network.

DNS queries within your logs are gold when it comes to obtaining and matching fingerprints. They allow you to see all network activity and zoom in on suspicious activity. The challenge is separating out the noise.
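The following added example, which is not from the original post or from Lumu's product, matches DNS query log lines against an IOC domain list and reports how long each client has been contacting a flagged domain. The log format, the domain names and the function names are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed IOC list (hypothetical domains under reserved .example/.test TLDs).
IOC_DOMAINS = {"c2-update.example", "exfil-drop.test"}

# Constructed DNS query log, assumed format: "<ISO timestamp> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2024-01-03T09:14:02 10.0.4.17 www.intranet.example A
2024-01-03T09:14:05 10.0.4.17 cdn.C2-Update.example. A
2024-02-11T22:40:51 10.0.7.3 a1b2.exfil-drop.test TXT
2024-03-20T03:02:10 10.0.4.17 c2-update.example A
2024-03-20T03:05:00 10.0.9.9 notc2-update.example A
malformed line
"""

def matched_ioc(qname, iocs):
    """Return the IOC that qname equals or is a subdomain of, else None."""
    labels = qname.rstrip(".").lower().split(".")
    # Compare on label boundaries so "notc2-update.example" does not match.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

def find_contacts(log_text, iocs):
    """Group IOC hits as (client, ioc) -> {"first": datetime, "count": int}."""
    hits = {}
    for line in log_text.splitlines():
        try:
            stamp, client, qname, _qtype = line.split()
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # skip lines that do not fit the assumed format
        ioc = matched_ioc(qname, iocs)
        if ioc is None:
            continue  # the noise: queries for domains not on the IOC list
        rec = hits.setdefault((client, ioc), {"first": ts, "count": 0})
        rec["first"] = min(rec["first"], ts)  # logs may arrive out of order
        rec["count"] += 1
    return hits

def detection_gap_days(hits, detected_at):
    """Whole days between first IOC contact and the moment of detection."""
    return {key: (detected_at - rec["first"]).days for key, rec in hits.items()}

if __name__ == "__main__":
    hits = find_contacts(SAMPLE_LOG, IOC_DOMAINS)
    for key, days in detection_gap_days(hits, datetime(2024, 3, 21)).items():
        print(key, hits[key]["count"], "queries; first contact", days, "days ago")
```

Grouping by client and first-seen time turns a raw match into the detection gap this post is about: the number of days a host was already talking to a flagged domain before anyone looked.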

By pointing your DNS queries to Lumu, it is easy to see meaningful alerts that enable you to detect breaches with speed. Start your free trial today at

NUIX Report Link:
