Blumira released the 2022
State of Detection and Response Report, a new research report that
analyzed Blumira's security detections across log datasets of 230
organizations. The report revealed identity-based attacks and living off
the land behaviors as top threats organizations faced in 2021.
Blumira released this report against the backdrop of an
increasingly challenging threat landscape, with ransomware, software supply
chain attacks, data breaches, and more becoming an almost daily occurrence.
Attacker dwell time is also decreasing; ransomware attacks happen quickly from
initial compromise to infection and deployment.
According to IBM's 2021 Cost of a Data Breach Report, the
average time to detect and respond to a breach is 287 days. Breach lifecycles
that take longer than 200 days result in major impact and 35% higher breach
costs for organizations, pointing to the need for solutions that provide faster
time to detect and respond, including initial deployment.
"Organizations, especially small and medium-sized
businesses, need help with faster detection and response to keep up with the latest
threats and protect against breaches," said Jim Simpson, CEO of Blumira.
"Expediting time to security for faster response is key to better overall
security outcomes."
Analysis of Blumira's data showed an average time to detect a threat of
32 minutes, while the average time to respond, measured as how quickly an organization
closed out a finding, was six hours. Compared to the industry average,
Blumira's time to detect and to respond is 99% faster.
Research Key Findings
Identity-based attacks surged - Access attempts were a
common theme, as the pandemic forced many organizations to move to cloud
services to support their remote employees. For organizations without a solid
understanding of their exposed attack surface, moving to a cloud environment
only highlighted that knowledge gap. Threat actors take advantage of those
knowledge gaps by exploiting, misusing or stealing user identities.
Attempts to authenticate to a honeypot, a fake login
page designed specifically to lure attackers, were Blumira's #1 finding of 2021.
Identity-driven techniques accounted for three of Blumira's top five
findings (60%).
Cloud environments are particularly vulnerable to
identity-based attacks such as credential stuffing, phishing, password spraying
and more. Rapid detection of these attacks can enable organizations to respond
and contain an identity-based attack faster, helping stop an attack from
progressing further.
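To make the "rapid detection" point concrete, here is an added example (not Blumira's detection logic, and not part of the original report) that separates a password spray from single-account brute force in a stream of authentication events. The log format and every IP address and username below are constructed for the example; the thresholds (`min_users`, `max_per_user`, `window`) are assumptions a defender would tune to their own environment.

```python
"""Detect password-spraying patterns in authentication events.

Added illustration for the identity-attack finding above; not Blumira's
detection logic. The whitespace-separated log format is constructed:
    <ISO timestamp> <source IP> <username> <SUCCESS|FAILURE>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one password against many accounts
# (a spray), 198.51.100.9 hammers a single account (brute force), and
# 192.0.2.44 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2021-11-03T09:00:01Z 203.0.113.7 alice FAILURE
2021-11-03T09:00:04Z 203.0.113.7 bob FAILURE
2021-11-03T09:00:07Z 203.0.113.7 carol FAILURE
2021-11-03T09:00:10Z 203.0.113.7 dave FAILURE
2021-11-03T09:00:13Z 203.0.113.7 erin FAILURE
2021-11-03T09:00:16Z 203.0.113.7 frank SUCCESS
2021-11-03T09:01:00Z 198.51.100.9 admin FAILURE
2021-11-03T09:01:02Z 198.51.100.9 admin FAILURE
2021-11-03T09:01:04Z 198.51.100.9 admin FAILURE
2021-11-03T09:01:06Z 198.51.100.9 admin FAILURE
2021-11-03T09:01:08Z 198.51.100.9 admin FAILURE
2021-11-03T09:05:00Z 192.0.2.44 grace FAILURE
2021-11-03T09:05:20Z 192.0.2.44 grace SUCCESS
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    source: str
    user: str
    success: bool


def parse_log(text):
    """Parse the constructed log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, user, result = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                source, user, result == "SUCCESS"))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source: sorted usernames} for each source whose failures within
    `window` touch at least `min_users` distinct accounts while no single
    account sees more than `max_per_user` failures. Many accounts, few tries
    each is the spray signature; many tries on one account is brute force and
    is deliberately not reported here."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            by_source[e.source].append(e)

    findings = {}
    for source, fails in by_source.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end].ts - fails[start].ts > window:
                start += 1
            counts = defaultdict(int)
            for e in fails[start:end + 1]:
                counts[e.user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                findings[source] = sorted(counts)
    return findings


def successful_after_spray(events, findings):
    """Accounts that authenticated successfully from a spraying source.
    These are the highest-priority follow-up: the spray may have found a
    valid password, so containment (reset, session revocation) starts here."""
    return sorted({e.user for e in events if e.success and e.source in findings})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprays = detect_spray(evs)
    print("spraying sources:", sprays)
    print("accounts to contain first:", successful_after_spray(evs, sprays))
```

The spray rule keys on the per-source shape of the failures rather than on a raw failure count, which is what lets it ignore the brute-force source and the single mistyped password. `successful_after_spray` turns the detection into the response action the text calls for: the one account that succeeded from the spraying address is where containment begins.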
Living off the land techniques are a common threat -
Research also observed usage of living off the land (LotL) techniques, or
threat actors leveraging built-in tools that make it appear as though they are
legitimate users within an organization's environment.
Among Blumira's top findings were various instances of living
off the land techniques, including service execution with lateral movement tools, PsExec use
and potentially malicious PowerShell commands.
Taking place over days or weeks, these types of attacks can
go undetected by endpoint detection and response (EDR) solutions that rely on
the detection of known malicious tools. By that time it may be too late; for
example, the attacker may already have introduced malware into the environment.
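Because LotL activity uses tools that are also used legitimately, detection has to key on how a built-in tool is invoked and what invoked it, not on the binary itself. The following added example (not Blumira's rule set, and not from the report) flags the two LotL findings named above, a PsExec service installation and a suspicious PowerShell launch, over constructed Windows event records. The records are dicts modeled loosely on the fields of Windows System event 7045 (service installed) and Security event 4688 (process creation); the hostnames, usernames and command lines are constructed, and the indicator lists are an assumed starting point rather than a complete rule set.

```python
"""Flag living-off-the-land activity in Windows event records.

Added illustration for the LotL finding above; not Blumira's detections.
Records are constructed dicts modeled loosely on Windows System 7045
(service installed) and Security 4688 (process creation) fields.
"""
import re

SAMPLE_EVENTS = [
    # Constructed: PsExec's remote service being installed on a file server.
    {"EventID": 7045, "Computer": "FILESRV01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    # Constructed: a benign service install by a patch agent.
    {"EventID": 7045, "Computer": "WS-12", "ServiceName": "PatchAgent",
     "ImagePath": r"C:\Program Files\Vendor\agent.exe", "AccountName": "LocalSystem"},
    # Constructed: encoded, hidden-window PowerShell spawned by Word.
    {"EventID": 4688, "Computer": "WS-07", "SubjectUserName": "carol",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    # Constructed: an administrator's routine PowerShell script run.
    {"EventID": 4688, "Computer": "WS-07", "SubjectUserName": "admin",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

# PsExec's default remote service name; the binary name is matched too in
# case the service was renamed but the image was not.
PSEXEC_SERVICE = re.compile(r"psexesvc", re.IGNORECASE)

# Well-known PowerShell switches (and their short forms) that hide or
# obscure what a script does. Assumed starting list, not exhaustive.
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def powershell_indicators(cmdline):
    """Return the list of suspicious indicators present in a command line."""
    tokens = cmdline.lower().split()
    hits = []
    if any(t in ENCODED_FLAGS for t in tokens):
        hits.append("encoded_command")
    for i, t in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if t in ("-nop", "-noprofile"):
            hits.append("no_profile")
        elif t in ("-w", "-windowstyle") and nxt.startswith("hidden"):
            hits.append("hidden_window")
        elif t in ("-ep", "-executionpolicy") and nxt == "bypass":
            hits.append("policy_bypass")
    return hits


def analyze(events, min_indicators=2):
    """Produce findings for PsExec service installs and for PowerShell
    launches that stack at least `min_indicators` evasion indicators."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 7045:
            if PSEXEC_SERVICE.search(ev.get("ServiceName", "")) or \
               PSEXEC_SERVICE.search(ev.get("ImagePath", "")):
                findings.append({"rule": "psexec_service_install",
                                 "host": ev["Computer"],
                                 "service": ev.get("ServiceName", "")})
        elif ev.get("EventID") == 4688:
            image = ev.get("NewProcessName", "").lower()
            if not image.endswith(("powershell.exe", "pwsh.exe")):
                continue
            hits = powershell_indicators(ev.get("CommandLine", ""))
            # An Office application launching PowerShell is itself a signal.
            parent = ev.get("ParentProcessName", "").lower().rsplit("\\", 1)[-1]
            if parent in OFFICE_PARENTS:
                hits.append("office_parent")
            if len(hits) >= min_indicators:
                findings.append({"rule": "suspicious_powershell",
                                 "host": ev["Computer"],
                                 "user": ev.get("SubjectUserName", ""),
                                 "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

The PsExec rule fires on any install of the PSEXESVC service, because that event is rare enough to triage by hand: an administrator's planned use will line up with a change window and a known admin account, whereas lateral movement will not. The PowerShell rule requires indicators to stack, so the admin's plain `-File` run produces nothing while the encoded, hidden, profile-less launch from Word is reported with the list of reasons, which is what an analyst needs to close the finding quickly.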
Microsoft 365 Activity - Microsoft 365 is one of the most
popular cloud productivity suites, and Blumira's findings revealed patterns of
Microsoft-related activity, including activity associated with password
spraying, lateral movement and business email compromise.
SIEM Adoption in 2022
Investing in solutions that provide faster time to detect
and respond, including initial deployment, can result in lower costs for
organizations. In keeping with market needs, Blumira recently launched the
industry's only free, self-service cloud security information and event
management (SIEM) for Microsoft 365; and new paid editions that enable IT teams
of all sizes to close security gaps and achieve rapid time to security.